gkneighb commented on code in PR #41843: URL: https://github.com/apache/superset/pull/41843#discussion_r3541068520
########## tests/unit_tests/security/test_permission_instructions_link.py: ########## @@ -0,0 +1,133 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +"""Unit tests for templated PERMISSION_INSTRUCTIONS_LINK rendering.""" + +from unittest.mock import MagicMock, patch + +from superset.security.manager import ( + _render_permission_instructions_link, + SupersetSecurityManager, +) + +MANAGER = "superset.security.manager" + + +def _render(template, *, username="alice", anonymous=False, **kwargs): Review Comment: Annotations added in 33e2b572ee. ########## tests/unit_tests/security/test_permission_instructions_link.py: ########## @@ -0,0 +1,133 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +"""Unit tests for templated PERMISSION_INSTRUCTIONS_LINK rendering.""" + +from unittest.mock import MagicMock, patch + +from superset.security.manager import ( + _render_permission_instructions_link, + SupersetSecurityManager, +) + +MANAGER = "superset.security.manager" + + +def _render(template, *, username="alice", anonymous=False, **kwargs): + with ( + patch( + f"{MANAGER}.get_conf", + return_value={"PERMISSION_INSTRUCTIONS_LINK": template}, + ), + patch(f"{MANAGER}.g") as g_mock, + ): + g_mock.user.is_anonymous = anonymous + g_mock.user.username = username + return _render_permission_instructions_link(**kwargs) + + +def test_empty_or_unset_link_returns_none(): Review Comment: Annotations added in 33e2b572ee. ########## tests/unit_tests/security/test_permission_instructions_link.py: ########## @@ -0,0 +1,133 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +"""Unit tests for templated PERMISSION_INSTRUCTIONS_LINK rendering.""" + +from unittest.mock import MagicMock, patch + +from superset.security.manager import ( + _render_permission_instructions_link, + SupersetSecurityManager, +) + +MANAGER = "superset.security.manager" + + +def _render(template, *, username="alice", anonymous=False, **kwargs): + with ( + patch( + f"{MANAGER}.get_conf", + return_value={"PERMISSION_INSTRUCTIONS_LINK": template}, + ), + patch(f"{MANAGER}.g") as g_mock, + ): + g_mock.user.is_anonymous = anonymous + g_mock.user.username = username + return _render_permission_instructions_link(**kwargs) + + +def test_empty_or_unset_link_returns_none(): + assert _render("") is None + assert _render(None) is None + + +def test_plain_link_without_placeholders_is_unchanged(): Review Comment: Annotations added in 33e2b572ee. ########## tests/unit_tests/security/test_permission_instructions_link.py: ########## @@ -0,0 +1,133 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +"""Unit tests for templated PERMISSION_INSTRUCTIONS_LINK rendering.""" + +from unittest.mock import MagicMock, patch + +from superset.security.manager import ( + _render_permission_instructions_link, + SupersetSecurityManager, +) + +MANAGER = "superset.security.manager" + + +def _render(template, *, username="alice", anonymous=False, **kwargs): + with ( + patch( + f"{MANAGER}.get_conf", + return_value={"PERMISSION_INSTRUCTIONS_LINK": template}, + ), + patch(f"{MANAGER}.g") as g_mock, + ): + g_mock.user.is_anonymous = anonymous + g_mock.user.username = username + return _render_permission_instructions_link(**kwargs) + + +def test_empty_or_unset_link_returns_none(): + assert _render("") is None + assert _render(None) is None + + +def test_plain_link_without_placeholders_is_unchanged(): + assert _render("https://wiki.example.com/data-access") == ( + "https://wiki.example.com/data-access" + ) + + +def test_datasource_placeholders_are_filled_and_url_encoded(): + out = _render( + "https://acme.example.com/req?id={datasource_id}" + "&name={datasource_name}&u={username}", + datasource_id="12", + datasource_name="Quarterly Sales", + ) + # space in the dataset name is URL-encoded; username injected from g.user + assert out == ( + "https://acme.example.com/req?id=12&name=Quarterly%20Sales&u=alice" + ) + + +def test_table_names_filled_and_encoded(): + out = _render( + "https://acme.example.com/req?tables={table_names}", + table_names="public.sales,public.users", + ) + assert out == ( + "https://acme.example.com/req?tables=public.sales%2Cpublic.users" + ) + + +def test_anonymous_user_renders_empty_username(): + out = _render( + "https://acme.example.com/req?u={username}", + anonymous=True, + ) + assert out == "https://acme.example.com/req?u=" + + +def test_unreferenced_placeholders_left_untouched(): + # datasource link doesn't supply table_names; that token stays literal + out = _render( + "https://acme.example.com/req?id={datasource_id}&t={table_names}", + datasource_id="9", + ) + assert out == "https://acme.example.com/req?id=9&t=" + + +def test_get_datasource_access_link_pulls_from_datasource_data(): Review Comment: Annotations added in 33e2b572ee. ########## tests/unit_tests/security/test_permission_instructions_link.py: ########## @@ -0,0 +1,133 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +"""Unit tests for templated PERMISSION_INSTRUCTIONS_LINK rendering.""" + +from unittest.mock import MagicMock, patch + +from superset.security.manager import ( + _render_permission_instructions_link, + SupersetSecurityManager, +) + +MANAGER = "superset.security.manager" + + +def _render(template, *, username="alice", anonymous=False, **kwargs): + with ( + patch( + f"{MANAGER}.get_conf", + return_value={"PERMISSION_INSTRUCTIONS_LINK": template}, + ), + patch(f"{MANAGER}.g") as g_mock, + ): + g_mock.user.is_anonymous = anonymous + g_mock.user.username = username + return _render_permission_instructions_link(**kwargs) + + +def test_empty_or_unset_link_returns_none(): + assert _render("") is None + assert _render(None) is None + + +def test_plain_link_without_placeholders_is_unchanged(): + assert _render("https://wiki.example.com/data-access") == ( + "https://wiki.example.com/data-access" + ) + + +def test_datasource_placeholders_are_filled_and_url_encoded(): + out = _render( + "https://acme.example.com/req?id={datasource_id}" + "&name={datasource_name}&u={username}", + datasource_id="12", + datasource_name="Quarterly Sales", + ) + # space in the dataset name is URL-encoded; username injected from g.user + assert out == ( + "https://acme.example.com/req?id=12&name=Quarterly%20Sales&u=alice" + ) + + +def test_table_names_filled_and_encoded(): + out = _render( + "https://acme.example.com/req?tables={table_names}", + table_names="public.sales,public.users", + ) + assert out == ( + "https://acme.example.com/req?tables=public.sales%2Cpublic.users" + ) + + +def test_anonymous_user_renders_empty_username(): + out = _render( + "https://acme.example.com/req?u={username}", + anonymous=True, + ) + assert out == "https://acme.example.com/req?u=" + + +def test_unreferenced_placeholders_left_untouched(): + # datasource link doesn't supply table_names; that token stays literal + out = _render( + "https://acme.example.com/req?id={datasource_id}&t={table_names}", + datasource_id="9", + ) + assert out == "https://acme.example.com/req?id=9&t=" + + +def test_get_datasource_access_link_pulls_from_datasource_data(): + ds = MagicMock() + ds.data = {"id": 12, "name": "Quarterly Sales"} + with ( + patch( + f"{MANAGER}.get_conf", + return_value={ + "PERMISSION_INSTRUCTIONS_LINK": ( + "https://acme.example.com/req?id={datasource_id}" + "&name={datasource_name}" + ) + }, + ), + patch(f"{MANAGER}.g") as g_mock, + ): + g_mock.user.is_anonymous = False + g_mock.user.username = "alice" + out = SupersetSecurityManager.get_datasource_access_link(ds) + assert out == "https://acme.example.com/req?id=12&name=Quarterly%20Sales" + + +def test_get_table_access_link_joins_table_names(): Review Comment: Annotations added in 33e2b572ee. ########## superset-frontend/src/components/ErrorMessage/DatasourceSecurityAccessErrorMessage.tsx: ########## @@ -0,0 +1,128 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +import { ReactNode } from 'react'; +import { t, tn } from '@apache-superset/core/translation'; +import { Typography } from '@superset-ui/core/components'; + +import type { ErrorMessageComponentProps } from './types'; +import { IssueCode } from './IssueCode'; +import { ErrorAlert } from './ErrorAlert'; + +interface DatasourceSecurityAccessExtra { + owners?: string[]; + link?: string; + datasource?: number | string; + datasource_name?: string; + tables?: string[]; + issue_codes?: { + code: number; + message: string; + }[]; +} + +/** + * Shown when a viewer opens a chart but lacks permission to its underlying data + * (DATASOURCE_SECURITY_ACCESS_ERROR / TABLE_SECURITY_ACCESS_ERROR). Surfaces a + * plain-language explanation, who to contact, and a "Request access" link when + * the deployment configures PERMISSION_INSTRUCTIONS_LINK. + */ +export function DatasourceSecurityAccessErrorMessage({ + error, + source, + closable, +}: ErrorMessageComponentProps<DatasourceSecurityAccessExtra | null>) { + const { extra, level, message } = error; + const isVisualization = ['dashboard', 'explore'].includes(source || ''); + + let explanation: string; + if (extra?.datasource_name) { + explanation = t( + 'This chart uses the "%s" dataset, which you do not have permission ' + + 'to view.', + extra.datasource_name, + ); + } else if (extra?.tables?.length) { + explanation = t( + 'You do not have access to the data behind this chart ' + '(tables: %s).', + extra.tables.join(', '), + ); Review Comment: Fixed in 33e2b572ee — the copy now branches by source: SQL Lab gets query/table wording ('This query uses the ...' / 'You do not have access to the following tables') and a source-neutral title, with a test. ########## superset-frontend/src/setup/setupErrorMessages.ts: ########## @@ -94,6 +95,14 @@ export default function setupErrorMessages() { ErrorTypeEnum.QUERY_SECURITY_ACCESS_ERROR, DatabaseErrorMessage, ); + errorMessageComponentRegistry.registerValue( + ErrorTypeEnum.DATASOURCE_SECURITY_ACCESS_ERROR, + DatasourceSecurityAccessErrorMessage, + ); Review Comment: Confirmed and fixed in 33e2b572ee — superset/connectors/sqla/utils.py does reuse DATASOURCE_SECURITY_ACCESS_ERROR for SQL-validation failures ('Only SELECT statements are allowed'). Those carry no access payload, so the component now gates the request-access UI on extra.datasource_name/extra.tables and renders a plain error otherwise, with a test covering exactly that message. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
