Skip to content
Snippets Groups Projects
Unverified Commit 39627a3a authored by Noah Moss's avatar Noah Moss Committed by GitHub
Browse files

New default permissions for groups (#41323)

parent 97861b15
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 295 additions and 157 deletions
e2e/test/scenarios/permissions/download-permissions.cy.spec.js
+ 16
3
View file @ 39627a3a
......@@ -19,7 +19,7 @@ import {
setTokenFeatures,
} from "e2e/support/helpers";
const { ALL_USERS_GROUP } = USER_GROUPS;
const { ALL_USERS_GROUP, COLLECTION_GROUP, DATA_GROUP } = USER_GROUPS;
const {
PRODUCTS_ID,
......@@ -40,6 +40,19 @@ describeEE("scenarios > admin > permissions > data > downloads", () => {
restore();
cy.signInAsAdmin();
setTokenFeatures("all");
// Restrict downloads for Collection and Data groups before each test so that they don't override All Users
cy.updatePermissionsGraph({
[COLLECTION_GROUP]: {
[SAMPLE_DB_ID]: {
download: { schemas: "none" },
},
},
[DATA_GROUP]: {
[SAMPLE_DB_ID]: {
download: { schemas: "none" },
},
},
});
});
it("setting downloads permission UI flow should work", () => {
......@@ -96,9 +109,9 @@ describeEE("scenarios > admin > permissions > data > downloads", () => {
// When data permissions are set to `Blocked`, download permissions are automatically revoked
assertPermissionForItem("All Users", DOWNLOAD_PERMISSION_INDEX, "No");
// Normal user belongs to both "data" and "collections" groups.
// Normal user belongs to both "data" and "collection" groups.
// They both have restricted downloads so this user shouldn't have the right to download anything.
cy.signIn("normal");
cy.signInAsNormalUser();
visitQuestion(ORDERS_QUESTION_ID);
......
e2e/test/scenarios/permissions/view-data/blocked.cy.spec.js
+ 11
4
View file @ 39627a3a
......@@ -60,10 +60,17 @@ describeEE("scenarios > admin > permissions > view data > blocked", () => {
],
// expect that the view data permissions has been automatically droped to query builder only
["All Users", "Blocked", "No", "No", "No", "No"],
["collection", "Can view", "No", "No", "No", "No"],
["data", "Can view", "Query builder and native", "No", "No", "No"],
["nosql", "Can view", "Query builder only", "No", "No", "No"],
["readonly", "Can view", "No", "No", "No", "No"],
["collection", "Can view", "No", "1 million rows", "No", "No"],
[
"data",
"Can view",
"Query builder and native",
"1 million rows",
"No",
"No",
],
["nosql", "Can view", "Query builder only", "1 million rows", "No", "No"],
["readonly", "Can view", "No", "1 million rows", "No", "No"],
]);
});
});
e2e/test/scenarios/permissions/view-data/sandboxed.cy.spec.ts
+ 4
4
View file @ 39627a3a
......@@ -74,10 +74,10 @@ describeEE("scenarios > admin > permissions > view data > sandboxed", () => {
],
// expect that the view data permissions has been automatically droped to query builder only
["All Users", "Sandboxed", "Query builder only", "1 million rows", "No"],
["collection", "Can view", "No", "No", "No"],
["data", "Can view", "Query builder and native", "No", "No"],
["nosql", "Can view", "Query builder only", "No", "No"],
["readonly", "Can view", "No", "No", "No"],
["collection", "Can view", "No", "1 million rows", "No"],
["data", "Can view", "Query builder and native", "1 million rows", "No"],
["nosql", "Can view", "Query builder only", "1 million rows", "No"],
["readonly", "Can view", "No", "1 million rows", "No"],
];
assertPermissionTable(expectedFinalPermissions);
......
enterprise/backend/src/metabase_enterprise/advanced_permissions/common.clj
+ 31
0
View file @ 39627a3a
......@@ -5,6 +5,7 @@
[metabase.models.data-permissions :as data-perms]
[metabase.models.database :as database]
[metabase.models.permissions :as perms]
[metabase.models.permissions-group :as perms-group]
[metabase.public-settings.premium-features
:as premium-features
:refer [defenterprise]]
......@@ -175,3 +176,33 @@
:group_id group-id)))
:blocked
:unrestricted))
(defenterprise new-group-view-data-permission-level
"Returns the default view-data permission level for a new group for a given database. This is `blocked` if All Users
has block permissions for the database, or if any connection impersonation policies or sandboxes exist. Otherwise, it
is `unrestricted`."
