fix: Gamma users shouldn't be able to create roles (#29687)

Hugh A. Miles II 2024-08-20 20:14:20 -04:00 committed by GitHub
parent 1818054166
commit 7650c47e72
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 70 additions and 0 deletions


@ -238,6 +238,12 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods
"SQL Lab", "SQL Lab",
"User Registrations", "User Registrations",
"User's Statistics", "User's Statistics",
# Guarding all AB_ADD_SECURITY_API = True REST APIs
"Role",
"Permission",
"PermissionViewMenu",
"ViewMenu",
"User",
} | USER_MODEL_VIEWS } | USER_MODEL_VIEWS
ALPHA_ONLY_VIEW_MENUS = { ALPHA_ONLY_VIEW_MENUS = {
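Review bot: The new comment names the flag as `AB_ADD_SECURITY_API`, but the setting this commit relies on elsewhere (the test config and the `with_config` decorators) is `FAB_ADD_SECURITY_API`, so the comment points a reader at a setting that does not exist; I would change it to `# Guarding the views exposed when FAB_ADD_SECURITY_API = True (Role/Permission/User REST APIs)`. The set being extended opens before this hunk, so I cannot see its name or whether `"User"` is already contributed by the `USER_MODEL_VIEWS` union on the closing line; if it is, the explicit `"User"` entry is redundant but harmless.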


@ -26,6 +26,7 @@ from superset.daos.dashboard import EmbeddedDashboardDAO
from superset.models.dashboard import Dashboard from superset.models.dashboard import Dashboard
from superset.utils.urls import get_url_host from superset.utils.urls import get_url_host
from superset.utils import json from superset.utils import json
from tests.integration_tests.conftest import with_config
from tests.integration_tests.base_tests import SupersetTestCase from tests.integration_tests.base_tests import SupersetTestCase
from tests.integration_tests.constants import ADMIN_USERNAME, GAMMA_USERNAME from tests.integration_tests.constants import ADMIN_USERNAME, GAMMA_USERNAME
from tests.integration_tests.fixtures.birth_names_dashboard import ( from tests.integration_tests.fixtures.birth_names_dashboard import (
@ -135,3 +136,64 @@ class TestSecurityGuestTokenApi(SupersetTestCase):
) )
self.assert400(response) self.assert400(response)
class TestSecurityRolesApi(SupersetTestCase):
uri = "api/v1/security/roles/" # noqa: F541
@with_config({"FAB_ADD_SECURITY_API": True})
def test_get_security_roles_admin(self):
"""
Security API: Admin should be able to get roles
"""
self.login(ADMIN_USERNAME)
response = self.client.get(self.uri)
self.assert200(response)
@with_config({"FAB_ADD_SECURITY_API": True})
def test_get_security_roles_gamma(self):
"""
Security API: Gamma should not be able to get roles
"""
self.login(GAMMA_USERNAME)
response = self.client.get(self.uri)
self.assert403(response)
@with_config({"FAB_ADD_SECURITY_API": True})
def test_post_security_roles_gamma(self):
"""
Security API: Gamma should not be able to create roles
"""
self.login(GAMMA_USERNAME)
response = self.client.post(
self.uri,
data=json.dumps({"name": "new_role"}),
content_type="application/json",
)
self.assert403(response)
@with_config({"FAB_ADD_SECURITY_API": True})
def test_put_security_roles_gamma(self):
"""
Security API: Gamma shouldnt be able to update roles
"""
self.login(GAMMA_USERNAME)
response = self.client.put(
f"{self.uri}1",
data=json.dumps({"name": "new_role"}),
content_type="application/json",
)
self.assert403(response)
@with_config({"FAB_ADD_SECURITY_API": True})
def test_delete_security_roles_gamma(self):
"""
Security API: Gamma shouldnt be able to delete roles
"""
self.login(GAMMA_USERNAME)
response = self.client.delete(
f"{self.uri}1",
data=json.dumps({"name": "new_role"}),
content_type="application/json",
)
self.assert403(response)
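Review bot: The `# noqa: F541` on `uri = "api/v1/security/roles/"` suppresses the "f-string without placeholders" rule on a plain string literal, so it is stale and should be dropped, leaving `uri = "api/v1/security/roles/"`. The docstrings on `test_put_security_roles_gamma` and `test_delete_security_roles_gamma` read "shouldnt"; `shouldn't` matches the other two. Coverage-wise, only Gamma's denial is asserted for POST/PUT/DELETE; there is no positive write test for Admin and no denial test for an Alpha user, so a regression that moved these views from the admin-only set into `ALPHA_ONLY_VIEW_MENUS` would still pass this class. The same commit appears to set `FAB_ADD_SECURITY_API = True` globally in the test config, which makes the per-test `@with_config` overrides redundant; keeping one mechanism would make it clearer which path the tests actually exercise.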


@ -137,6 +137,8 @@ ALERT_REPORTS_WORKING_TIME_OUT_KILL = True
ALERT_REPORTS_QUERY_EXECUTION_MAX_TRIES = 3 ALERT_REPORTS_QUERY_EXECUTION_MAX_TRIES = 3
FAB_ADD_SECURITY_API = True
class CeleryConfig: class CeleryConfig:
broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}" broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"