mirror of
https://github.com/valitydev/redash.git
synced 2024-11-09 02:06:49 +00:00
f7b57fa580
This is one huge change for the permissions system and related: * (Backward incompatible:) Remove the table based permissions in favour of the new model. * Manage permission to view or query datasources based on groups. * Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash. * Replace ActivityLog with Event based rows (old data in activity_log table is retained). * Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server. * Added new permission: 'super-admin' to access the status and Flask-Admin interface. * Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).
53 lines
2.3 KiB
Python
53 lines
2.3 KiB
Python
from tests import BaseTestCase
|
|
from tests.factories import org_factory
|
|
from redash.models import Group, DataSource
|
|
|
|
|
|
class TestGroupDataSourceListResource(BaseTestCase):
|
|
def test_returns_only_groups_for_current_org(self):
|
|
group = self.factory.create_group(org=self.factory.create_org())
|
|
data_source = self.factory.create_data_source(group=group)
|
|
|
|
response = self.make_request('get', '/api/groups/{}/data_sources'.format(group.id), user=self.factory.create_admin())
|
|
self.assertEqual(response.status_code, 404)
|
|
|
|
|
|
class TestGroupResourcePost(BaseTestCase):
|
|
def test_doesnt_change_builtin_groups(self):
|
|
current_name = self.factory.default_group.name
|
|
|
|
response = self.make_request('post', '/api/groups/{}'.format(self.factory.default_group.id),
|
|
user=self.factory.create_admin(),
|
|
data={'name': 'Another Name'})
|
|
|
|
self.assertEqual(response.status_code, 400)
|
|
self.assertEqual(current_name, Group.get_by_id(self.factory.default_group.id).name)
|
|
|
|
|
|
class TestGroupResourceDelete(BaseTestCase):
|
|
def test_allowed_only_to_admin(self):
|
|
group = self.factory.create_group()
|
|
|
|
response = self.make_request('delete', '/api/groups/{}'.format(group.id))
|
|
self.assertEqual(response.status_code, 403)
|
|
|
|
response = self.make_request('delete', '/api/groups/{}'.format(group.id), user=self.factory.create_admin())
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertRaises(Group.DoesNotExist, Group.get_by_id, group.id)
|
|
|
|
def test_cant_delete_builtin_group(self):
|
|
for group in [self.factory.default_group, self.factory.admin_group]:
|
|
response = self.make_request('delete', '/api/groups/{}'.format(group.id), user=self.factory.create_admin())
|
|
self.assertEqual(response.status_code, 400)
|
|
|
|
def test_can_delete_group_with_data_sources(self):
|
|
group = self.factory.create_group()
|
|
data_source = self.factory.create_data_source(group=group)
|
|
|
|
response = self.make_request('delete', '/api/groups/{}'.format(group.id), user=self.factory.create_admin())
|
|
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
self.assertEqual(data_source, DataSource.get_by_id(data_source.id))
|