:feature :none
[db-id]
(let [all-users-group-id (u/the-id (perms-group/all-users))]
(if (or
(and
(premium-features/enable-advanced-permissions?)
(t2/exists? :model/DataPermissions
:perm_type :perms/view-data
:perm_value :blocked
:db_id db-id
:group_id all-users-group-id))
(and
(premium-features/enable-advanced-permissions?)
(t2/exists? :model/ConnectionImpersonation
:group_id all-users-group-id
:db_id db-id))
(and
(premium-features/enable-sandboxes?)
(t2/exists? :model/GroupTableAccessPolicy
:group_id all-users-group-id
{:from [[:sandboxes :s]]
:join [[:metabase_table :t] [:= :s.table_id :t.id]]
:where [:= :t.db_id db-id]})))
:blocked
:unrestricted)))
enterprise/backend/test/metabase_enterprise/advanced_permissions/common_test.clj
+ 33
3
View file @ 39627a3a
......@@ -69,8 +69,8 @@
(mt/with-additional-premium-features #{:sandboxes :advanced-permissions}
(mt/with-temp [:model/PermissionsGroup {group-id :id} {}
:model/Database {db-id :id} {}]
;; First delete the default permissions for the group so we start with a clean slate
(testing "A new database defaults to `:unrestricted` if no other perms are set"
;; First delete the default permissions for the group so we start with a clean slate
(t2/delete! :model/DataPermissions :group_id group-id)
(is (= :unrestricted (advanced-permissions.common/new-database-view-data-permission-level group-id))))
......@@ -80,8 +80,9 @@
(testing "A new database defaults to `:blocked` if the group has any connection impersonation"
(data-perms/set-database-permission! group-id db-id :perms/view-data :unrestricted)
(advanced-perms.api.tu/with-impersonations! {:impersonations [{:db-id db-id :attribute "impersonation_attr"
:attributes {"impersonation_attr" "impersonation_role"}}]}
(advanced-perms.api.tu/with-impersonations! {:impersonations [{:db-id db-id
:attribute "impersonation_attr"
:attributes {"impersonation_attr" "impersonation_role"}}]}
(is (= :blocked (advanced-permissions.common/new-database-view-data-permission-level (u/the-id &group))))))
(testing "A new database defaults to `:blocked` if the group has any sandbox"
......@@ -89,6 +90,35 @@
(met/with-gtaps! {:gtaps {:venues {}}, :attributes {"a" 50}}
(is (= :blocked (advanced-permissions.common/new-database-view-data-permission-level (u/the-id &group)))))))))
(deftest new-group-view-data-permission-level
(mt/with-additional-premium-features #{:sandboxes :advanced-permissions}
(mt/with-temp [:model/Database {db-id :id} {}]
(let [all-users-group-id (u/the-id (perms-group/all-users))]
(testing "A new group defaults to `:unrestricted` for a DB if All Users has `:unrestricted`"
(data-perms/set-database-permission! all-users-group-id db-id :perms/view-data :unrestricted)
(is (= :unrestricted (advanced-permissions.common/new-group-view-data-permission-level db-id))))
(testing "A new group defaults to `:blocked` for a DB if All Users has `:blocked`"
(data-perms/set-database-permission! all-users-group-id db-id :perms/view-data :blocked)
(is (= :blocked (advanced-permissions.common/new-group-view-data-permission-level db-id))))
(testing "A new group defaults to `:blocked` if All Users has any connection impersonation"
(data-perms/set-database-permission! all-users-group-id db-id :perms/view-data :unrestricted)
(advanced-perms.api.tu/with-impersonations! {:impersonations [{:db-id db-id
:attribute "impersonation_attr"
:attributes {"impersonation_attr" "impersonation_role"}}]}
(is (= :blocked (advanced-permissions.common/new-group-view-data-permission-level db-id)))))
(testing "A new database defaults to `:blocked` if All Users group has any sandbox"
(data-perms/set-database-permission! all-users-group-id db-id :perms/view-data :unrestricted)
(mt/with-temp [:model/Card {card-id :id} {}
:model/Table {table-id :id} {:db_id db-id}
:model/GroupTableAccessPolicy _ {:table_id table-id
:group_id all-users-group-id
:card_id card-id
:attribute_remappings {"foo" 1}}]
(is (= :blocked (advanced-permissions.common/new-group-view-data-permission-level db-id)))))))))
;;; +----------------------------------------------------------------------------------------------------------------+
;;; | Data model permission enforcement |
......
