Show only Slices and Dashboards users have access to (#404)

* Introducing more security features * Many to many owners for slices and dashboards * Slices are filtered to only slices that the user has access to * Adding unit tests
2016-04-26 16:44:51 -07:00 · 2016-04-26 16:44:51 -07:00 · b634d03ac3
parent ab64a26b5b
commit b634d03ac3
5 changed files with 205 additions and 42 deletions
--- a/caravel/migrations/versions/4fa88fe24e94_owners_many_to_many.py
+++ b/caravel/migrations/versions/4fa88fe24e94_owners_many_to_many.py
@ -0,0 +1,38 @@
+"""owners_many_to_many
+
+Revision ID: 4fa88fe24e94
+Revises: b4456560d4f3
+Create Date: 2016-04-15 17:58:33.842012
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '4fa88fe24e94'
+down_revision = 'b4456560d4f3'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    op.create_table('dashboard_user',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('user_id', sa.Integer(), nullable=True),
+        sa.Column('dashboard_id', sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(['dashboard_id'], [u'dashboards.id'], ),
+        sa.ForeignKeyConstraint(['user_id'], [u'ab_user.id'], ),
+        sa.PrimaryKeyConstraint('id'),
+    )
+    op.create_table('slice_user',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('user_id', sa.Integer(), nullable=True),
+        sa.Column('slice_id', sa.Integer(), nullable=True),
+        sa.ForeignKeyConstraint(['slice_id'], [u'slices.id'], ),
+        sa.ForeignKeyConstraint(['user_id'], [u'ab_user.id'], ),
+        sa.PrimaryKeyConstraint('id'),
+    )
+
+
+def downgrade():
+    op.drop_table('slice_user')
+    op.drop_table('dashboard_user')
--- a/caravel/migrations/versions/c3a8f8611885_materializing_permission.py
+++ b/caravel/migrations/versions/c3a8f8611885_materializing_permission.py
@ -0,0 +1,33 @@
+"""Materializing permission
+
+Revision ID: c3a8f8611885
+Revises: 4fa88fe24e94
+Create Date: 2016-04-25 08:54:04.303859
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = 'c3a8f8611885'
+down_revision = '4fa88fe24e94'
+
+from alembic import op
+import sqlalchemy as sa
+from caravel import db
+from caravel import models
+
+
+def upgrade():
+    bind = op.get_bind()
+    op.add_column('slices', sa.Column('perm', sa.String(length=2000), nullable=True))
+    session = db.Session(bind=bind)
+
+    for slc in session.query(models.Slice).all():
+        if slc.datasource:
+            slc.perm = slc.datasource.perm
+            session.merge(slc)
+            session.commit()
+    db.session.close()
+
+
+def downgrade():
+    op.drop_column('slices', 'perm')
--- a/caravel/models.py
+++ b/caravel/models.py
@ -22,6 +22,7 @@ from flask import request, g
 from flask.ext.appbuilder import Model
 from flask.ext.appbuilder.models.mixins import AuditMixin
 from pydruid.client import PyDruid
+from flask.ext.appbuilder.models.decorators import renders
 from pydruid.utils.filters import Dimension, Filter
 from six import string_types
 from sqlalchemy import (
@ -66,15 +67,15 @@ class AuditMixinNullable(AuditMixin):
            Integer, ForeignKey('ab_user.id'),
            default=cls.get_user_id, onupdate=cls.get_user_id, nullable=True)

-    @property
-    def created_by_(self):  # noqa
+    @renders('created_by')
+    def creator(self):  # noqa
        return '{}'.format(self.created_by or '')

-    @property  # noqa
+    @renders('changed_by')
    def changed_by_(self):
        return '{}'.format(self.changed_by or '')

-    @property
+    @renders('changed_on')
    def modified(self):
        s = humanize.naturaltime(datetime.now() - self.changed_on)
        return '<span class="no-wrap">{}</nobr>'.format(s)
@ -110,6 +111,13 @@ class CssTemplate(Model, AuditMixinNullable):
    css = Column(Text, default='')


