Skip to content

Commit

Permalink
fix: Add migration to add created_by_fk as explicit owner for charts …
Browse files Browse the repository at this point in the history
…and datasets (#20617)

* fix: Add migration to add created_by_fk as owner

* Update 2022-07-05_15-48_409c7b420ab0_add_created_by_fk_as_owner.py

Co-authored-by: John Bodley <john.bodley@airbnb.com>
  • Loading branch information
john-bodley and john-bodley committed Jul 26, 2022
1 parent a69f016 commit e1094e2
Show file tree
Hide file tree
Showing 2 changed files with 135 additions and 13 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
"""add created_by_fk as owner
Revision ID: 409c7b420ab0
Revises: a39867932713
Create Date: 2022-07-05 15:48:06.029190
"""

# revision identifiers, used by Alembic.
revision = "409c7b420ab0"
down_revision = "a39867932713"

from alembic import op
from sqlalchemy import and_, Column, insert, Integer
from sqlalchemy.ext.declarative import declarative_base

from superset import db

Base = declarative_base()


class Dataset(Base):
__tablename__ = "sl_datasets"

id = Column(Integer, primary_key=True)
created_by_fk = Column(Integer)


class DatasetUser(Base):
__tablename__ = "sl_dataset_users"

id = Column(Integer, primary_key=True)
user_id = Column(Integer)
dataset_id = Column(Integer)


class Slice(Base):
__tablename__ = "slices"

id = Column(Integer, primary_key=True)
created_by_fk = Column(Integer)


class SliceUser(Base):
__tablename__ = "slice_user"

id = Column(Integer, primary_key=True)
user_id = Column(Integer)
slice_id = Column(Integer)


class SqlaTable(Base):
__tablename__ = "tables"

id = Column(Integer, primary_key=True)
created_by_fk = Column(Integer)


class SqlaTableUser(Base):
__tablename__ = "sqlatable_user"

id = Column(Integer, primary_key=True)
user_id = Column(Integer)
table_id = Column(Integer)


def upgrade():
bind = op.get_bind()
session = db.Session(bind=bind)

op.execute(
insert(DatasetUser).from_select(
["user_id", "dataset_id"],
session.query(Dataset.created_by_fk, Dataset.id)
.outerjoin(
DatasetUser,
and_(
DatasetUser.dataset_id == Dataset.id,
DatasetUser.user_id == Dataset.created_by_fk,
),
)
.filter(DatasetUser.dataset_id == None),
)
)

op.execute(
insert(SliceUser).from_select(
["user_id", "slice_id"],
session.query(Slice.created_by_fk, Slice.id)
.outerjoin(
SliceUser,
and_(
SliceUser.slice_id == Slice.id,
SliceUser.user_id == Slice.created_by_fk,
),
)
.filter(SliceUser.slice_id == None),
)
)

op.execute(
insert(SqlaTableUser).from_select(
["user_id", "table_id"],
session.query(SqlaTable.created_by_fk, SqlaTable.id)
.outerjoin(
SqlaTableUser,
and_(
SqlaTableUser.table_id == SqlaTable.id,
SqlaTableUser.user_id == SqlaTable.created_by_fk,
),
)
.filter(SqlaTableUser.table_id == None),
)
)


def downgrade():
pass
14 changes: 1 addition & 13 deletions superset/security/manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -1534,20 +1534,8 @@ def raise_for_ownership(self, resource: Model) -> None:
if self.is_admin():
return

# Set of wners that works across ORM models.
owners: List[User] = []

orig_resource = db.session.query(resource.__class__).get(resource.id)

if orig_resource:
if hasattr(resource, "owners"):
owners += orig_resource.owners

if hasattr(resource, "owner"):
owners.append(orig_resource.owner)

if hasattr(resource, "created_by"):
owners.append(orig_resource.created_by)
owners = orig_resource.owners if hasattr(orig_resource, "owners") else []

if g.user.is_anonymous or g.user not in owners:
raise SupersetSecurityException(
Expand Down

0 comments on commit e1094e2

Please sign in to comment.