enterprise/backend/test/metabase_enterprise/advanced_permissions/models/permissions/block_permissions_test.clj
+ 18
17
View file @ 39627a3a
......@@ -62,11 +62,12 @@
(testing (str "fails when a group has a block permission set, and the instance doesn't have the "
":advanced-permissions premium feature enabled")
(t2.with-temp/with-temp [PermissionsGroup {group-id :id}]
;; Revoke native perms so that we can set block perms
(data-perms/set-database-permission! group-id (mt/id) :perms/create-queries :query-builder)
(let [current-graph (data-perms.graph/api-graph)
new-graph (assoc-in current-graph [:groups group-id (mt/id) :view-data] :blocked)
result (mt/with-premium-features #{} ; disable premium features
(mt/user-http-request :crowberto :put 402 "permissions/graph" new-graph))]
(def result result)
(is (= "The blocked permissions functionality is only enabled if you have a premium token with the advanced-permissions feature."
result)))))))
......@@ -84,24 +85,24 @@
(testing "Group should have unrestricted view-data perms upon creation"
(is (= :unrestricted
(test-db-perms group-id))))
;; Revoke native perms so that we can set block perms
(data-perms/set-database-permission! group-id (mt/id) :perms/create-queries :query-builder)
(testing "group has no existing permissions"
(mt/with-model-cleanup [Permissions]
(mt/with-restored-data-perms-for-group! group-id
(grant! group-id)
(is (nil? (test-db-perms group-id))))))
(mt/with-restored-data-perms-for-group! group-id
(grant! group-id)
(is (nil? (test-db-perms group-id)))))
(testing "group has existing data permissions... :block should remove them"
(mt/with-model-cleanup [Permissions]
(mt/with-restored-data-perms-for-group! group-id
(data-perms/set-database-permission! group-id (mt/id) :perms/view-data :unrestricted)
(grant! group-id)
(is (nil? (test-db-perms group-id)))
(is (= #{:blocked}
(t2/select-fn-set :perm_value
:model/DataPermissions
{:where [:and
[:= :db_id (mt/id)]
[:= :group_id group-id]
[:= :perm_type (u/qualified-name :perms/view-data)]]})))))))))))
(mt/with-restored-data-perms-for-group! group-id
(data-perms/set-database-permission! group-id (mt/id) :perms/view-data :unrestricted)
(grant! group-id)
(is (nil? (test-db-perms group-id)))
(is (= #{:blocked}
(t2/select-fn-set :perm_value
:model/DataPermissions
{:where [:and
[:= :db_id (mt/id)]
[:= :group_id group-id]
[:= :perm_type (u/qualified-name :perms/view-data)]]}))))))))))
(deftest update-graph-delete-sandboxes-test
(testing "When setting `:blocked` permissions any GTAP rows for that Group/Database should get deleted."