+slice_user = Table('slice_user', Model.metadata,
+    Column('id', Integer, primary_key=True),
+    Column('user_id', Integer, ForeignKey('ab_user.id')),
+    Column('slice_id', Integer, ForeignKey('slices.id'))
+)
+
+
 class Slice(Model, AuditMixinNullable):

    """A slice is essentially a report or a view on data"""
@ -125,11 +133,13 @@ class Slice(Model, AuditMixinNullable):
    params = Column(Text)
    description = Column(Text)
    cache_timeout = Column(Integer)
+    perm = Column(String(2000))

    table = relationship(
        'SqlaTable', foreign_keys=[table_id], backref='slices')
    druid_datasource = relationship(
        'DruidDatasource', foreign_keys=[druid_datasource_id], backref='slices')
+    owners = relationship("User", secondary=slice_user)

    def __repr__(self):
        return self.slice_name
@ -211,6 +221,20 @@ class Slice(Model, AuditMixinNullable):
            url=url, obj=self)


+def set_perm(mapper, connection, target):  # noqa
+    if target.table_id:
+        src_class = SqlaTable
+        id_ = target.table_id
+    elif target.druid_datasource_id:
+        src_class = DruidDatasource
+        id_ = target.druid_datasource_id
+    ds = db.session.query(src_class).filter_by(id=int(id_)).first()
+    target.perm = ds.perm
+
+sqla.event.listen(Slice, 'before_insert', set_perm)
+sqla.event.listen(Slice, 'before_update', set_perm)
+
+
 dashboard_slices = Table(
    'dashboard_slices', Model.metadata,
    Column('id', Integer, primary_key=True),
@ -218,6 +242,13 @@ dashboard_slices = Table(
    Column('slice_id', Integer, ForeignKey('slices.id')),
 )

+dashboard_user = Table(
+    'dashboard_user', Model.metadata,
+    Column('id', Integer, primary_key=True),
+    Column('user_id', Integer, ForeignKey('ab_user.id')),
+    Column('dashboard_id', Integer, ForeignKey('dashboards.id'))
+)
+

 class Dashboard(Model, AuditMixinNullable):

@ -233,6 +264,7 @@ class Dashboard(Model, AuditMixinNullable):
    slug = Column(String(255), unique=True)
    slices = relationship(
        'Slice', secondary=dashboard_slices, backref='dashboards')
+    owners = relationship("User", secondary=dashboard_user)

    def __repr__(self):
        return self.dashboard_title
@ -1165,11 +1197,13 @@ class Log(Model):
                user_id = g.user.id
            d = request.args.to_dict()
            d.update(kwargs)
+            slice_id = d.get('slice_id', 0)
+            slice_id = int(slice_id) if slice_id else 0
            log = cls(
                action=f.__name__,
                json=json.dumps(d),
                dashboard_id=d.get('dashboard_id') or None,
-                slice_id=d.get('slice_id') or None,
+                slice_id=slice_id,
                user_id=user_id)
            db.session.add(log)
            db.session.commit()
--- a/caravel/views.py
+++ b/caravel/views.py
@ -19,9 +19,9 @@ from flask.ext.appbuilder import ModelView, CompactCRUDMixin, BaseView, expose
 from flask.ext.appbuilder.actions import action
 from flask.ext.appbuilder.models.sqla.interface import SQLAInterface
 from flask.ext.appbuilder.security.decorators import has_access
+from flask_appbuilder.models.sqla.filters import BaseFilter
 from pydruid.client import doublesum
-from sqlalchemy import create_engine
-from sqlalchemy import select, text
+from sqlalchemy import create_engine, select, text
 from sqlalchemy.sql.expression import TextAsFrom
 from werkzeug.routing import BaseConverter
 from wtforms.validators import ValidationError
@ -32,6 +32,42 @@ config = app.config
 log_this = models.Log.log_this


