Allow Gamma and Alpha to access '/users/userinfo/' (apache#6936)

* Allow Gamma and Alpha to access '/users/userinfo/' closes apache#4919 * Fix unit test * Fix test
lussong · Apr 22, 2019 · 36a219d · 36a219d
1 parent aa1d9ae
commit 36a219d
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 7 deletions.
diff --git a/superset/security.py b/superset/security.py
@@ -81,19 +81,23 @@ class SupersetSecurityManager(SecurityManager):
         'can_list',
     }
 
-    ALPHA_ONLY_PERMISSIONS = set([
+    ALPHA_ONLY_PERMISSIONS = {
         'muldelete',
         'all_database_access',
         'all_datasource_access',
-    ])
+    }
 
-    OBJECT_SPEC_PERMISSIONS = set([
+    OBJECT_SPEC_PERMISSIONS = {
         'database_access',
         'schema_access',
         'datasource_access',
         'metric_access',
         'can_only_access_owned_queries',
-    ])
+    }
+
+    ACCESSIBLE_PERMS = {
+        'can_userinfo',
+    }
 
     def get_schema_perm(self, database, schema):
         if schema:
@@ -386,15 +390,21 @@ def is_alpha_only(self, pvm):
             pvm.permission.name in self.ALPHA_ONLY_PERMISSIONS
         )
 
+    def is_accessible_to_all(self, pvm):
+        return pvm.permission.name in self.ACCESSIBLE_PERMS
+
     def is_admin_pvm(self, pvm):
         return not self.is_user_defined_permission(pvm)
 
     def is_alpha_pvm(self, pvm):
-        return not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm))
+        return (
+            not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm)) or
+            self.is_accessible_to_all(pvm)
+        )
 
     def is_gamma_pvm(self, pvm):
         return not (self.is_user_defined_permission(pvm) or self.is_admin_only(pvm) or
-                    self.is_alpha_only(pvm))
+                    self.is_alpha_only(pvm)) or self.is_accessible_to_all(pvm)
 
     def is_sql_lab_pvm(self, pvm):
         return (

diff --git a/tests/core_tests.py b/tests/core_tests.py
@@ -189,7 +189,6 @@ def assert_admin_view_menus_in(role_name, assert_func):
             assert_func('ResetPasswordView', view_menus)
             assert_func('RoleModelView', view_menus)
             assert_func('Security', view_menus)
-            assert_func('UserDBModelView', view_menus)
             assert_func('SQL Lab',
                         view_menus)
 

diff --git a/tests/security_tests.py b/tests/security_tests.py
@@ -76,6 +76,7 @@ def assert_can_gamma(self, perm_set):
         self.assertIn(('can_slice', 'Superset'), perm_set)
         self.assertIn(('can_explore', 'Superset'), perm_set)
         self.assertIn(('can_explore_json', 'Superset'), perm_set)
+        self.assertIn(('can_userinfo', 'UserDBModelView'), perm_set)
 
     def assert_can_alpha(self, perm_set):
         self.assert_can_all('SqlMetricInlineView', perm_set)
@@ -231,6 +232,7 @@ def assert_can_all(view_menu):
         self.assertIn(('can_fave_slices', 'Superset'), gamma_perm_set)
         self.assertIn(('can_save_dash', 'Superset'), gamma_perm_set)
         self.assertIn(('can_slice', 'Superset'), gamma_perm_set)
+        self.assertIn(('can_userinfo', 'UserDBModelView'), gamma_perm_set)
 
     def test_views_are_secured(self):
         """Preventing the addition of unsecured views without has_access decorator"""