......
src/metabase/models/data_permissions.clj
+ 53
9
View file @ 39627a3a
......@@ -631,16 +631,53 @@
:group_id group-id))
lowest-to-highest-values))))
(defenterprise new-group-view-data-permission-level
"Returns the default view-data permission level for a new group for a given database. On OSS, this is always `unrestricted`."
metabase-enterprise.advanced-permissions.common
[_group-id]
:unrestricted)
(defn- new-group-permissions
"Returns a map of {perm-type value} to be set for a new group, for the provided database."
[db-or-id all-users-group-id]
(let [db-id (u/the-id db-or-id)
view-data-level (new-group-view-data-permission-level db-id)
create-queries-level (or (->> (t2/select-fn-set :value
[:model/DataPermissions [:perm_value :value]]
:perm_type :perms/create-queries
:db_id db-id
:group_id all-users-group-id)
(coalesce-most-restrictive :perms/create-queries))
:query-builder-and-native)
download-level (or (->> (t2/select-fn-set :value
[:model/DataPermissions [:perm_value :value]]
:perm_type :perms/download-results
:db_id db-id
:group_id all-users-group-id)
(coalesce-most-restrictive :perms/download-results))
:one-million-rows)]
{:perms/view-data view-data-level
:perms/create-queries create-queries-level
:perms/download-results download-level
:perms/manage-table-metadata :no
:perms/manage-database :no}))
(defn set-new-group-permissions!
"Sets permissions for a newly-added group to their appropriate values for a single database. This is generally based
on the permissions of the All Users group."
[group-or-id db-or-id all-users-group-id]
(doseq [[perm-type perm-value] (new-group-permissions db-or-id all-users-group-id)]
(set-database-permission! group-or-id db-or-id perm-type perm-value)))
(defenterprise new-database-view-data-permission-level
"Returns the default view-data permission level for a new database for a given group. On OSS, this is always `unrestricted`."
metabase-enterprise.advanced-permissions.common
[_group-id]
:unrestricted)
(defn set-new-database-permissions!
"Sets permissions for a newly-added database to their appropriate values for a single group. For certain permission
types, the value computed based on the existing permissions the group has for other databases."
[group-or-id db-or-id]
(defn- new-database-permissions
"Returns a map of {perm-type value} to be set for a new database, for the provided group."
[group-or-id]
(let [group-id (u/the-id group-or-id)
view-data-level (new-database-view-data-permission-level group-id)
create-queries-level (or (lowest-permission-level-in-any-database group-id :perms/create-queries)
......@@ -649,11 +686,18 @@
:no
(or (lowest-permission-level-in-any-database group-id :perms/download-results)
:one-million-rows))]
(set-database-permission! group-or-id db-or-id :perms/view-data view-data-level)
(set-database-permission! group-or-id db-or-id :perms/create-queries create-queries-level)
(set-database-permission! group-or-id db-or-id :perms/download-results download-level)
(set-database-permission! group-or-id db-or-id :perms/manage-table-metadata :no)
(set-database-permission! group-or-id db-or-id :perms/manage-database :no)))
{:perms/view-data view-data-level
:perms/create-queries create-queries-level
:perms/download-results download-level
:perms/manage-table-metadata :no
:perms/manage-database :no}))
(defn set-new-database-permissions!
"Sets permissions for a newly-added database to their appropriate values for a single group. For certain permission
types, the value computed based on the existing permissions the group has for other databases."
[group-or-id db-or-id]
(doseq [[perm-type perm-value] (new-database-permissions group-or-id)]
(set-database-permission! group-or-id db-or-id perm-type perm-value)))
(mu/defn set-table-permissions!
"Sets table permissions to specified values for a given group. If a permission value already exists for a specified
......
src/metabase/models/permissions_group.clj
+ 1
6
View file @ 39627a3a
......@@ -94,14 +94,9 @@
(defn- set-default-permission-values!
[group]
;; New groups get data access but no query permissions by default, and no other perms
(t2/with-transaction [_conn]
(doseq [db-id (t2/select-pks-vec :model/Database)]
(data-perms/set-database-permission! group db-id :perms/view-data :unrestricted)
(data-perms/set-database-permission! group db-id :perms/create-queries :no)
(data-perms/set-database-permission! group db-id :perms/download-results :no)
(data-perms/set-database-permission! group db-id :perms/manage-table-metadata :no)
(data-perms/set-database-permission! group db-id :perms/manage-database :no))))
(data-perms/set-new-group-permissions! group db-id (u/the-id (all-users))))))
(t2/define-after-insert :model/PermissionsGroup
[group]
......
test/metabase/api/permissions_test.clj
+ 12
8
View file @ 39627a3a
......@@ -192,13 +192,15 @@
(testing "make sure we can update the perms graph from the API"
(testing "Table-specific perms"
(t2.with-temp/with-temp [PermissionsGroup group]
(data-perms/set-database-permission! group (mt/id) :perms/create-queries :no)
(mt/user-http-request
:crowberto :put 200 "permissions/graph"
(assoc-in (data-perms.graph/api-graph)
[:groups (u/the-id group) (mt/id) :create-queries]
{"PUBLIC" {(mt/id :venues) :query-builder
(mt/id :orders) :no}}))
(is (= {(mt/id :venues) :query-builder}
(mt/id :orders) :query-builder}}))
(is (= {(mt/id :venues) :query-builder
(mt/id :orders) :query-builder}
(get-in (data-perms.graph/api-graph) [:groups (u/the-id group) (mt/id) :create-queries "PUBLIC"]))))))))
(deftest update-perms-graph-perms-for-new-db-test
......@@ -213,9 +215,10 @@
[:groups (u/the-id group) db-id]
{:view-data :unrestricted
:create-queries :query-builder}))
(is (= {:view-data :unrestricted
:create-queries :query-builder}
(get-in (data-perms.graph/api-graph) [:groups (u/the-id group) db-id])))))))
(is (partial=
{:view-data :unrestricted
:create-queries :query-builder}
(get-in (data-perms.graph/api-graph) [:groups (u/the-id group) db-id])))))))
(deftest update-perms-graph-perms-for-new-db-with-no-tables-test
(testing "PUT /api/permissions/graph"
......@@ -228,9 +231,10 @@
[:groups (u/the-id group) db-id]
{:view-data :unrestricted
:create-queries :query-builder}))
(is (= {:view-data :unrestricted
:create-queries :query-builder}
(get-in (data-perms.graph/api-graph) [:groups (u/the-id group) db-id])))))))
(is (partial=
{:view-data :unrestricted
:create-queries :query-builder}
(get-in (data-perms.graph/api-graph) [:groups (u/the-id group) db-id])))))))
(deftest update-perms-graph-with-skip-graph-skips-graph-test
(testing "PUT /api/permissions/graph"
......
test/metabase/models/data_permissions/graph_test.clj
+ 1
0
View file @ 39627a3a
......@@ -427,6 +427,7 @@
(deftest graph-set-partial-permissions-for-table-test
(testing "Test that setting partial permissions for a table retains permissions for other tables -- #3888"
(mt/with-temp [:model/PermissionsGroup group]
(data-perms/set-database-permission! group (mt/id) :perms/create-queries :no)
(testing "before"
;; first, graph permissions only for VENUES
(data-perms/set-table-permission! group (mt/id :venues) :perms/create-queries :query-builder)
......
test/metabase/models/data_permissions_test.clj
+ 35
41
View file @ 39627a3a
......@@ -177,33 +177,37 @@
:model/Database {database-id :id} {}
:model/Table {table-id-1 :id} {:db_id database-id}
:model/Table {table-id-2 :id} {:db_id database-id}]
(mt/with-restored-data-perms-for-groups! [group-id-1 group-id-2]
(testing "`table-permission-for-user` coalesces permissions from all groups a user is in"
(data-perms/set-table-permission! group-id-1 table-id-1 :perms/create-queries :query-builder)
(data-perms/set-table-permission! group-id-2 table-id-1 :perms/create-queries :no)
(data-perms/set-table-permission! (perms-group/all-users) table-id-1 :perms/create-queries :no)
(is (= :query-builder (data-perms/table-permission-for-user user-id :perms/create-queries database-id table-id-1))))
;; Revoke All Users perms so that it doesn't override perms in the new groups
(mt/with-no-data-perms-for-all-users!
