fix(alerts): restrict list view and gamma perms

[villebro]

SUMMARY

Currently Gamma users have read and write permissions for Alerts & Reports and menu access for "Alerts & Reports". However, since they don't have access to the "Manage" menu, they can't see the menu item. This means that they can actually access the list view if the URL is provided to them. In addition, the list view shows all entries in the report schedule, although users are only able to edit entries they own.

This PR does the following:

• Removes "can read on ReportSchedule", "can write on ReportSchedule" and "Alerts & Report" permissions from Gamma users
• Adds a new base filter to only show owned entries for users without the all_datasource_access perm
• Adds tests to assert that admin, alpha and gamma users see the all entries in the list view (admin sees all, alpha sees all, gamma with extra perms only sees owned entries)
• If the user doesn't have edit rights (=isn't owner or isn't Admin) do the following:
  • disable the toggle
  • remove trashcan
  • replace "Edit" + Pen icon with "View" + Binoculars icon
• Adds an entry to UPDATING.md with instructions on how to give perms to Gamma users

AFTER

When an Alpha user enters the list view, non-owned objects will appear with the toggle disabled, no trashcan and the "Edit" + Pen replaced with "View" + Binoculars (note that I didn't change the modal by dsabling fields etc, as changing that is a slightly bigger effort):

When a regular Gamma user tries to access the Alerts & Reports list view with the direct URL, they get an "Access denied" error:

When a Gamma user with the read on ReportSchedule perm accesses the list view, they can only see their own entries in the list view, despite there being four entries in the report schedule (see the Before screenshot):

BEFORE

Previously the Gamma and Alpha user saw and were able to edit all users' entries, despite not being able to change them (here I'm trying to enable another user's alert as a Gamma user, which fails due to missing perms).

Previously Gamma users were able to access the list view if they knew the URL, despite not having menu access:

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

Merging #21765 (58c27ce) into master (df3b5a8) will decrease coverage by 0.16%.
The diff coverage is 85.71%.

❗ Current head 58c27ce differs from pull request most recent head c2761a3. Consider uploading reports for the commit c2761a3 to get more accurate results

@@            Coverage Diff             @@
##           master   #21765      +/-   ##
==========================================
- Coverage   66.85%   66.68%   -0.17%     
==========================================
  Files        1805     1805              
  Lines       69061    69071      +10     
  Branches     7369     7369              
==========================================
- Hits        46169    46062     -107     
- Misses      20995    21112     +117     
  Partials     1897     1897              

Flag	Coverage Δ
hive	?
mysql	78.25% <91.30%> (+<0.01%)	⬆️
postgres	78.30% <91.30%> (-0.01%)	⬇️
presto	?
python	81.10% <91.30%> (-0.35%)	⬇️
sqlite	76.80% <91.30%> (+<0.01%)	⬆️
unit	51.06% <30.43%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
superset/security/manager.py	95.75% <ø> (ø)
...perset-frontend/src/views/CRUD/alert/AlertList.tsx	62.50% <60.00%> (ø)
superset/reports/commands/execute.py	91.98% <83.33%> (ø)
superset/reports/api.py	90.29% <100.00%> (+0.07%)	⬆️
superset/reports/dao.py	84.92% <100.00%> (+0.24%)	⬆️
superset/reports/filters.py	95.23% <100.00%> (+2.38%)	⬆️
superset/db_engines/hive.py	0.00% <0.00%> (-85.19%)	⬇️
superset/db_engine_specs/hive.py	71.14% <0.00%> (-16.21%)	⬇️
superset/db_engine_specs/presto.py	81.05% <0.00%> (-6.73%)	⬇️
superset/reports/commands/log_prune.py	85.71% <0.00%> (-3.58%)	⬇️
... and 8 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[eschutho]

@villebro I wonder if someone were to read this entry without seeing your explanation in the PR, if they would think that they need to grant access to Gamma users to keep the same functionality that we have now. This is tricky, because to most people it won't look like a breaking change.

[villebro]

Good point - I'll make the entry more explicit, specifically scoping this to deployments that have enabled the "ALERT_REPORTS" feature flag.

[eschutho]

@villebro I asked for some product/design feedback on what an alpha can see on the list page, too.

[yousoph]

hi @villebro !! I'm wondering if it might make sense for an Alpha user to see all Alerts & Reports in the list view, but with no actions in the actions column and a disabled "Active" toggle if they aren't the owner, like the bottom row here:

There could be a case where an Alpha user is a recipient of a report but not the owner, and not seeing it in the list view could be confusing or lead to duplicates being created unintentionally.

In the future, maybe there could be a "View Only" mode to see report details even if you can't edit (though that is probably out of the scope of this PR)

Open to feedback here though, what are your thoughts?

