From 21dfc0a1eb089da7ac68e6dacb1adcf36c074168 Mon Sep 17 00:00:00 2001
From: Daniel Gaspar <danielvazgaspar@gmail.com>
Date: Wed, 15 Feb 2023 14:18:22 +0000
Subject: [PATCH 1/2] fix: css template permissions for gamma role

---
 superset/security/manager.py              |  1 +
 tests/integration_tests/security_tests.py | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/superset/security/manager.py b/superset/security/manager.py
index b1be13b78270..4e174c420ddd 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -164,6 +164,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
     GAMMA_READ_ONLY_MODEL_VIEWS = {
         "Dataset",
         "Datasource",
+        "CssTemplate",
     } | READ_ONLY_MODEL_VIEWS
 
     ADMIN_ONLY_VIEW_MENUS = {
diff --git a/tests/integration_tests/security_tests.py b/tests/integration_tests/security_tests.py
index 58bfb36d69e6..a443012cca77 100644
--- a/tests/integration_tests/security_tests.py
+++ b/tests/integration_tests/security_tests.py
@@ -1328,13 +1328,26 @@ def assert_can_all(self, view_menu, permissions_set):
     def assert_can_menu(self, view_menu, permissions_set):
         self.assertIn(("menu_access", view_menu), permissions_set)
 
+    def assert_cannot_menu(self, view_menu, permissions_set):
+        self.assertNotIn(("menu_access", view_menu), permissions_set)
+
+    def assert_cannot_gamma(self, perm_set):
+        self.assert_cannot_write("CssTemplate", perm_set)
+        self.assert_cannot_menu("CSS Templates", perm_set)
+        self.assert_cannot_menu("Manage", perm_set)
+        self.assert_cannot_menu("Queries", perm_set)
+        self.assert_cannot_menu("Import dashboards", perm_set)
+        self.assert_cannot_menu("Upload a CSV", perm_set)
+        self.assert_cannot_menu("ReportSchedule", perm_set)
+        self.assert_cannot_menu("Alerts & Report", perm_set)
+
     def assert_can_gamma(self, perm_set):
+        self.assert_can_read("CssTemplate", perm_set)
         self.assert_can_read("Dataset", perm_set)
 
         # make sure that user can create slices and dashboards
         self.assert_can_all("Dashboard", perm_set)
         self.assert_can_all("Chart", perm_set)
-
         self.assertIn(("can_add_slices", "Superset"), perm_set)
         self.assertIn(("can_copy_dash", "Superset"), perm_set)
         self.assertIn(("can_created_dashboards", "Superset"), perm_set)

From e40523643aea5b7ce625263f5864f4479286acbc Mon Sep 17 00:00:00 2001
From: Daniel Gaspar <danielvazgaspar@gmail.com>
Date: Wed, 15 Feb 2023 14:46:39 +0000
Subject: [PATCH 2/2] fix tests

---
 tests/integration_tests/security_tests.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/integration_tests/security_tests.py b/tests/integration_tests/security_tests.py
index a443012cca77..6ee6bc6524c5 100644
--- a/tests/integration_tests/security_tests.py
+++ b/tests/integration_tests/security_tests.py
@@ -1490,6 +1490,7 @@ def test_is_gamma_pvm(self):
     def test_gamma_permissions_basic(self):
         self.assert_can_gamma(get_perm_tuples("Gamma"))
         self.assert_cannot_alpha(get_perm_tuples("Gamma"))
+        self.assert_cannot_gamma(get_perm_tuples("Gamma"))
 
     @pytest.mark.usefixtures("public_role_like_gamma")
     def test_public_permissions_basic(self):