+class CaravelFilter(BaseFilter):
+    def get_perms(self):
+        perms = []
+        for role in g.user.roles:
+            for perm_view in role.permissions:
+                if perm_view.permission.name == 'datasource_access':
+                    perms.append(perm_view.view_menu.name)
+        return perms
+
+
+class FilterSlice(CaravelFilter):
+    def apply(self, query, func):  # noqa
+        if any([r.name in ('Admin', 'Alpha') for r in g.user.roles]):
+            return query
+        qry = query.filter(self.model.perm.in_(self.get_perms()))
+        print(qry)
+        return qry
+
+
+class FilterDashboard(CaravelFilter):
+    def apply(self, query, func):  # noqa
+        if any([r.name in ('Admin', 'Alpha') for r in g.user.roles]):
+            return query
+        Slice = models.Slice  # noqa
+        slice_ids_qry = (
+            db.session
+            .query(Slice.id)
+            .filter(Slice.perm.in_(self.get_perms()))
+        )
+        return query.filter(
+            self.model.slices.any(
+                models.Slice.id.in_(slice_ids_qry)
+            )
+        )
+
+
 def validate_json(form, field):  # noqa
    try:
        json.loads(field.data)
@ -136,8 +172,7 @@ appbuilder.add_view_no_menu(DruidMetricInlineView)

 class DatabaseView(CaravelModelView, DeleteMixin):  # noqa
    datamodel = SQLAInterface(models.Database)
-    list_columns = ['database_name', 'sql_link', 'created_by_', 'changed_on']
-    order_columns = utils.list_minus(list_columns, ['created_by_'])
+    list_columns = ['database_name', 'sql_link', 'creator', 'changed_on']
    add_columns = [
        'database_name', 'sqlalchemy_uri', 'cache_timeout', 'extra']
    search_exclude_columns = ('password',)
@ -183,7 +218,7 @@ class TableModelView(CaravelModelView, DeleteMixin):  # noqa
    datamodel = SQLAInterface(models.SqlaTable)
    list_columns = [
        'table_link', 'database', 'sql_link', 'is_featured',
-        'changed_by_', 'changed_on']
+        'changed_by_', 'changed_on', 'perm']
    add_columns = [
        'table_name', 'database', 'schema',
        'default_endpoint', 'offset', 'cache_timeout']
@ -246,21 +281,19 @@ if config['DRUID_IS_ACTIVE']:
        category_icon='fa-database',)


+
 class SliceModelView(CaravelModelView, DeleteMixin):  # noqa
    datamodel = SQLAInterface(models.Slice)
    add_template = "caravel/add_slice.html"
    can_add = False
    label_columns = {
-        'created_by_': 'Creator',
        'datasource_link': 'Datasource',
    }
    list_columns = [
-        'slice_link', 'viz_type',
-        'datasource_link', 'created_by_', 'modified']
-    order_columns = utils.list_minus(list_columns, ['created_by_', 'modified'])
+        'slice_link', 'viz_type', 'datasource_link', 'creator', 'modified']
    edit_columns = [
        'slice_name', 'description', 'viz_type', 'druid_datasource',
-        'table', 'dashboards', 'params', 'cache_timeout']
+        'table', 'owners', 'dashboards', 'params', 'cache_timeout']
    base_order = ('changed_on', 'desc')
    description_columns = {
        'description': Markup(
@ -269,6 +302,7 @@ class SliceModelView(CaravelModelView, DeleteMixin):  # noqa
            "<a href='https://daringfireball.net/projects/markdown/'>"
            "markdown</a>"),
    }
+    base_filters = [['id', FilterSlice, lambda: []]]

 appbuilder.add_view(
    SliceModelView,
@ -281,10 +315,9 @@ appbuilder.add_view(
 class SliceAsync(SliceModelView):  # noqa
    list_columns = [
        'slice_link', 'viz_type',
-        'created_by_', 'modified', 'icons']
+        'creator', 'modified', 'icons']
    label_columns = {
        'icons': ' ',
-        'created_by_': 'Creator',
        'viz_type': 'Type',
        'slice_link': 'Slice',
    }
@ -294,13 +327,9 @@ appbuilder.add_view_no_menu(SliceAsync)

