From maximebeauche...@apache.org
Subject [incubator-superset] branch master updated: Add permission checks to save_or_overwrite_slice (#4346)
Date Fri, 09 Feb 2018 00:40:50 GMT
This is an automated email from the ASF dual-hosted git repository.

maximebeauchemin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 54d3875  Add permission checks to save_or_overwrite_slice (#4346)
54d3875 is described below

commit 54d387598d9257185d09ec6916461c1d4166f264
Author: Jay Lindquist <jay@bitwiseor.com>
AuthorDate: Thu Feb 8 18:40:46 2018 -0600

    Add permission checks to save_or_overwrite_slice (#4346)
    
    * Add permissions checks for save_or_overwrite_slice
    
    * Change is_owner to check_ownership
    
    * Add translation to chart and dashboard error messages
    
    * Appease the python linter by using single quotes
---
 superset/views/core.py | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/superset/views/core.py b/superset/views/core.py
index 8e8a95d..87adb6e 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -1192,7 +1192,12 @@ class Superset(BaseSupersetView):
 
         if action == 'overwrite' and not slice_overwrite_perm:
             return json_error_response(
-                "You don't have the rights to alter this slice",
+                _('You don\'t have the rights to ') + _('alter this ') + _('chart'),
+                status=400)
+
+        if action == 'saveas' and not slice_add_perm:
+            return json_error_response(
+                _('You don\'t have the rights to ') + _('create a ') + _('chart'),
                 status=400)
 
         if action in ('saveas', 'overwrite'):
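Review bot: Both denials in this hunk answer with `status=400`, which reports an authorization failure as a malformed request. Using `status=403)` would let clients, access logs and alerting tell a refused save apart from bad input. The same applies to the two dashboard checks added in the second hunk. Separately, assembling each message from three `_()` fragments stops translators from reordering words; a single string per message, such as `_('You don\'t have the rights to create a chart')`, translates cleanly. The enclosing method starts and ends outside the hunk.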
@@ -1300,12 +1305,28 @@ class Superset(BaseSupersetView):
                 .filter_by(id=int(request.args.get('save_to_dashboard_id')))
                 .one()
             )
+
+            # check edit dashboard permissions
+            dash_overwrite_perm = check_ownership(dash, raise_if_false=False)
+            if not dash_overwrite_perm:
+                return json_error_response(
+                    _('You don\'t have the rights to ') + _('alter this ') +
+                    _('dashboard'),
+                    status=400)
+
             flash(
                 'Slice [{}] was added to dashboard [{}]'.format(
                     slc.slice_name,
                     dash.dashboard_title),
                 'info')
         elif request.args.get('add_to_dash') == 'new':
+            # check create dashboard permissions
+            dash_add_perm = self.can_access('can_add', 'DashboardModelView')
+            if not dash_add_perm:
+                return json_error_response(
+                    _('You don\'t have the rights to ') + _('create a ') + _('dashboard'),
+                    status=400)
+
             dash = models.Dashboard(
                 dashboard_title=request.args.get('new_dashboard_name'),
                 owners=[g.user] if g.user else [])
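Review bot: The dashboard ownership check and the `can_add` check run only after the `if action in ('saveas', 'overwrite'):` branch seen at the end of the first hunk. That branch's body is not visible here, but if it persists the chart, a request refused at the dashboard step will already have created or overwritten the chart while returning an error. Evaluating `dash_overwrite_perm` and `dash_add_perm` alongside `slice_add_perm` and `slice_overwrite_perm`, before any write, would make the refusal all-or-nothing. The method continues outside the hunk, so confirm the ordering against the full body.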

-- 
To stop receiving notification emails like this one, please contact
maximebeauchemin@apache.org.
