gamma: limit owners to dashboard to self
As we don't want to leak other users to unprivileged users

Refs #359
xrmx committed Aug 5, 2016
1 parent d94c961 commit 045233b
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions caravel/views.py
Expand Up @@ -178,6 +178,14 @@ def apply(self, query, value): # noqa
return qry


class FilterDashboardOwners(CaravelFilter):
def apply(self, query, value): # noqa
if any([r.name in ('Admin', 'Alpha') for r in get_user_roles()]):
return query
qry = query.filter_by(id=g.user.id)
return qry


def validate_json(form, field): # noqa
try:
json.loads(field.data)
Expand Down Expand Up @@ -674,8 +682,14 @@ class DashboardModelView(CaravelModelView, DeleteMixin): # noqa
'owners': _("Owners is a list of users who can alter the dashboard."),
}
base_filters = [['slice', FilterDashboard, lambda: []]]
add_form_query_rel_fields = {'slices': [['slices', FilterDashboardSlices, None]]}
edit_form_query_rel_fields = {'slices': [['slices', FilterDashboardSlices, None]]}
add_form_query_rel_fields = {
'slices': [['slices', FilterDashboardSlices, None]],
'owners': [['owners', FilterDashboardOwners, None]],
}
edit_form_query_rel_fields = {
'slices': [['slices', FilterDashboardSlices, None]],
'owners': [['owners', FilterDashboardOwners, None]],
}
label_columns = {
'dashboard_link': _("Dashboard"),
'dashboard_title': _("Title"),
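Review bot: With `'owners': [['owners', FilterDashboardOwners, None]]` on `edit_form_query_rel_fields`, a user without the Admin or Alpha role who edits a dashboard that has co-owners is offered only their own account as a choice, so the other owners may be dropped when the form is saved; this needs a test that saves a co-owned dashboard as such a user and checks the owner list is unchanged. Since the help text defines owners as the users who can alter the dashboard, losing entries there changes who has access, not just what is displayed. The filter only narrows this form's query, so whether other users stay visible through list or show columns cannot be judged from this section (DashboardModelView continues outside the hunk). In `FilterDashboardOwners.apply`, a docstring such as `"""Limit the owners choices to the current user unless they hold the Admin or Alpha role."""` would record the intent, and the role check reads more simply as `if any(r.name in ('Admin', 'Alpha') for r in get_user_roles()):`.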
