[security] Moving set/merge perm to security manager

apache · Aug 21, 2018 · 0480c1f · 0480c1f
1 parent 2d23ae1
commit 0480c1f
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 60 deletions.
diff --git a/superset/connectors/druid/models.py b/superset/connectors/druid/models.py
@@ -41,7 +41,7 @@
 from superset.connectors.base.models import BaseColumn, BaseDatasource, BaseMetric
 from superset.exceptions import MetricPermException, SupersetException
 from superset.models.helpers import (
-    AuditMixinNullable, ImportMixin, QueryResult, set_perm,
+    AuditMixinNullable, ImportMixin, QueryResult,
 )
 from superset.utils import (
     DimSelector, DTTM_ALIAS, flasher,
@@ -1601,5 +1601,5 @@ def external_metadata(self):
         ]
 
 
-sa.event.listen(DruidDatasource, 'after_insert', set_perm)
-sa.event.listen(DruidDatasource, 'after_update', set_perm)
+sa.event.listen(DruidDatasource, 'after_insert', security_manager.set_perm)
+sa.event.listen(DruidDatasource, 'after_update', security_manager.set_perm)
diff --git a/superset/connectors/sqla/models.py b/superset/connectors/sqla/models.py
@@ -29,7 +29,6 @@
 from superset.models.annotations import Annotation
 from superset.models.core import Database
 from superset.models.helpers import QueryResult
-from superset.models.helpers import set_perm
 from superset.utils import DTTM_ALIAS, QueryStatus
 
 config = app.config
@@ -892,5 +891,5 @@ def default_query(qry):
         return qry.filter_by(is_sqllab_view=False)
 
 
-sa.event.listen(SqlaTable, 'after_insert', set_perm)
-sa.event.listen(SqlaTable, 'after_update', set_perm)
+sa.event.listen(SqlaTable, 'after_insert', security_manager.set_perm)
+sa.event.listen(SqlaTable, 'after_update', security_manager.set_perm)
diff --git a/superset/models/core.py b/superset/models/core.py
@@ -39,7 +39,7 @@
 from superset import app, db, db_engine_specs, security_manager, utils
 from superset.connectors.connector_registry import ConnectorRegistry
 from superset.legacy import update_time_range
-from superset.models.helpers import AuditMixinNullable, ImportMixin, set_perm
+from superset.models.helpers import AuditMixinNullable, ImportMixin
 from superset.models.user_attributes import UserAttribute
 from superset.utils import MediumText
 from superset.viz import viz_types
@@ -959,8 +959,8 @@ def get_dialect(self):
         return sqla_url.get_dialect()()
 
 
-sqla.event.listen(Database, 'after_insert', set_perm)
-sqla.event.listen(Database, 'after_update', set_perm)
+sqla.event.listen(Database, 'after_insert', security_manager.set_perm)
+sqla.event.listen(Database, 'after_update', security_manager.set_perm)
 
 
 class Log(Model):

diff --git a/superset/models/helpers.py b/superset/models/helpers.py
@@ -21,7 +21,6 @@
 from sqlalchemy.orm.exc import MultipleResultsFound
 import yaml
 
-from superset import security_manager
 from superset.utils import QueryStatus
 
 
@@ -312,53 +311,3 @@ def __init__(  # noqa
         self.duration = duration
         self.status = status
         self.error_message = error_message
-
-
-def merge_perm(sm, permission_name, view_menu_name, connection):
-
-    permission = sm.find_permission(permission_name)
-    view_menu = sm.find_view_menu(view_menu_name)
-    pv = None
-
-    if not permission:
-        permission_table = sm.permission_model.__table__
-        connection.execute(
-            permission_table.insert()
-            .values(name=permission_name),
-        )
-    if not view_menu:
-        view_menu_table = sm.viewmenu_model.__table__
-        connection.execute(
-            view_menu_table.insert()
-            .values(name=view_menu_name),
-        )
-
-    permission = sm.find_permission(permission_name)
-    view_menu = sm.find_view_menu(view_menu_name)
-
-    if permission and view_menu:
-        pv = sm.get_session.query(sm.permissionview_model).filter_by(
-            permission=permission, view_menu=view_menu).first()
-    if not pv and permission and view_menu:
-        permission_view_table = sm.permissionview_model.__table__
-        connection.execute(
-            permission_view_table.insert()
-            .values(
-                permission_id=permission.id,
-                view_menu_id=view_menu.id,
-            ),
-        )
-
-
-def set_perm(mapper, connection, target):  # noqa
-
-    if target.perm != target.get_perm():
-        link_table = target.__table__
-        connection.execute(
-            link_table.update()
-            .where(link_table.c.id == target.id)
-            .values(perm=target.get_perm()),
-        )
-
-    # add to view menu if not already exists
-    merge_perm(security_manager, 'datasource_access', target.get_perm(), connection)
diff --git a/superset/security.py b/superset/security.py
@@ -383,3 +383,47 @@ def is_granter_pvm(self, pvm):
         return pvm.permission.name in {
             'can_override_role_permissions', 'can_approve',
         }
+
+    def set_perm(self, mapper, connection, target):  # noqa
+        if target.perm != target.get_perm():
+            link_table = target.__table__
+            connection.execute(
+                link_table.update()
+                .where(link_table.c.id == target.id)
+                .values(perm=target.get_perm()),
+            )
+
+        # add to view menu if not already exists
+        permission_name = 'datasource_access'
+        view_menu_name = target.get_perm()
+        permission = self.find_permission(permission_name)
+        view_menu = self.find_view_menu(view_menu_name)
+        pv = None
+
+        if not permission:
+            permission_table = self.permission_model.__table__  # noqa: E501 pylint: disable=no-member
+            connection.execute(
+                permission_table.insert()
+                .values(name=permission_name),
+            )
+            permission = self.find_permission(permission_name)
+        if not view_menu:
+            view_menu_table = self.viewmenu_model.__table__  # pylint: disable=no-member
+            connection.execute(
+                view_menu_table.insert()
+                .values(name=view_menu_name),
+            )
+            view_menu = self.find_view_menu(view_menu_name)
+
+        if permission and view_menu:
+            pv = self.get_session.query(self.permissionview_model).filter_by(
+                permission=permission, view_menu=view_menu).first()
+        if not pv and permission and view_menu:
+            permission_view_table = self.permissionview_model.__table__  # noqa: E501 pylint: disable=no-member
+            connection.execute(
+                permission_view_table.insert()
+                .values(
+                    permission_id=permission.id,
+                    view_menu_id=view_menu.id,
+                ),
+            )