 class DashboardModelView(CaravelModelView, DeleteMixin):  # noqa
    datamodel = SQLAInterface(models.Dashboard)
-    label_columns = {
-        'created_by_': 'Creator',
-    }
-    list_columns = ['dashboard_link', 'created_by_', 'modified']
-    order_columns = utils.list_minus(list_columns, ['created_by_', 'modified'])
+    list_columns = ['dashboard_link', 'creator', 'modified']
    edit_columns = [
-        'dashboard_title', 'slug', 'slices', 'position_json', 'css',
+        'dashboard_title', 'slug', 'slices', 'owners', 'position_json', 'css',
        'json_metadata']
    add_columns = edit_columns
    base_order = ('changed_on', 'desc')
@ -316,6 +345,7 @@ class DashboardModelView(CaravelModelView, DeleteMixin):  # noqa
            "visible"),
        'slug': "To get a readable URL for your dashboard",
    }
+    base_filters = [['slice', FilterDashboard, lambda: []]]

    def pre_add(self, obj):
        obj.slug = obj.slug.strip() or None
@ -336,9 +366,8 @@ appbuilder.add_view(


 class DashboardModelViewAsync(DashboardModelView):  # noqa
-    list_columns = ['dashboard_link', 'created_by_', 'modified']
+    list_columns = ['dashboard_link', 'creator', 'modified']
    label_columns = {
-        'created_by_': 'Creator',
        'dashboard_link': 'Dashboard',
    }

@ -362,11 +391,10 @@ class DruidDatasourceModelView(CaravelModelView, DeleteMixin):  # noqa
    datamodel = SQLAInterface(models.DruidDatasource)
    list_columns = [
        'datasource_link', 'cluster', 'owner',
-        'created_by_', 'created_on',
+        'creator', 'created_on',
        'changed_by_', 'changed_on',
        'offset']
-    related_views = [
-        DruidColumnInlineView, DruidMetricInlineView]
+    related_views = [DruidColumnInlineView, DruidMetricInlineView]
    edit_columns = [
        'datasource_name', 'cluster', 'description', 'owner',
        'is_featured', 'is_hidden', 'default_endpoint', 'offset',
--- a/tests/core_tests.py
+++ b/tests/core_tests.py
@ -32,18 +32,36 @@ class CaravelTestCase(unittest.TestCase):
    def __init__(self, *args, **kwargs):
        super(CaravelTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
-        role_admin = appbuilder.sm.find_role('Admin')
-        user = appbuilder.sm.find_user('admin')
-        if not user:
+
+        utils.init(caravel)
+        admin = appbuilder.sm.find_user('admin')
+        if not admin:
            appbuilder.sm.add_user(
                'admin', 'admin',' user', 'admin@fab.org',
-                role_admin, 'general')
+                appbuilder.sm.find_role('Admin'),
+                password='general')

-    def login(self):
-        self.client.post(
+        gamma = appbuilder.sm.find_user('gamma')
+        if not gamma:
+            appbuilder.sm.add_user(
+                'gamma', 'gamma', 'user', 'gamma@fab.org',
+                appbuilder.sm.find_role('Gamma'),
+                password='general')
+        utils.init(caravel)
+
+    def login_admin(self):
+        resp = self.client.post(
            '/login/',
            data=dict(username='admin', password='general'),
            follow_redirects=True)
+        assert 'Welcome' in resp.data.decode('utf-8')
+
+    def login_gamma(self):
+        resp = self.client.post(
+            '/login/',
+            data=dict(username='gamma', password='general'),
+            follow_redirects=True)
+        assert 'Welcome' in resp.data.decode('utf-8')


 class CoreTests(CaravelTestCase):
@ -55,7 +73,6 @@ class CoreTests(CaravelTestCase):
            .query(models.SqlaTable)
            .all()
        )}
-        utils.init(caravel)
        self.load_examples()

    def setUp(self):
@ -68,9 +85,13 @@ class CoreTests(CaravelTestCase):
        cli.load_examples(sample=True)

    def test_save_slice(self):
-        self.login()
+        self.login_admin()
+
+        slice_id = (
+            db.session.query(models.Slice.id)
+            .filter_by(slice_name="Energy Sankey")
+            .scalar())

