allow security manager provide error message

apache · Jul 27, 2018 · a0c4858 · a0c4858
1 parent 54fba0f
commit a0c4858
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 19 deletions.
diff --git a/superset/security.py b/superset/security.py
@@ -117,6 +117,18 @@ def datasource_access(self, datasource, user=None):
             self.can_access('datasource_access', datasource.perm, user=user)
         )
 
+    def get_datasource_access_error_msg(self, datasource):
+        return """This endpoint requires the datasource {}, database or
+            `all_datasource_access` permission""".format(datasource.name)
+
+    def get_datasource_access_link(self, datasource):
+        from superset import conf
+        return conf.get('PERMISSION_INSTRUCTIONS_LINK')
+
+    def get_table_access_error_msg(self, table_name):
+        return """You need access to the following tables: {}, all database access or
+              `all_datasource_access` permission""".format(table_name)
+
     def datasource_access_by_name(
             self, database, datasource_name, schema=None):
         from superset import db

diff --git a/superset/views/core.py b/superset/views/core.py
@@ -68,7 +68,6 @@
 ACCESS_REQUEST_MISSING_ERR = __(
     'The access requests seem to have been deleted')
 USER_MISSING_ERR = __('The user seems to have been deleted')
-DATASOURCE_ACCESS_ERR = __("You don't have access to this datasource")
 
 FORM_DATA_KEY_BLACKLIST = []
 if not config.get('ENABLE_JAVASCRIPT_CONTROLS'):
@@ -84,11 +83,6 @@ def get_database_access_error_msg(database_name):
               '`all_datasource_access` permission', name=database_name)
 
 
-def get_datasource_access_error_msg(datasource_name):
-    return __('This endpoint requires the datasource %(name)s, database or '
-              '`all_datasource_access` permission', name=datasource_name)
-
-
 def json_success(json_msg, status=200):
     return Response(json_msg, status=status, mimetype='application/json')
 
@@ -1094,8 +1088,9 @@ def generate_json(self, datasource_type, datasource_id, form_data,
 
         if not security_manager.datasource_access(viz_obj.datasource, g.user):
             return json_error_response(
-                DATASOURCE_ACCESS_ERR, status=404, link=config.get(
-                    'PERMISSION_INSTRUCTIONS_LINK'))
+                security_manager.get_datasource_access_error_msg(viz_obj.datasource),
+                status=404,
+                link=security_manager.get_datasource_access_error_msg(viz_obj.datasource))
 
         if csv:
             return CsvResponse(
@@ -1260,9 +1255,11 @@ def explore(self, datasource_type=None, datasource_id=None):
             flash(DATASOURCE_MISSING_ERR, 'danger')
             return redirect(error_redirect)
 
-        if not security_manager.datasource_access(datasource):
+        if config.get('ENABLE_ACCESS_REQUEST') and (
+            not security_manager.datasource_access(datasource)
+        ):
             flash(
-                __(get_datasource_access_error_msg(datasource.name)),
+                __(security_manager.get_datasource_access_error_msg(datasource)),
                 'danger')
             return redirect(
                 'superset/request_access/?'
@@ -1364,7 +1361,8 @@ def filter(self, datasource_type, datasource_id, column):
         if not datasource:
             return json_error_response(DATASOURCE_MISSING_ERR)
         if not security_manager.datasource_access(datasource):
-            return json_error_response(DATASOURCE_ACCESS_ERR)
+            return json_error_response(
+                security_manager.get_datasource_access_error_msg(datasource))
 
         payload = json.dumps(
             datasource.values_for_column(
@@ -2086,7 +2084,7 @@ def dashboard(self, dashboard_id):
             for datasource in datasources:
                 if datasource and not security_manager.datasource_access(datasource):
                     flash(
-                        __(get_datasource_access_error_msg(datasource.name)),
+                        __(security_manager.get_datasource_access_error_msg(datasource)),
                         'danger')
                     return redirect(
                         'superset/request_access/?'
@@ -2384,7 +2382,7 @@ def results(self, key):
         rejected_tables = security_manager.rejected_datasources(
             query.sql, query.database, query.schema)
         if rejected_tables:
-            return json_error_response(get_datasource_access_error_msg(
+            return json_error_response(security_manager.get_table_access_error_msg(
                 '{}'.format(rejected_tables)))
 
         return json_success(utils.zlib_decompress_to_string(blob))
@@ -2426,8 +2424,10 @@ def sql_json(self):
 
         rejected_tables = security_manager.rejected_datasources(sql, mydb, schema)
         if rejected_tables:
-            return json_error_response(get_datasource_access_error_msg(
-                '{}'.format(rejected_tables)))
+            return json_error_response(
+                security_manager.get_datasource_access_error_msg('{}'.format(
+                    rejected_tables)),
+                link=security_manager.get_table_error_link(rejected_tables))
         session.commit()
 
         select_as_cta = request.form.get('select_as_cta') == 'true'
@@ -2540,7 +2540,8 @@ def csv(self, client_id):
         rejected_tables = security_manager.rejected_datasources(
             query.sql, query.database, query.schema)
         if rejected_tables:
-            flash(get_datasource_access_error_msg('{}'.format(rejected_tables)))
+            flash(
+                security_manager.get_table_access_error_msg('{}'.format(rejected_tables)))
             return redirect('/')
         blob = None
         if results_backend and query.results_key:
@@ -2582,7 +2583,9 @@ def fetch_datasource_metadata(self):
 
         # Check permission for datasource
         if not security_manager.datasource_access(datasource):
-            return json_error_response(DATASOURCE_ACCESS_ERR)
+            return json_error_response(
+                security_manager.get_datasource_access_error_msg(datasource),
+                link=security_manager.get_datasource_error_link(datasource))
         return json_success(json.dumps(datasource.data))
 
     @expose('/queries/<last_updated_ms>')
@@ -2760,8 +2763,9 @@ def sliceQuery(self, slice_id):
         viz_obj = self.get_viz(slice_id)
         if not security_manager.datasource_access(viz_obj.datasource):
             return json_error_response(
-                DATASOURCE_ACCESS_ERR, status=401, link=config.get(
-                    'PERMISSION_INSTRUCTIONS_LINK'))
+                security_manager.get_datasource_access_error_msg(viz_obj.datasource),
+                status=401,
+                link=security_manager.get_datasource_error_link(viz_obj.datasource))
         return self.get_query_string_response(viz_obj)