fix: Gamma users shouldn't be able to create roles (#29687)

Author: hughhhh

superset/security/manager.py

@@ -238,6 +238,12 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         "SQL Lab",
         "User Registrations",
         "User's Statistics",
+        # Guarding all AB_ADD_SECURITY_API = True REST APIs
+        "Role",
+        "Permission",
+        "PermissionViewMenu",
+        "ViewMenu",
+        "User",
     } | USER_MODEL_VIEWS
 
     ALPHA_ONLY_VIEW_MENUS = {

tests/integration_tests/security/api_tests.py

@@ -26,6 +26,7 @@
 from superset.models.dashboard import Dashboard
 from superset.utils.urls import get_url_host
 from superset.utils import json
+from tests.integration_tests.conftest import with_config
 from tests.integration_tests.base_tests import SupersetTestCase
 from tests.integration_tests.constants import ADMIN_USERNAME, GAMMA_USERNAME
 from tests.integration_tests.fixtures.birth_names_dashboard import (
@@ -135,3 +136,64 @@ def test_post_guest_token_bad_resources(self):
         )
 
         self.assert400(response)
+
+
+class TestSecurityRolesApi(SupersetTestCase):
+    uri = "api/v1/security/roles/"  # noqa: F541
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_get_security_roles_admin(self):
+        """
+        Security API: Admin should be able to get roles
+        """
+        self.login(ADMIN_USERNAME)
+        response = self.client.get(self.uri)
+        self.assert200(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_get_security_roles_gamma(self):
+        """
+        Security API: Gamma should not be able to get roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.get(self.uri)
+        self.assert403(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_post_security_roles_gamma(self):
+        """
+        Security API: Gamma should not be able to create roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.post(
+            self.uri,
+            data=json.dumps({"name": "new_role"}),
+            content_type="application/json",
+        )
+        self.assert403(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_put_security_roles_gamma(self):
+        """
+        Security API: Gamma shouldnt be able to update roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.put(
+            f"{self.uri}1",
+            data=json.dumps({"name": "new_role"}),
+            content_type="application/json",
+        )
+        self.assert403(response)
+
+    @with_config({"FAB_ADD_SECURITY_API": True})
+    def test_delete_security_roles_gamma(self):
+        """
+        Security API: Gamma shouldnt be able to delete roles
+        """
+        self.login(GAMMA_USERNAME)
+        response = self.client.delete(
+            f"{self.uri}1",
+            data=json.dumps({"name": "new_role"}),
+            content_type="application/json",
+        )
+        self.assert403(response)

tests/integration_tests/superset_test_config.py

@@ -137,6 +137,8 @@ def GET_FEATURE_FLAGS_FUNC(ff):
 
 ALERT_REPORTS_QUERY_EXECUTION_MAX_TRIES = 3
 
+FAB_ADD_SECURITY_API = True
+
 
 class CeleryConfig:
     broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"