(mt/with-restored-data-perms-for-groups! [group-id-1 group-id-2]
(testing "`table-permission-for-user` coalesces permissions from all groups a user is in"
(data-perms/set-table-permission! group-id-1 table-id-1 :perms/create-queries :query-builder)
(data-perms/set-table-permission! group-id-2 table-id-1 :perms/create-queries :no)
(data-perms/set-table-permission! (perms-group/all-users) table-id-1 :perms/create-queries :no)
(is (= :query-builder (data-perms/table-permission-for-user user-id :perms/create-queries database-id table-id-1))))
(testing "`table-permission-for-user` falls back to the least permissive value if no value exists for the user"
(t2/delete! :model/DataPermissions :db_id database-id)
(is (= :no (data-perms/table-permission-for-user user-id :perms/create-queries database-id table-id-2))))
(testing "`table-permission-for-user` falls back to the least permissive value if no value exists for the user"
(t2/delete! :model/DataPermissions :db_id database-id)
(is (= :no (data-perms/table-permission-for-user user-id :perms/create-queries database-id table-id-2))))
(testing "Admins always have the most permissive value, regardless of group membership"
(is (= :query-builder-and-native (data-perms/table-permission-for-user (mt/user->id :crowberto) :perms/create-queries database-id table-id-2)))))
(testing "Admins always have the most permissive value, regardless of group membership"
(is (= :query-builder-and-native (data-perms/table-permission-for-user (mt/user->id :crowberto) :perms/create-queries database-id table-id-2))))
(mt/with-restored-data-perms-for-groups! [group-id-1 group-id-2]
(testing "caching works as expected"
(binding [api/*current-user-id* user-id]
(data-perms/set-table-permission! group-id-1 table-id-1 :perms/create-queries :query-builder)
(data-perms/with-relevant-permissions-for-user user-id
;; retrieve the cache now so it doesn't get counted in the call count
@data-perms/*permissions-for-user*
;; make the cache wrong
(data-perms/set-table-permission! group-id-1 table-id-1 :perms/create-queries :no)
;; the cached value is used
(t2/with-call-count [call-count]
(mt/with-restored-data-perms-for-groups! [group-id-1 group-id-2]
(testing "caching works as expected"
(binding [api/*current-user-id* user-id]
(data-perms/set-table-permission! group-id-1 table-id-1 :perms/create-queries :query-builder)
(data-perms/set-table-permission! group-id-2 table-id-1 :perms/create-queries :query-builder)
(is (= :query-builder (data-perms/table-permission-for-user user-id :perms/create-queries database-id table-id-1)))
(is (zero? (call-count))))))))))
(data-perms/with-relevant-permissions-for-user user-id
;; retrieve the cache now so it doesn't get counted in the call count
@data-perms/*permissions-for-user*
;; make the cache wrong
(data-perms/set-table-permission! group-id-1 table-id-1 :perms/create-queries :no)
;; the cached value is used
(t2/with-call-count [call-count]
(is (= :query-builder (data-perms/table-permission-for-user user-id :perms/create-queries database-id table-id-1)))
(is (zero? (call-count))))))))))))
(deftest permissions-for-user-test
(mt/with-temp [:model/PermissionsGroup {group-id-1 :id} {}
......@@ -540,25 +544,15 @@
:perm_type :perms/download-results)))
(t2/delete! :model/Database :id new-db-id)))
(testing "A new database gets `ten-thousnad-rows` download permissions if a group has `ten-thousand-rows` for any database"
(data-perms/set-database-permission! group-id db-id-2 :perms/download-results :ten-thousand-rows)
(testing "A new database gets `no` download permissions if a group has `no` for any database"
(data-perms/set-database-permission! group-id db-id-2 :perms/download-results :no)
(let [new-db-id (t2/insert-returning-pk! :model/Database {:name "Test" :engine "h2" :details "{}"})]
(is (= :ten-thousand-rows (t2/select-one-fn :perm_value
:model/DataPermissions
:db_id new-db-id
:group_id group-id
:perm_type :perms/download-results)))
(t2/delete! :model/Database :id new-db-id)))
(testing "A new database gets `no` download permissions if a group has `no` for any database"
(data-perms/set-database-permission! group-id db-id-2 :perms/download-results :no)
(let [new-db-id (t2/insert-returning-pk! :model/Database {:name "Test" :engine "h2" :details "{}"})]
(is (= :no (t2/select-one-fn :perm_value
:model/DataPermissions
:db_id new-db-id
:group_id group-id
:perm_type :perms/download-results)))
(t2/delete! :model/Database :id new-db-id)))))))
(is (= :no (t2/select-one-fn :perm_value
:model/DataPermissions
:db_id new-db-id
:group_id group-id
:perm_type :perms/download-results)))
(t2/delete! :model/Database :id new-db-id)))))))
(deftest set-new-table-permissions!-test
(mt/with-temp [:model/PermissionsGroup {group-id :id} {}
......
