From d70bac0a26f89d28486b13f43056571a7be6e1b4 Mon Sep 17 00:00:00 2001
From: akushniarevich
Date: Tue, 24 Mar 2020 14:46:18 +0300
Subject: [PATCH 1/2] fix: Row Level Security get_rls_filters func SELECT statement
---
 superset/security/manager.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/superset/security/manager.py b/superset/security/manager.py
index fe39b1924d602..b82c7137b70e9 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -918,7 +918,7 @@ def get_rls_filters(self, table: "BaseDatasource"):
 .subquery()
 )
 filter_roles = (
- db.session.query(RLSFilterRoles.c.id)
+ db.session.query(RLSFilterRoles.c.rls_filter_id)
 .filter(RLSFilterRoles.c.role_id.in_(user_roles))
 .subquery()
 )
From de77f2ff3d6ed0637d59b3b1e3c6f48443ebee52 Mon Sep 17 00:00:00 2001
From: axelet
Date: Mon, 30 Mar 2020 21:18:38 +0300
Subject: [PATCH 2/2] More general RowLevelSecurityTests case to avoid improper ids matching
---
 tests/security_tests.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/tests/security_tests.py b/tests/security_tests.py
index 7b8df262fea42..476b67019f15a 100644
--- a/tests/security_tests.py
+++ b/tests/security_tests.py
@@ -833,10 +833,11 @@ def setUp(self):
 self.rls_entry.table = (
 session.query(SqlaTable).filter_by(table_name="birth_names").first()
 )
- self.rls_entry.clause = "gender = 'male'"
+ self.rls_entry.clause = "gender = 'boy'"
 self.rls_entry.roles.append(
 security_manager.find_role("Gamma")
 ) # db.session.query(Role).filter_by(name="Gamma").first())
+ self.rls_entry.roles.append(security_manager.find_role("Alpha"))
 db.session.add(self.rls_entry)
 db.session.commit()
@@ -849,7 +850,7 @@ def tearDown(self):
 # Do another test to make sure it doesn't alter another query
 def test_rls_filter_alters_query(self):
 g.user = self.get_user(
- username="gamma"
+ username="alpha"
 ) # self.login() doesn't actually set the user
 tbl = self.get_table_by_name("birth_names")
 query_obj = dict(
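Review bot: In the superset/security/manager.py hunk, the `filter_roles` subquery still has no comment on which id it must return, and that is exactly what went wrong: selecting the association row's own `id` raises no error, it just yields values that match the wrong filter or none, so a user's row-level clause can be dropped from the query without any signal. I would add `# rls_filter_id, not the association row's id: these values are matched against filter ids` above the `db.session.query(...)` line. get_rls_filters starts and ends outside the hunk, so how the subquery is consumed is inferred from the commit subject rather than visible here.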
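Review bot: In the setUp hunk of tests/security_tests.py, the added `self.rls_entry.roles.append(security_manager.find_role("Alpha"))` has no comment saying why a second role is attached, although the regression depends on it: with a single role the association row id and the filter id can coincide, which appears to be why the earlier test passed against the wrong column. I would add `# second role so the Alpha association row id differs from the filter id` above it. The check still leans on how the database allocates ids, so an assertion on what `get_rls_filters` returns for the alpha user would be a more direct guard. setUp begins outside the hunk.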
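Review bot: In the `@@ -849,7 +850,7 @@` hunk, switching the user from gamma to alpha leaves no visible positive assertion for a Gamma user, even though setUp still attaches the Gamma role to the filter. Running the same check for both users keeps that coverage, for example `for username in ("gamma", "alpha"):` followed by `g.user = self.get_user(username=username)` with the rest of the body indented under the loop; a `self.subTest(username=username)` block would keep the two failures separate. The test body continues past the end of the hunk.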
@@ -864,7 +865,7 @@ def test_rls_filter_alters_query(self):
 extras={},
 )
 sql = tbl.get_query_str(query_obj)
- self.assertIn("gender = 'male'", sql)
+ self.assertIn("gender = 'boy'", sql)
 def test_rls_filter_doesnt_alter_query(self):
 g.user = self.get_user(
@@ -883,4 +884,4 @@ def test_rls_filter_doesnt_alter_query(self):
 extras={},
 )
 sql = tbl.get_query_str(query_obj)
- self.assertNotIn("gender = 'male'", sql)
+ self.assertNotIn("gender = 'boy'", sql)
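Review bot: The clause literal `"gender = 'boy'"` is now spelled out in setUp and again in the assertions of the `@@ -864,7 +865,7 @@` and `@@ -883,4 +884,4 @@` hunks, which is why this commit had to touch three places to change one value. A class-level `RLS_CLAUSE = "gender = 'boy'"`, used as `self.rls_entry.clause = self.RLS_CLAUSE` and `self.assertNotIn(self.RLS_CLAUSE, sql)`, would keep the negative assertion from passing vacuously if the clause is later edited in setUp only. Both test bodies start outside their hunks.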