fix: impose dataset ownership check on old API #12491

Merged
merged 4 commits into from
Jan 13, 2021

Member

@dpgaspar dpgaspar commented Jan 13, 2021

SUMMARY

The old API does not check for ownership; this PR fixes it.

When a user tries to change a dataset they do not own (and they're not admins):

Screenshot 2021-01-13 at 10 27 30

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Requires DB Migration.
  • Confirm DB Migration upgrade and downgrade tested.
  • Introduces new feature or API
  • Removes existing feature or API

Member

@villebro villebro left a comment

LGTM; we should probably add a note to UPDATING, as someone might currently be relying on being able to edit datasets that they're not owners of?

@dpgaspar
Member Author

@villebro good point, adding it

@codecov-io

codecov-io commented Jan 13, 2021

Codecov Report

Merging #12491 (e949170) into master (7aba4c2) will increase coverage by 0.34%.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##           master   #12491      +/-   ##
==========================================
+ Coverage   66.29%   66.64%   +0.34%     
==========================================
  Files        1015     1015              
  Lines       49554    49582      +28     
  Branches     5079     5079              
==========================================
+ Hits        32854    33046     +192     
+ Misses      16562    16406     -156     
+ Partials      138      130       -8     
Flag Coverage Δ
cypress 50.99% <ø> (+3.89%) ⬆️
javascript 60.76% <ø> (-0.01%) ⬇️
python 63.79% <50.00%> (-0.30%) ⬇️

Impacted Files Coverage Δ
superset/views/datasource.py 89.39% <42.85%> (-5.61%) ⬇️
superset/connectors/sqla/views.py 68.36% <50.00%> (-0.21%) ⬇️
superset/commands/exceptions.py 91.30% <100.00%> (ø)
superset/db_engines/hive.py 0.00% <0.00%> (-85.72%) ⬇️
superset/db_engine_specs/hive.py 54.61% <0.00%> (-29.24%) ⬇️
superset/databases/schemas.py 99.45% <0.00%> (-0.55%) ⬇️
superset/models/core.py 88.58% <0.00%> (-0.28%) ⬇️
...c/dashboard/components/nativeFilters/FilterBar.tsx 53.52% <0.00%> (+0.70%) ⬆️
superset/db_engine_specs/postgres.py 86.84% <0.00%> (+0.87%) ⬆️
...rset-frontend/src/explore/components/SaveModal.tsx 91.76% <0.00%> (+1.17%) ⬆️
... and 42 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@adam-stasiak
Contributor

Could you add this popup and prevent editing also for the legacy editor?

legacy.mov

@villebro
Member

It would be nice if we could disable the buttons that the user does not have access to, like edit and delete (not necessarily here, but in a follow-up PR)

@adam-stasiak
Contributor

after latest commit:
for legacy editor: You don't have the rights to alter [FCC 2018 Survey2]
small question -> should we in [] display original name or the one we would like to set?

@dpgaspar
Member Author

dpgaspar commented Jan 13, 2021

@adam-stasiak unfortunately it's sort of hard to get the old state at this point just by using FAB's pre FAB hook. These views are going to be removed, I hope, pretty soon, so it's probably not worth investing too much time in it.
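
The ownership check from the PR description and the pre-hook behaviour discussed in the comments above, as an added example (not Superset's or Flask-AppBuilder's code). The `User`, `Dataset`, `Column` and `LegacyView` classes, the `"Admin"` role name, and the assumption that form values are applied to the item before the hook runs are all hypothetical stand-ins.

```python
from dataclasses import dataclass, field

class OwnershipError(Exception):
    """Raised when a non-owner, non-admin user tries to alter an object."""

@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)  # "Admin" role name is an assumption

@dataclass
class Dataset:
    name: str
    owners: list = field(default_factory=list)

@dataclass
class Column:
    name: str
    dataset: Dataset  # child rows are governed by the parent dataset's owners

def check_ownership(user, obj):
    """Object-level check: allow admins and listed owners, deny everyone else."""
    dataset = obj.dataset if isinstance(obj, Column) else obj
    if "Admin" in user.roles:
        return
    if user.username in {o.username for o in dataset.owners}:
        return
    raise OwnershipError(f"You don't have the rights to alter [{dataset.name}]")

class LegacyView:
    """Toy stand-in for a legacy CRUD view with pre-save hooks."""
    def __init__(self, current_user):
        self.current_user = current_user

    def pre_update(self, item):
        check_ownership(self.current_user, item)
    pre_add = pre_update  # adding columns or metrics goes through the same gate

    def edit(self, item, **changes):
        # Assumed order: form values land on `item` before the hook sees it.
        original = dict(vars(item))
        for key, value in changes.items():
            setattr(item, key, value)
        try:
            self.pre_update(item)
        except OwnershipError:
            vars(item).update(original)  # undo the in-memory change on denial
            raise
        return item
```

Because the hook only sees the already-modified item, the denial message carries the requested name rather than the stored one, and the gate has to cover child objects as well as the dataset itself.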

@pull-request-size pull-request-size bot added size/M and removed size/S labels Jan 13, 2021
@dpgaspar dpgaspar added the v1.0 label Jan 13, 2021
@dpgaspar dpgaspar merged commit a078296 into apache:master Jan 13, 2021
@dpgaspar dpgaspar deleted the fix/check-owner-dataset branch January 13, 2021 18:06
amitmiran137 pushed a commit to nielsen-oss/superset that referenced this pull request Jan 14, 2021
* fix: impose dataset ownership check on old API

* update UPDATING.md

* partially protect the old MVC also

* prevent metric and column add and update
villebro pushed a commit that referenced this pull request Jan 15, 2021
villebro pushed a commit to preset-io/superset that referenced this pull request Jan 15, 2021
etr2460 pushed a commit that referenced this pull request Jan 25, 2021
* release: bump to 1.0.0 and CHANGELOG

* fix(explore): long metric name display (#12387)

* fix(explore): long metric name display

* add tooltip to control

* chore: Show datasets when search input is empty (#12391)

* chore: Fix typo “Rest” to “Reset” (#12392)

* chore: upgrade eslint, babel, and prettier (#12393)

* feat(explore): add tooltip to timepicker label (#12401)

* chore: change Datasource to Dataset in Explore ui (#12402)

* chore(explore):change dataset to datasource in ui

* modal

* Add space

* Changing it back🤦🏾‍♀️

* Chargeback

* fix: Refresh Interval Modal dropdown (#12406)

* fix(native-filters): incorrect queriesData state (#12409)

* refactor: from superset.utils.core break down date_parser (#12408)

* Fixes control panel fields styling (#12236) (#12326)

* feat: Resizable dataset and controls panels on Explore view (#12411)

* Implement resizable panels on explore view

* Optimize chart rendering while resizing

* Make dataset column narrower

Co-authored-by: Evan Rusackas <[email protected]>

* fix(dashboard): artefacts shown while drag and dropping deck.gl charts (#12418)

* [12181] Fix artifacts while drag and dropping deck.gl charts.

* Run prettier

* bump superset-ui packages for rolling window change (#12426)

* chore: bump superset-ui deckgl plugin (#12466)

* fix: do not show vertical scrollbar for charts in dashboard (#12478)

* fix: do not show vertical scrollbar for charts in dashboard

* Proper fix for #11419

Co-authored-by: Jesse Yang <[email protected]>

* fix(dashboard): use datasource id from slice metadata (#12483)

* fix(timepicker): make pyparsing thread safe (#12489)

* fix: make pyparsing thread safe

* remove parenthesis for decorator

* fix (SQL Lab): disappearing results on tab switch (#12472)

* fix (SQL Lab): disappearing results on tab switch

* Remove state

* Fix test

* fix: import ZIP files that have been modified (#12425)

* fix: import ZIP files that have been modified

* Add unit test

* update changelog with rc2 entries

* fix: impose dataset ownership check on old API (#12491)

* fix: impose dataset ownership check on old API

* update UPDATING.md

* partially protect the old MVC also

* prevent metric and column add and update

* ci: remove refs/tags from docker tags on a release (#12518)

* ci: remove refs/tags from docker tags on a release

* wider head

* fix: lowercase all columns in examples (#12530)

* fix(explore): time table control panel (#12532)

* fix(explore): Add Time section back to FilterBox (#12537)

* Fixing Pinot queries for time granularities: WEEKS/MONTHS/QUARTERS/YEARS (#12536)

* fix: Select options overflowing Save chart modal on Explore view (#12522)

* Fix select options overflowing modal

* fix unit test

Co-authored-by: Ville Brofeldt <[email protected]>

* Fix list filters vertical alignment (#12497)

* feat(db-engine): Add support for Apache Solr (#12403)

* [db engine] Add support for Apache Solr

* Fixing typo

* chore: rename docker image in build_docker_image.sh, docker-compose.yml and helm values.yaml (#12337)

* add rc3 changelog entries

* fix: Popover closes on change of dropdowns values (#12410)

* fix: Add MAX_SQL_ROW value to LIMIT_DROPDOWN (#12555)

* fix(viz): missing groupby and broken adhoc metrics for boxplot (#12556)

* fix: height on grid results (#12558)

* fix: case expression should not have double quotes (#12562)

* Fix 500 error when loading dashboards with slice having deleted dataset (#12535)

* add rc4 changelog entries

* Fixed typo on line 348

* Added files

Co-authored-by: Daniel Gaspar <[email protected]>
Co-authored-by: Yongjie Zhao <[email protected]>
Co-authored-by: Geido <[email protected]>
Co-authored-by: Junlin Chen <[email protected]>
Co-authored-by: Jesse Yang <[email protected]>
Co-authored-by: Agata Stawarz <[email protected]>
Co-authored-by: Ville Brofeldt <[email protected]>
Co-authored-by: Michael S. Molina <[email protected]>
Co-authored-by: Kamil Gabryjelski <[email protected]>
Co-authored-by: Evan Rusackas <[email protected]>
Co-authored-by: Kasia Kucharczyk <[email protected]>
Co-authored-by: Phillip Kelley-Dotson <[email protected]>
Co-authored-by: Grace Guo <[email protected]>
Co-authored-by: Beto Dealmeida <[email protected]>
Co-authored-by: Ville Brofeldt <[email protected]>
Co-authored-by: Xiang Fu <[email protected]>
Co-authored-by: Ahmed Adel <[email protected]>
Co-authored-by: Amit Miran <[email protected]>
Co-authored-by: Hugh A. Miles II <[email protected]>
Co-authored-by: Shuyao Bi <[email protected]>
Co-authored-by: Lyndsi Kay Williams <[email protected]>
@serenajiang
Contributor

A lot of our users rely on editing datasets they're not owners of, so this was a breaking change. I've had to manually alter the owners of ~10 important datasets that were owned by users who are no longer active, and we're concerned that this feature might inadvertently encourage users to create duplicate datasets to avoid this restriction.

It'd be nice if we could enable this feature again with a permission (instead of a role), feature flag, or similar.

@villebro @dpgaspar

@ktmud ktmud added the risk:breaking-change Issues or PRs that will introduce breaking changes label Feb 5, 2021
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 1.2.0 labels Mar 12, 2024