[dpgaspar]

LGTM

[dpgaspar]

since this method always runs on a celery async context I see no issue here, but what are we trying to solve?

[zhaoyongjie]

i think it for switching current user to the user = security_manager.find_user(username=app.config["THUMBNAIL_SELENIUM_USER"])

[dpgaspar]

@zhaoyongjie yes it switches the user, just wondering why we need g.user set on async tasks, to set changed_by fields?

[villebro]

The new BaseFilter checks sm.is_admin(), which in turn checks the roles of g.user, which otherwise will be unset. So without this change executing Alerts and Reports fails (the integration tests thankfully picked this up 👍 )

[zhaoyongjie]

Thanks for the fixing. I have tested it in my local, it works as expected. leave some non-blocking suggestions for testing code style.

[zhaoyongjie]

one nit, in order to avoid extra indeed and context grammar, we should use app_context and login_admin fixtures

def create_working_report_schedule(app_context, login_admin):
    ....
    ....

[villebro]

For some reason I'm having trouble using these fixtures with the class-based tests. Let's leave this for a follow-up refactor PR when these tests are refactored into functional tests.

[zhaoyongjie]

there is a fixture called login_as might help for this case.

[villebro]

Same here

[villebro]

hi @villebro !! I'm wondering if it might make sense for an Alpha user to see all Alerts & Reports in the list view, but with no actions in the actions column and a disabled "Active" toggle if they aren't the owner, like the bottom row here: There could be a case where an Alpha user is a recipient of a report but not the owner, and not seeing it in the list view could be confusing or lead to duplicates being created unintentionally.

In the future, maybe there could be a "View Only" mode to see report details even if you can't edit (though that is probably out of the scope of this PR)

Open to feedback here though, what are your thoughts?

I see where you're coming from, and I agree in the context of Alerts and Reports it could make sense to have elevated privileges for the Alpha role. However, in the current context, this would go against current RBAC conventions, as Alpha is only able to see owned Charts and Dashboards. Having different logic for what Alpha can see on Dashboards and Charts vs Alerts and Reports could be confusing. For this reason I'd almost propose starting a separate discussion about what Alpha should and should not be able to see, and then apply this consistently throughout all object types.

Ping @dpgaspar , do you have any thoughts on this topic?

[villebro]

hi @villebro !! I'm wondering if it might make sense for an Alpha user to see all Alerts & Reports in the list view, but with no actions in the actions column and a disabled "Active" toggle if they aren't the owner, like the bottom row here: There could be a case where an Alpha user is a recipient of a report but not the owner, and not seeing it in the list view could be confusing or lead to duplicates being created unintentionally.
In the future, maybe there could be a "View Only" mode to see report details even if you can't edit (though that is probably out of the scope of this PR)
Open to feedback here though, what are your thoughts?

I see where you're coming from, and I agree in the context of Alerts and Reports it could make sense to have elevated privileges for the Alpha role. However, in the current context, this would go against current RBAC conventions, as Alpha is only able to see owned Charts and Dashboards. Having different logic for what Alpha can see on Dashboards and Charts vs Alerts and Reports could be confusing. For this reason I'd almost propose starting a separate discussion about what Alpha should and should not be able to see, and then apply this consistently throughout all object types.

@yousoph I stand corrected - the Alpha role does indeed have the all_datasource_access, which gives the Alpha user full visibility into all dashboards, datasets and charts. I'm going to change this logic so that instead of checking is_admin, I'm going to check for all_datasource_access, and if that's the case, it will show all Alerts & Reports.

[villebro]

@yousoph I've changed the frontend so that non-admins will have a slightly different UX depending on whether or not they are owners (see screenshots in description)

[villebro]

/testenv up FEATURE_ALERT_REPORTS=true

[github-actions]

@villebro Ephemeral environment spinning up at http://54.202.241.131:8080. Credentials are admin/admin. Please allow several minutes for bootstrapping and startup.

[yousoph]

Thanks for the updates, this is looking great!!

One thing I noticed for the Alpha user - when they try to save changes on a report that they don't own, they see a toast with this message:
An error occurred while fetching reports: "Forbidden"

I think the buttons on the modal should be hidden (or disabled)... or if that's not doable we should at least update the toast message to clarify to the user why the save failed.

[villebro]

Thanks for the updates, this is looking great!!

One thing I noticed for the Alpha user - when they try to save changes on a report that they don't own, they see a toast with this message:

An error occurred while fetching reports: "Forbidden"

I think the buttons on the modal should be hidden (or disabled)... or if that's not doable we should at least update the toast message to clarify to the user why the save failed.

I noticed the same (there's also an annoying pluralization on the model name, making it "Reportss" 😄 I checked that fixing these is slightly more work than I have time for now, but I'll try to find time to fix these in a follow up PR.

[github-actions]

Ephemeral environment shutdown and build artifacts deleted.