-        slice_id = db.session.query(models.Slice.id).filter_by(slice_name="Energy Sankey").scalar()
        copy_name = "Test Sankey Save"
        tbl_id = self.table_ids.get('energy_usage')
        url = "/caravel/explore/table/{}/?viz_type=sankey&groupby=source&groupby=target&metric=sum__value&row_limit=5000&where=&having=&flt_col_0=source&flt_op_0=in&flt_eq_0=&slice_id={}&slice_name={}&collapsed_fieldsets=&action={}&datasource_name=energy_usage&datasource_id=1&datasource_type=table&previous_viz_type=sankey"
@ -87,7 +108,7 @@ class CoreTests(CaravelTestCase):

    def test_slices(self):
        # Testing by running all the examples
-        self.login()
+        self.login_admin()
        Slc = models.Slice
        urls = []
        for slc in db.session.query(Slc).all():
@ -99,7 +120,7 @@ class CoreTests(CaravelTestCase):
            self.client.get(url)

    def test_dashboard(self):
-        self.login()
+        self.login_admin()
        urls = {}
        for dash in db.session.query(models.Dashboard).all():
            urls[dash.dashboard_title] = dash.url
@ -118,19 +139,28 @@ class CoreTests(CaravelTestCase):
        assert self.client.get('/ping').data.decode('utf-8') == "OK"

    def test_shortner(self):
-        self.login()
+        self.login_admin()
        data = "//caravel/explore/table/1/?viz_type=sankey&groupby=source&groupby=target&metric=sum__value&row_limit=5000&where=&having=&flt_col_0=source&flt_op_0=in&flt_eq_0=&slice_id=78&slice_name=Energy+Sankey&collapsed_fieldsets=&action=&datasource_name=energy_usage&datasource_id=1&datasource_type=table&previous_viz_type=sankey"
        resp = self.client.post('/r/shortner/', data=data)
        assert '/r/' in resp.data.decode('utf-8')

    def test_save_dash(self):
-        self.login()
+        self.login_admin()
        dash = db.session.query(models.Dashboard).filter_by(slug="births").first()
        data = """{"positions":[{"slice_id":"131","col":8,"row":8,"size_x":2,"size_y":4},{"slice_id":"132","col":10,"row":8,"size_x":2,"size_y":4},{"slice_id":"133","col":1,"row":1,"size_x":2,"size_y":2},{"slice_id":"134","col":3,"row":1,"size_x":2,"size_y":2},{"slice_id":"135","col":5,"row":4,"size_x":3,"size_y":3},{"slice_id":"136","col":1,"row":7,"size_x":7,"size_y":4},{"slice_id":"137","col":9,"row":1,"size_x":3,"size_y":3},{"slice_id":"138","col":5,"row":1,"size_x":4,"size_y":3},{"slice_id":"139","col":1,"row":3,"size_x":4,"size_y":4},{"slice_id":"140","col":8,"row":4,"size_x":4,"size_y":4}],"css":"None","expanded_slices":{}}"""
        url = '/caravel/save_dash/{}/'.format(dash.id)
        resp = self.client.post(url, data=dict(data=data))
        assert "SUCCESS" in resp.data.decode('utf-8')

+    def test_gamma(self):
+        self.login_gamma()
+        resp = self.client.get('/slicemodelview/list/')
+        print(resp.data.decode('utf-8'))
+        assert "List Slice" in resp.data.decode('utf-8')
+
+        resp = self.client.get('/dashboardmodelview/list/')
+        assert "List Dashboard" in resp.data.decode('utf-8')
+

 SEGMENT_METADATA = [{
  "id": "some_id",
@ -188,7 +218,7 @@ class DruidTests(CaravelTestCase):

    @patch('caravel.models.PyDruid')
    def test_client(self, PyDruid):
-        self.login()
+        self.login_admin()
        instance = PyDruid.return_value
        instance.time_boundary.return_value = [
            {'result': {'maxTime': '2016-01-01'}}]