move redirect to backend

apache · Jan 3, 2023 · aaf3a71 · aaf3a71
1 parent 03c73a2
commit aaf3a71
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 52 deletions.
diff --git a/superset-frontend/src/SqlLab/App.jsx b/superset-frontend/src/SqlLab/App.jsx
@@ -30,7 +30,6 @@ import {
   FeatureFlag,
 } from 'src/featureFlags';
 import setupExtensions from 'src/setup/setupExtensions';
-import { canUserAccessSqlLab } from 'src/dashboard/util/permissionUtils';
 import getInitialState from './reducers/getInitialState';
 import rootReducer from './reducers/index';
 import { initEnhancer } from '../reduxUtils';
@@ -55,7 +54,6 @@ const bootstrapData = JSON.parse(appContainer.getAttribute('data-bootstrap'));
 initFeatureFlags(bootstrapData.common.feature_flags);
 
 const initialState = getInitialState(bootstrapData);
-
 const sqlLabPersistStateConfig = {
   paths: ['sqlLab'],
   config: {
@@ -138,22 +136,15 @@ if (sqlLabMenu) {
   }
 }
 
-const Application = () => {
-  if (!canUserAccessSqlLab(bootstrapData.user)) {
-    window.location.href = '/';
-    return <></>;
-  }
-
-  return (
-    <QueryProvider>
-      <Provider store={store}>
-        <ThemeProvider theme={theme}>
-          <GlobalStyles />
-          <App />
-        </ThemeProvider>
-      </Provider>
-    </QueryProvider>
-  );
-};
+const Application = () => (
+  <QueryProvider>
+    <Provider store={store}>
+      <ThemeProvider theme={theme}>
+        <GlobalStyles />
+        <App />
+      </ThemeProvider>
+    </Provider>
+  </QueryProvider>
+);
 
 export default hot(Application);
diff --git a/superset-frontend/src/views/CRUD/data/query/QueryList.test.tsx b/superset-frontend/src/views/CRUD/data/query/QueryList.test.tsx
@@ -89,15 +89,7 @@ fetchMock.get('glob:*/api/v1/query/disting/status*', {
 });
 
 describe('QueryList', () => {
-  const mockedProps = {
-    user: {
-      username: 'user',
-      permissions: [],
-      roles: {
-        Admin: [],
-      },
-    },
-  };
+  const mockedProps = {};
   const wrapper = mount(
     <Provider store={store}>
       <QueryList {...mockedProps} />

diff --git a/superset-frontend/src/views/CRUD/data/query/QueryList.tsx b/superset-frontend/src/views/CRUD/data/query/QueryList.tsx
@@ -49,7 +49,6 @@ import { DATETIME_WITH_TIME_ZONE, TIME_WITH_MS } from 'src/constants';
 import { QueryObject, QueryObjectColumns } from 'src/views/CRUD/types';
 
 import Icons from 'src/components/Icons';
-import { canUserAccessSqlLab } from 'src/dashboard/util/permissionUtils';
 import { BootstrapUser } from 'src/types/bootstrapTypes';
 import QueryPreviewModal from './QueryPreviewModal';
 
@@ -420,11 +419,6 @@ function QueryList({ addDangerToast, user }: QueryListProps) {
     [addDangerToast],
   );
 
-  if (!canUserAccessSqlLab(user)) {
-    window.location.href = '/';
-    return <></>;
-  }
-
   return (
     <>
       <SubMenu {...menuData} />

diff --git a/superset-frontend/src/views/CRUD/data/savedquery/SavedQueryList.test.jsx b/superset-frontend/src/views/CRUD/data/savedquery/SavedQueryList.test.jsx
@@ -134,20 +134,10 @@ fetchMock.get(queriesDistinctEndpoint, {
 // Mock utils module
 jest.mock('src/views/CRUD/utils');
 
