apache · mistercrunch · May 17, 2016 · Apr 29, 2016 · May 17, 2016
diff --git a/caravel/config.py b/caravel/config.py
@@ -93,6 +93,15 @@
 #    { 'name': 'AOL', 'url': 'http://openid.aol.com/<username>' },
 #    { 'name': 'Flickr', 'url': 'http://www.flickr.com/<username>' },
 #    { 'name': 'MyOpenID', 'url': 'https://www.myopenid.com' }]
+
+# ---------------------------------------------------
+# Roles config
+# ---------------------------------------------------
+# Grant public role the same set of permissions as for the GAMMA role.
+# This is useful if one wants to enable anonymous users to view
+# dashboards. Explicit grant on specific datasets is still required.
+PUBLIC_ROLE_LIKE_GAMMA = False
+
 # ---------------------------------------------------
 # Babel config for translations
 # ---------------------------------------------------

diff --git a/caravel/utils.py b/caravel/utils.py
@@ -154,6 +154,7 @@ def init(caravel):
     sm = caravel.appbuilder.sm
     alpha = sm.add_role("Alpha")
     admin = sm.add_role("Admin")
+    config = caravel.app.config
 
     merge_perm(sm, 'all_datasource_access', 'all_datasource_access')
 
@@ -167,24 +168,28 @@ def init(caravel):
             sm.add_permission_role(alpha, perm)
         sm.add_permission_role(admin, perm)
     gamma = sm.add_role("Gamma")
+    public_role = sm.find_role("Public")
+    public_role_like_gamma = \
+        public_role and config.get('PUBLIC_ROLE_LIKE_GAMMA', False)
     for perm in perms:
-        if(
-                perm.view_menu and perm.view_menu.name not in (
-                    'ResetPasswordView',
-                    'RoleModelView',
-                    'UserDBModelView',
-                    'Security') and
-                perm.permission.name not in (
-                    'all_datasource_access',
-                    'can_add',
-                    'can_download',
-                    'can_delete',
-                    'can_edit',
-                    'can_save',
-                    'datasource_access',
-                    'muldelete',
-                )):
+        if (perm.view_menu and perm.view_menu.name not in (
+                'ResetPasswordView',
+                'RoleModelView',
+                'UserDBModelView',
+                'Security') and
+            perm.permission.name not in (
+                'all_datasource_access',
+                'can_add',
+                'can_download',
+                'can_delete',
+                'can_edit',
+                'can_save',
+                'datasource_access',
+                'muldelete',
+            )):
             sm.add_permission_role(gamma, perm)
+            if public_role_like_gamma:
+                sm.add_permission_role(public_role, perm)
     session = db.session()
     table_perms = [
         table.perm for table in session.query(models.SqlaTable).all()]

diff --git a/tests/core_tests.py b/tests/core_tests.py
@@ -24,6 +24,7 @@
 app.config['CSRF_ENABLED'] = False
 app.config['SECRET_KEY'] = 'thisismyscretkey'
 app.config['WTF_CSRF_ENABLED'] = False
+app.config['PUBLIC_ROLE_LIKE_GAMMA'] = True
 BASE_DIR = app.config.get("BASE_DIR")
 cli = imp.load_source('cli', BASE_DIR + "/bin/caravel")
 
@@ -68,20 +69,9 @@ def setup_public_access_for_dashboard(self, dashboard_name):
         public_role = appbuilder.sm.find_role('Public')
         perms = db.session.query(ab_models.PermissionView).all()
         for perm in perms:
-            if perm.permission.name not in (
-                'can_list',
-                'can_dashboard',
-                'can_explore',
-                'datasource_access'):
-                continue
-            if not perm.view_menu:
-                continue
-            if perm.view_menu.name not in (
-                'SliceModelView',
-                'DashboardModelView',
-                'Caravel') and dashboard_name not in perm.view_menu.name:
-                continue
-            appbuilder.sm.add_permission_role(public_role, perm)
+            if (perm.permission.name == 'datasource_access' and
+                perm.view_menu and dashboard_name in perm.view_menu.name):
+                appbuilder.sm.add_permission_role(public_role, perm)
 
 
 class CoreTests(CaravelTestCase):
@@ -195,9 +185,9 @@ def test_public_user_dashboard_access(self):
         data = resp.data.decode('utf-8')
         assert '<a href="/caravel/dashboard/births/">' not in data
 
-        resp = self.client.get('/caravel/dashboard/births/')
+        resp = self.client.get('/caravel/explore/table/3/', follow_redirects=True)
         data = resp.data.decode('utf-8')
-        assert '[dashboard] Births' not in data
+        assert "You don&#39;t seem to have access to this datasource" in data
 
         self.setup_public_access_for_dashboard('birth_names')