This is an automated email from the ASF dual-hosted git repository. amitmiran pushed a commit to branch feat/get_charts_check_access in repository https://gitbox.apache.org/repos/asf/superset.git
commit ee148a8ff786ec02322e57df61790e356d4b2e51
Author: amitmiran137 <[email protected]>
AuthorDate: Tue Mar 9 15:51:26 2021 +0200

chore: add test to cover security around chart of a dashboard
---
 tests/dashboards/base_case.py | 4 ++++
 tests/dashboards/security/security_rbac_tests.py | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/tests/dashboards/base_case.py b/tests/dashboards/base_case.py
index 42cd87b..f661c3b 100644
--- a/tests/dashboards/base_case.py
+++ b/tests/dashboards/base_case.py
@@ -50,6 +50,10 @@ class DashboardTestCase(SupersetTestCase):
 save_dash_url = SAVE_DASHBOARD_URL_FORMAT.format(dashboard_id)
 return self.get_resp(save_dash_url, data=dict(data=json.dumps(dashboard_data)))
 
+ def get_dashboard_charts_api_response(self, id_or_slug: str) -> Response:
+ uri = f"api/v1/dashboard/{id_or_slug}/charts"
+ return self.client.get(uri)
+
 def save_dashboard(
 self, dashboard_id: Union[str, int], dashboard_data: Dict[str, Any]
 ) -> Response:
diff --git a/tests/dashboards/security/security_rbac_tests.py b/tests/dashboards/security/security_rbac_tests.py
index 19885d9..a16f49d 100644
--- a/tests/dashboards/security/security_rbac_tests.py
+++ b/tests/dashboards/security/security_rbac_tests.py
@@ -359,6 +359,21 @@ class TestDashboardRoleBasedSecurity(BaseTestDashboardSecurity):
 # assert
 self.assert_dashboards_api_response(response, 0)
 
+ def test_get_charts_api__user_without_any_permissions_get_403(self):
+ username = random_str()
+ new_role = f"role_{random_str()}"
+ self.create_user_with_roles(username, [new_role], should_create_roles=True)
+ dashboard = create_dashboard_to_db(published=True)
+ self.login(username)
+
+ # act
+ uri = f"api/v1/dashboard/{dashboard.id}/charts"
+ response = self.get_dashboard_charts_api_response(uri)
+
+ # assert
+ self.assertEqual(response.status_code, 404)
+
+
 def test_get_dashboards_api__user_get_only_published_permitted_dashboards(self):
 (
 new_role,
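Review bot: `id_or_slug` is annotated `str` in `get_dashboard_charts_api_response`, while the neighbouring `save_dashboard` takes `dashboard_id: Union[str, int]` and callers will presumably have an integer `dashboard.id` at hand; `def get_dashboard_charts_api_response(self, id_or_slug: Union[str, int]) -> Response:` would match the sibling helper. The helper also has no docstring, and because it interpolates whatever it is given, a caller can pass a full URI by mistake without any error. A one-line docstring such as `"""GET api/v1/dashboard/<id_or_slug>/charts; pass the id or slug, not a URI."""` would make the contract explicit. The enclosing class starts and ends outside the hunk.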
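Review bot: The new test passes the already-built `uri` into `get_dashboard_charts_api_response`, which formats its argument into `api/v1/dashboard/{id_or_slug}/charts` a second time, so the request goes to a doubled path and the 404 asserted here most likely comes from routing rather than from the access check. As written the test would pass even if the charts endpoint performed no authorization at all, so it does not cover the security behaviour named in the commit title. Pass the id instead, `response = self.get_dashboard_charts_api_response(dashboard.id)`, and drop the local `uri`. The method name says `get_403` while the assertion expects 404; align the two on the status the endpoint is meant to return for a user without access, and consider a companion test where a permitted user gets 200 so a denied request can be told apart from a missing dashboard.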