test/metabase/models/permissions_group_test.clj
+ 27
12
View file @ 39627a3a
......@@ -147,15 +147,30 @@
(is (= #{db-id} (->> graph :groups vals (mapcat keys) set)))))))))
(deftest set-default-permission-values!-test
(testing "A new group has no permissions for any DBs by default"
(mt/with-temp [:model/Database {db-id :id} {}
:model/PermissionsGroup {group-id :id} {}]
(is
(= {group-id
{db-id
{:perms/view-data :unrestricted,
:perms/create-queries :no,
:perms/download-results :no,
:perms/manage-table-metadata :no,
:perms/manage-database :no}}}
(data-perms/data-permissions-graph :group-id group-id :db-id db-id))))))
(testing "A new group has permissions dynamically set for each DB based on the All Users group"
(mt/with-premium-features #{}
(mt/with-temp [:model/Database {db-id :id} {}]
(mt/with-full-data-perms-for-all-users!
(mt/with-temp [:model/PermissionsGroup {group-id :id} {}]
(is
(= {group-id
{db-id
{:perms/view-data :unrestricted
:perms/create-queries :query-builder-and-native
:perms/download-results :one-million-rows
:perms/manage-table-metadata :no
:perms/manage-database :no}}}
(data-perms/data-permissions-graph :group-id group-id :db-id db-id))))))
(mt/with-temp [:model/Database {db-id :id} {}]
(mt/with-no-data-perms-for-all-users!
(mt/with-temp [:model/PermissionsGroup {group-id :id} {}]
(is
(= {group-id
{db-id
{:perms/view-data :unrestricted
:perms/create-queries :no
:perms/download-results :no
:perms/manage-table-metadata :no
:perms/manage-database :no}}}
(data-perms/data-permissions-graph :group-id group-id :db-id db-id)))))))))
test/metabase/models/table_test.clj
+ 53
50
View file @ 39627a3a
......@@ -85,60 +85,63 @@
(deftest set-new-table-permissions!-test
(testing "New permissions are set appropriately for a new table, for all groups"
(mt/with-temp [:model/PermissionsGroup {group-id :id} {}
:model/Database {db-id :id} {}
:model/Table {table-id-1 :id} {:db_id db-id
:schema "PUBLIC"}
:model/Table {table-id-2 :id} {:db_id db-id
:schema "PUBLIC"}]
;; All Users group should have full data access, full download abilities, and full metadata management
(let [all-users-group-id (u/the-id (perms-group/all-users))]
(is (partial=
{all-users-group-id
{db-id
{:perms/view-data :unrestricted
:perms/create-queries :query-builder-and-native
:perms/download-results :one-million-rows
:perms/manage-table-metadata :no
:perms/manage-database :no}}}
(data-perms/data-permissions-graph :group-id all-users-group-id :db-id db-id))))
;; Other groups should have no-self-service data access and no download abilities or metadata management
(is (partial=
{group-id
{db-id
{:perms/view-data :unrestricted
:perms/create-queries :no
:perms/download-results :no
:perms/manage-table-metadata :no
:perms/manage-database :no}}}
(data-perms/data-permissions-graph :group-id group-id :db-id db-id)))
(testing "A new table has appropriate defaults, when perms are already set granularly for the DB"
(data-perms/set-table-permission! group-id table-id-1 :perms/create-queries :query-builder)
(data-perms/set-table-permission! group-id table-id-1 :perms/view-data :unrestricted)
(data-perms/set-table-permission! group-id table-id-1 :perms/download-results :one-million-rows)
(data-perms/set-table-permission! group-id table-id-1 :perms/manage-table-metadata :yes)
(mt/with-temp [:model/Table {table-id-3 :id} {:db_id db-id
:schema "PUBLIC"}]
(mt/with-full-data-perms-for-all-users!
