villebro opened a new pull request, #21765: URL: https://github.com/apache/superset/pull/21765
### SUMMARY

Currently Gamma users have read and write permissions for Alerts & Reports and access the "Alerts & Reports" menu. However, since they don't have access to the "Manage" menu, they can't see the menu. This means that they can actually access the list view if the URL is provided to them. In addition, the list view shows all entries in the report schedule, although users are only able to edit entries they own.

This PR does the following:

- Removes "can read on ReportSchedule", "can write on ReportSchedule" and "Alerts & Report" permissions from Gamma users
- Adds a new base filter to only show owned entries for non-admin users
- Updates existing tests where attempting to change non-owned entries resulted in a 403 (these are now 404)
- Adds tests to assert that admin and alpha users see the correct entries in the list view (admin sees all, alpha only owned entries)
- Adds test to assert that gamma user gets a 403 on the list view.
- Adds an entry to `UPDATING.md` with instructions on

### AFTER

Now an Alpha user can only see their own entries in the list view, despite there being four entries in the report schedule:

When a Gamma user tries to access the Alerts & Reports list view with the direct URL, they get an "Access denied" error:

### BEFORE

Previously the same user saw all users' entries, despite not being able to change them (here I'm trying to enable another user's alert as an Alpha user, which fails due to missing perms).

Previously Gamma users were able to access the list view if they knew the URL, despite not having menu access:

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

### TESTING INSTRUCTIONS

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
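
The access rules described in this PR, as an added illustration that is not code from the PR or from Superset: a role permission check that returns 403, and an owner-scoped base filter that makes non-owned entries return 404. The `User`, `Report`, `base_filter`, `list_view` and `update` names, the permission strings and the sample data are all constructed for this sketch.

```python
from dataclasses import dataclass

# Constructed permission table following the PR description (not Superset's own data).
ROLE_PERMS = {
    "Admin": {"can_read", "can_write"},
    "Alpha": {"can_read", "can_write"},
    "Gamma": set(),  # read/write on ReportSchedule removed
}

@dataclass
class User:
    name: str
    role: str

@dataclass
class Report:
    id: int
    owner: str
    active: bool = False

def sample_reports():
    """Four constructed entries: two owned by alpha1, one by alpha2, one by admin."""
    return [Report(1, "alpha1"), Report(2, "alpha1"), Report(3, "alpha2"), Report(4, "admin")]

def base_filter(user, reports):
    """Admins see every entry; all other users only the entries they own."""
    if user.role == "Admin":
        return list(reports)
    return [r for r in reports if r.owner == user.name]

def list_view(user, reports):
    if "can_read" not in ROLE_PERMS[user.role]:
        return 403, []  # role lacks the permission: access denied
    return 200, [r.id for r in base_filter(user, reports)]

def update(user, reports, report_id, active):
    if "can_write" not in ROLE_PERMS[user.role]:
        return 403
    # The lookup runs through the base filter, so a non-owned entry
    # looks exactly like a missing one: 404 rather than 403.
    target = next((r for r in base_filter(user, reports) if r.id == report_id), None)
    if target is None:
        return 404
    target.active = active
    return 200
```

Because the write path reuses the same filter as the list view, the response for another user's entry is identical to the response for an id that does not exist.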
