-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(saved queries): security perm simplification #11764
feat(saved queries): security perm simplification #11764
Conversation
Codecov Report
@@ Coverage Diff @@
## master #11764 +/- ##
===========================================
- Coverage 67.56% 55.08% -12.49%
===========================================
Files 916 411 -505
Lines 44545 14583 -29962
Branches 4227 3749 -478
===========================================
- Hits 30098 8033 -22065
+ Misses 14344 6550 -7794
+ Partials 103 0 -103
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
@dpgaspar I gather that other than one test file and one implementation place, there were no front-end changes required to support this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good start! The main delta I see is unit testing of the stuff in security_converge.py
- given the importance of these utilities it would be good to get tests around them.
Base = declarative_base() | ||
|
||
PvmType = Tuple[str, str] | ||
PvmMigrationMapType = Dict[PvmType, Tuple[PvmType, ...]] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the tuple? Will these ever be anything other than 1:1?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They will, on downgrade we need 1:N
because I'm "recovering" for example: "can_read" -> ("can_show", "can_list", ...)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The new perms look much more intuitive than the old ones 👍 One small non-blocking proposal.
MODEL_VIEW_RW_METHOD_PERMISSION_MAP = { | ||
"add": "write", | ||
"api": "read", | ||
"api_column_add": "write", | ||
"api_column_edit": "write", | ||
"api_create": "write", | ||
"api_delete": "write", | ||
"api_get": "read", | ||
"api_read": "read", | ||
"api_readvalues": "read", | ||
"api_update": "write", | ||
"delete": "write", | ||
"download": "read", | ||
"edit": "write", | ||
"list": "read", | ||
"muldelete": "write", | ||
"show": "read", | ||
} | ||
|
||
MODEL_API_RW_METHOD_PERMISSION_MAP = { | ||
"bulk_delete": "write", | ||
"delete": "write", | ||
"distinct": "read", | ||
"export": "read", | ||
"get": "read", | ||
"get_list": "read", | ||
"info": "read", | ||
"post": "write", | ||
"put": "write", | ||
"related": "read", | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we add Enum
s for these, like PermissionType.WRITE
?
SUMMARY
First PR for security permission simplification. Scope
SavedQuery
for API and MVC FAB classes.The DB migration step is ready to upgrade and downgrade, note that downgrade will work just fine with superset default roles, but on custom made roles some granularity may be lost, since after converging (upgrading) there is information loss
Existing permissions:
Future permissions:
TEST PLAN
Test REACT CRUD views
Test MVC CRUD views
ADDITIONAL INFORMATION