(mt/with-temp [:model/PermissionsGroup {group-id :id} {}
:model/Database {db-id :id} {}
:model/Table {table-id-1 :id} {:db_id db-id
:schema "PUBLIC"}
:model/Table {table-id-2 :id} {:db_id db-id
:schema "PUBLIC"}]
;; Perms for new tables are the same as the DB-level perms, if they exist
(let [all-users-group-id (u/the-id (perms-group/all-users))]
(is (partial=
{group-id
{all-users-group-id
{db-id
{:perms/view-data :unrestricted
:perms/create-queries {"PUBLIC"
{table-id-1 :query-builder
table-id-2 :no
table-id-3 :no}}
:perms/download-results {"PUBLIC"
{table-id-1 :one-million-rows
table-id-2 :no
table-id-3 :no}}
:perms/manage-table-metadata {"PUBLIC"
{table-id-1 :yes
table-id-2 :no
table-id-3 :no}}
:perms/create-queries :query-builder-and-native
:perms/download-results :one-million-rows
:perms/manage-table-metadata :no
:perms/manage-database :no}}}
(data-perms/data-permissions-graph :group-id all-users-group-id :db-id db-id))))
;; A new group starts with the same perms as All Users
(is (partial=
{group-id
{db-id
{:perms/view-data :unrestricted
:perms/create-queries :query-builder-and-native
:perms/download-results :one-million-rows
:perms/manage-table-metadata :no
:perms/manage-database :no}}}
(data-perms/data-permissions-graph :group-id group-id :db-id db-id))))))))
(data-perms/data-permissions-graph :group-id group-id :db-id db-id)))
(testing "A new table has appropriate defaults, when perms are already set granularly for the DB"
(data-perms/set-table-permission! group-id table-id-1 :perms/create-queries :no)
(data-perms/set-table-permission! group-id table-id-1 :perms/download-results :no)
(data-perms/set-table-permission! group-id table-id-1 :perms/manage-table-metadata :no)
(data-perms/set-table-permission! group-id table-id-2 :perms/create-queries :query-builder)
(data-perms/set-table-permission! group-id table-id-2 :perms/download-results :one-million-rows)
(data-perms/set-table-permission! group-id table-id-2 :perms/manage-table-metadata :yes)
(mt/with-temp [:model/Table {table-id-3 :id} {:db_id db-id
:schema "PUBLIC"}]
(is (partial=
{group-id
{db-id
{:perms/view-data :unrestricted
:perms/create-queries {"PUBLIC"
{table-id-1 :no
table-id-2 :query-builder
table-id-3 :no}}
:perms/download-results {"PUBLIC"
{table-id-1 :no
table-id-2 :one-million-rows
table-id-3 :no}}
:perms/manage-table-metadata {"PUBLIC"
{table-id-1 :no
table-id-2 :yes
table-id-3 :no}}
:perms/manage-database :no}}}
(data-perms/data-permissions-graph :group-id group-id :db-id db-id)))))))))
(deftest cleanup-permissions-after-delete-table-test
(mt/with-temp
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment