diff --git a/tests/unit_tests/security/manager_test.py b/tests/unit_tests/security/manager_test.py index 03344629087c9..cf7587b11b3a3 100644 --- a/tests/unit_tests/security/manager_test.py +++ b/tests/unit_tests/security/manager_test.py @@ -561,3 +561,51 @@ def test_get_schema_perm() -> None: ) assert sm.get_schema_perm("my_db", None, None) is None assert sm.get_schema_perm("my_db", "my_catalog", None) is None + + +def test_raise_for_access_catalog( + mocker: MockFixture, + app_context: None, +) -> None: + """ + Test catalog-level permissions. + """ + sm = SupersetSecurityManager(appbuilder) + mocker.patch.object(sm, "can_access_database", return_value=False) + mocker.patch.object( + sm, + "get_catalog_perm", + return_value="[PostgreSQL].[db1].[public]", + ) + mocker.patch.object(sm, "is_guest_user", return_value=False) + SqlaTable = mocker.patch("superset.connectors.sqla.models.SqlaTable") + SqlaTable.query_datasources_by_name.return_value = [] + + database = mocker.MagicMock() + database.get_default_catalog.return_value = "db1" + database.get_default_schema_for_query.return_value = "public" + query = mocker.MagicMock() + query.database = database + query.sql = "SELECT * FROM ab_user" + + can_access = mocker.patch.object(sm, "can_access", return_value=True) + sm.raise_for_access(query=query) + can_access.assert_called_with("catalog_access", "[PostgreSQL].[db1].[public]") + + mocker.patch.object(sm, "can_access", return_value=False) + with pytest.raises(SupersetSecurityException) as excinfo: + sm.raise_for_access(query=query) + assert ( + str(excinfo.value) + == """You need access to the following tables: `db1.public.ab_user`, + `all_database_access` or `all_datasource_access` permission""" + ) + + query.sql = "SELECT * FROM db2.public.ab_user" + with pytest.raises(SupersetSecurityException) as excinfo: + sm.raise_for_access(query=query) + assert ( + str(excinfo.value) + == """You need access to the following tables: `db2.public.ab_user`, + `all_database_access` or `all_datasource_access` permission""" + )