Skip to content

[log] fix, log model view permissions#8993

Merged
dpgaspar merged 6 commits into
apache:masterfrom
preset-io:fix/log-view-permissions
Jan 26, 2020
Merged

[log] fix, log model view permissions#8993
dpgaspar merged 6 commits into
apache:masterfrom
preset-io:fix/log-view-permissions

Conversation

@dpgaspar
Copy link
Copy Markdown
Member

@dpgaspar dpgaspar commented Jan 22, 2020
edited
Loading

CATEGORY

Choose one

  • Bug Fix
  • Enhancement (new features, refinement)
  • Refactor
  • Add tests
  • Build / Development Environment
  • Documentation

SUMMARY

Restrict LogModelView permissions

TEST PLAN

Tested that users don't have access to the View and Api through LogRestApi

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Requires DB Migration.
  • Confirm DB Migration upgrade and downgrade tested.
  • Introduces new feature or API
  • Removes existing feature or API

REVIEWERS

@dpgaspar dpgaspar changed the title [log] Only Admin's have log model view permissions [log] fix, Only Admin's have log model view permissions Jan 22, 2020
@dpgaspar dpgaspar changed the title [log] fix, Only Admin's have log model view permissions [log] fix, log model view permissions Jan 22, 2020
@dpgaspar dpgaspar marked this pull request as ready for review January 22, 2020 18:12
willbarrett
willbarrett requested changes Jan 22, 2020
View reviewed changes
Comment thread tests/security_tests.py Outdated
self.assertTrue(
security_manager._is_admin_only(
security_manager.find_permission_view_menu("can_delete", "DatabaseView")
log_permissions = ["can_list", "can_show", "can_add", "can_edit", "can_delete"]
Copy link
Copy Markdown
Member

@willbarrett willbarrett Jan 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By default, I think we don't want logs to be editable. I'd remove can_add, can_edit, and can_delete for all users.

Copy link
Copy Markdown
Member Author

@dpgaspar dpgaspar Jan 23, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right! but that is being handled on #8960. I would merge #8960 first then on the solution found, change this PR, or merge this and then make the change on #8960

Copy link
Copy Markdown
Member Author

@dpgaspar dpgaspar Jan 23, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's merged!

Copy link
Copy Markdown
Member

@willbarrett willbarrett Jan 23, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, works for me.

@dpgaspar dpgaspar changed the title [log] fix, log model view permissions [WiP] [log] fix, log model view permissions Jan 23, 2020
@dpgaspar dpgaspar changed the title [WiP] [log] fix, log model view permissions [log] fix, log model view permissions Jan 23, 2020
@dpgaspar dpgaspar changed the title [log] fix, log model view permissions [WiP] [log] fix, log model view permissions Jan 23, 2020
@dpgaspar dpgaspar changed the title [WiP] [log] fix, log model view permissions [log] fix, log model view permissions Jan 24, 2020
@pull-request-size pull-request-size Bot added size/L and removed size/S labels Jan 24, 2020
@dpgaspar dpgaspar merged commit 1f21bf8 into apache:master Jan 26, 2020
@dpgaspar dpgaspar deleted the fix/log-view-permissions branch January 26, 2020 12:16
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.36.0 First shipped in 0.36.0 labels Feb 28, 2024
qfcwell pushed a commit to qfcwell/superset that referenced this pull request May 12, 2026
@dpgaspar
[log] fix, log model view permissions (apache#8993)
2abf0d3 
Limit MVC access to admin role only and limit REST API permissions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@willbarrett willbarrett willbarrett approved these changes

Assignees

No one assigned

Labels

🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/L 🚢 0.36.0 First shipped in 0.36.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dpgaspar @willbarrett @mistercrunch