-const mockedProps = {
-  user: {
-    username: 'user',
-    permissions: [],
-    roles: {
-      Admin: [],
-    },
-  },
-};
-
 describe('SavedQueryList', () => {
   const wrapper = mount(
     <Provider store={store}>
-      <SavedQueryList {...mockedProps} />
+      <SavedQueryList />
     </Provider>,
   );
 
@@ -256,7 +246,7 @@ describe('RTL', () => {
     const mounted = act(async () => {
       render(
         <QueryParamProvider>
-          <SavedQueryList {...mockedProps} />
+          <SavedQueryList />
         </QueryParamProvider>,
         { useRedux: true },
       );

diff --git a/superset-frontend/src/views/CRUD/data/savedquery/SavedQueryList.tsx b/superset-frontend/src/views/CRUD/data/savedquery/SavedQueryList.tsx
@@ -50,7 +50,6 @@ import copyTextToClipboard from 'src/utils/copy';
 import { isFeatureEnabled, FeatureFlag } from 'src/featureFlags';
 import ImportModelsModal from 'src/components/ImportModal/index';
 import Icons from 'src/components/Icons';
-import { canUserAccessSqlLab } from 'src/dashboard/util/permissionUtils';
 import { BootstrapUser } from 'src/types/bootstrapTypes';
 import SavedQueryPreviewModal from './SavedQueryPreviewModal';
 
@@ -473,11 +472,6 @@ function SavedQueryList({
     [addDangerToast],
   );
 
-  if (!canUserAccessSqlLab(user)) {
-    window.location.href = '/';
-    return <></>;
-  }
-
   return (
     <>
       <SubMenu {...menuData} />

diff --git a/superset/views/core.py b/superset/views/core.py
@@ -2777,6 +2777,13 @@ def _get_sqllab_tabs(user_id: Optional[int]) -> Dict[str, Any]:
     @expose("/sqllab/", methods=["GET", "POST"])
     def sqllab(self) -> FlaskResponse:
         """SQL Editor"""
+        if not (
+            security_manager.is_admin()
+            or "sql_lab" in (role.name for role in security_manager.get_user_roles())
+        ):
+            flash(__("You do not have access to SQL Lab"), "danger")
+            return redirect("/")
+
         payload = {
             "defaultDbId": config["SQLLAB_DEFAULT_DBID"],
             "common": common_bootstrap_payload(g.user),
@@ -2804,6 +2811,13 @@ def sqllab(self) -> FlaskResponse:
     @expose("/sqllab/history/", methods=["GET"])
     @event_logger.log_this
     def sqllab_history(self) -> FlaskResponse:
+        if not (
+            security_manager.is_admin()
+            or "sql_lab" in (role.name for role in security_manager.get_user_roles())
+        ):
+            flash(__("You do not have access to SQL Lab"), "danger")
+            return redirect("/")
+
         return super().render_app_template()
 
     @api

diff --git a/tests/integration_tests/sqllab_tests.py b/tests/integration_tests/sqllab_tests.py
@@ -257,6 +257,25 @@ def test_sql_json_has_access(self):
         db.session.commit()
         self.assertLess(0, len(data["data"]))
 
+    def test_sqllab_has_access(self):
+        self.create_user_with_roles("sqluser", ["Gamma", "sql_lab"])
+
+        self.login("sqluser")
+        for endpoint in ("/superset/sqllab/", "/superset/sqllab/history/"):
+            resp = self.client.get(endpoint)
+            self.assertEqual(200, resp.status_code)
+
+        user = self.get_user("sqluser")
+        db.session.delete(user)
+        db.session.commit()
+
+    def test_sqllab_no_access(self):
+        self.login("gamma")
+        for endpoint in ("/superset/sqllab/", "/superset/sqllab/history/"):
+            resp = self.client.get(endpoint)
+            # Redirects to the main page
+            self.assertEqual(302, resp.status_code)
+
     def test_sql_json_schema_access(self):
         examples_db = get_example_database()
         db_backend = examples_db.backend