Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: customize recent activity access #17589

Merged
merged 8 commits into from
Dec 8, 2021

Conversation

villebro
Copy link
Member

@villebro villebro commented Nov 30, 2021

SUMMARY

Adds a config flag ENABLE_BROAD_ACTIVITY_ACCESS that makes it possible to disable access to other users' recent activity data, both via the API and the profile page. In addition, a security manager method raise_for_user_activity_access is introduced to make it possible to fine tune who can and can't access recent activity data.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

When the flag is set to false, trying to access other users' activity data returns a 403 which is displayed on the profile page tables with the message "Access to user activity data is restricted" (in the screenshot the user is viewing another user's profile page):
image

With the default settings, accessing other users' activity data is allowed (current behavior unchanged):
image

TESTING INSTRUCTIONS

  1. set ENABLE_BROAD_ACTIVITY_ACCESS = False in superset_config.py
  2. login as admin
  3. create a user test
  4. go to /superset/profile/test
  5. notice the message "Access to user activity data is restricted" in all activity tables
  6. comment out ENABLE_BROAD_ACTIVITY_ACCESS flag in superset_config.py
  7. go to /superset/profile/test
  8. notice that access is unrestricted

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

superset/views/core.py Outdated Show resolved Hide resolved
superset/security/manager.py Outdated Show resolved Hide resolved
superset/views/core.py Outdated Show resolved Hide resolved
@codecov
Copy link

codecov bot commented Nov 30, 2021

Codecov Report

Merging #17589 (8a5ebce) into master (2ae83fa) will increase coverage by 0.01%.
The diff coverage is 91.83%.

❗ Current head 8a5ebce differs from pull request most recent head fda6f0a. Consider uploading reports for the commit fda6f0a to get more accurate results
Impacted file tree graph

@@            Coverage Diff             @@
##           master   #17589      +/-   ##
==========================================
+ Coverage   68.85%   68.86%   +0.01%     
==========================================
  Files        1597     1597              
  Lines       65251    65283      +32     
  Branches     6950     6950              
==========================================
+ Hits        44927    44959      +32     
  Misses      18439    18439              
  Partials     1885     1885              
Flag Coverage Δ
hive 81.71% <93.02%> (+0.01%) ⬆️
mysql 82.12% <93.02%> (+0.01%) ⬆️
postgres 82.13% <93.02%> (+0.01%) ⬆️
python 82.48% <93.02%> (+0.01%) ⬆️
sqlite 81.82% <93.02%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...ugins/legacy-plugin-chart-calendar/src/Calendar.js 0.00% <ø> (ø)
...legacy-plugin-chart-calendar/src/transformProps.js 0.00% <0.00%> (ø)
superset/views/core.py 77.80% <91.66%> (+0.42%) ⬆️
...rset-frontend/src/components/TableLoader/index.tsx 96.77% <100.00%> (ø)
superset/config.py 91.58% <100.00%> (+0.02%) ⬆️
superset/errors.py 94.28% <100.00%> (+0.08%) ⬆️
superset/security/manager.py 91.96% <100.00%> (+0.10%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2ae83fa...fda6f0a. Read the comment docs.

@villebro villebro force-pushed the villebro/activity_access branch from 8745955 to 055a20f Compare November 30, 2021 10:03
@villebro villebro force-pushed the villebro/activity_access branch from 055a20f to aae37fa Compare November 30, 2021 20:22
Copy link
Member

@kgabryje kgabryje left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 minor nits, otherwise looks and works great!

UPDATING.md Outdated Show resolved Hide resolved
Copy link
Member

@geido geido left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@villebro villebro merged commit c4b0495 into apache:master Dec 8, 2021
@villebro villebro deleted the villebro/activity_access branch January 5, 2022 07:37
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 1.5.0 labels Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels preset-io size/L 🚢 1.5.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants