betodealmeida commented on a change in pull request #5186: Implement a 
React-based table editor
URL: 
https://github.com/apache/incubator-superset/pull/5186#discussion_r206956565
 
 

 ##########
 File path: superset/views/base.py
 ##########
 @@ -266,3 +274,49 @@ class CsvResponse(Response):
     Override Response to take into account csv encoding from config.py
     """
     charset = conf.get('CSV_EXPORT').get('encoding', 'utf-8')
+
+
+def check_ownership(obj, raise_if_false=True):
+    """Meant to be used in `pre_update` hooks on models to enforce ownership
+
+    Admin have all access, and other users need to be referenced on either
+    the created_by field that comes with the ``AuditMixin``, or in a field
+    named ``owners`` which is expected to be a one-to-many with the User
+    model. It is meant to be used in the ModelView's pre_update hook in
+    which raising will abort the update.
+    """
+    if not obj:
+        return False
+
+    security_exception = SupersetSecurityException(
+        "You don't have the rights to alter [{}]".format(obj))
+
+    if g.user.is_anonymous():
+        if raise_if_false:
+            raise security_exception
+        return False
+    roles = (r.name for r in get_user_roles())
+    if 'Admin' in roles:
+        return True
+    session = db.create_scoped_session()
+    orig_obj = session.query(obj.__class__).filter_by(id=obj.id).first()
+
+    # Making a list of owners that works across ORM models
+    owners = []
+    if hasattr(orig_obj, 'owners'):
+        owners += orig_obj.owners
+    if hasattr(orig_obj, 'owner'):
+        owners += [orig_obj.owner]
+    if hasattr(orig_obj, 'created_by'):
+        owners += [orig_obj.created_by]
+
+    owner_names = (o.username for o in owners)
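Review bot: `owners += [orig_obj.owner]` and `owners += [orig_obj.created_by]` append the attribute even when it is None, so `(o.username for o in owners)` would raise AttributeError once it is consumed for an object that has no owner or recorded creator. For an authorisation helper, an unexpected exception is harder to reason about than a clean denial, so the None entries should be dropped first, for example `owner_names = (o.username for o in owners if o)`. Separately, the session from `db.create_scoped_session()` is not closed in the visible lines. check_ownership continues past the end of this hunk, so it is worth confirming the session is released on every return path, including the one that raises.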
 
 Review comment:
   Same here.
