limiting more endpoints

.gitignore

@@ -20,6 +20,7 @@
 *.pyc
 *.sqllite
 *.swp
+.bento*
 .cache-loader
 .coverage
 .DS_Store

superset/app.py

@@ -154,7 +154,6 @@ def init_views(self) -> None:
         from superset.views.dashboard.views import (
             DashboardModelView,
             Dashboard,
-            DashboardAddView,
             DashboardModelViewAsync,
         )
         from superset.views.database.api import DatabaseRestApi
@@ -213,6 +212,16 @@ def init_views(self) -> None:
             category_label=__("Sources"),
             category_icon="fa-database",
         )
+        appbuilder.add_link(
+            "Tables",
+            label=__("Tables"),
+            href="/tablemodelview/list/?_flt_1_is_sqllab_view=y",
+            icon="fa-table",
+            category="Sources",
+            category_label=__("Sources"),
+            category_icon="fa-table",
+        )
+        appbuilder.add_separator("Sources")
         appbuilder.add_view(
             SliceModelView,
             "Charts",
@@ -254,7 +263,6 @@ def init_views(self) -> None:
         appbuilder.add_view_no_menu(CssTemplateAsyncModelView)
         appbuilder.add_view_no_menu(CsvToDatabaseView)
         appbuilder.add_view_no_menu(Dashboard)
-        appbuilder.add_view_no_menu(DashboardAddView)
         appbuilder.add_view_no_menu(DashboardModelViewAsync)
         appbuilder.add_view_no_menu(Datasource)
         appbuilder.add_view_no_menu(KV)
@@ -274,12 +282,6 @@ def init_views(self) -> None:
         #
         # Add links
         #
-        appbuilder.add_link(
-            __("Saved Queries"),
-            href="/sqllab/my_queries/",
-            icon="fa-save",
-            category="SQL Lab",
-        )
         appbuilder.add_link(
             "Import Dashboards",
             label=__("Import Dashboards"),
@@ -298,6 +300,12 @@ def init_views(self) -> None:
             category="SQL Lab",
             category_label=__("SQL Lab"),
         )
+        appbuilder.add_link(
+            __("Saved Queries"),
+            href="/sqllab/my_queries/",
+            icon="fa-save",
+            category="SQL Lab",
+        )
         appbuilder.add_link(
             "Query Search",
             label=_("Query Search"),
@@ -316,15 +324,6 @@ def init_views(self) -> None:
             category_label=__("Sources"),
             category_icon="fa-wrench",
         )
-        appbuilder.add_link(
-            "Tables",
-            label=__("Tables"),
-            href="/tablemodelview/list/?_flt_1_is_sqllab_view=y",
-            icon="fa-table",
-            category="Sources",
-            category_label=__("Sources"),
-            category_icon="fa-table",
-        )
 
         #
         # Conditionally setup log views

superset/connectors/druid/views.py

@@ -30,6 +30,7 @@
 from superset import app, appbuilder, db, security_manager
 from superset.connectors.base.views import DatasourceModelView
 from superset.connectors.connector_registry import ConnectorRegistry
+from superset.constants import CRUD_ROUTE_METHODS, RELATED_VIEWS_ROUTE_METHODS
 from superset.utils import core as utils
 from superset.views.base import (
     BaseSupersetView,
@@ -41,7 +42,6 @@
     validate_json,
     YamlExportMixin,
 )
-from superset.views.constants import CRUD_ROUTE_METHODS, RELATED_VIEWS_ROUTE_METHODS
 
 from . import models
 

superset/connectors/sqla/views.py

@@ -31,6 +31,7 @@
 
 from superset import appbuilder, db, security_manager
 from superset.connectors.base.views import DatasourceModelView
+from superset.constants import CRUD_ROUTE_METHODS, RELATED_VIEWS_ROUTE_METHODS
 from superset.utils import core as utils
 from superset.views.base import (
     DatasourceFilter,
@@ -40,7 +41,6 @@
     SupersetModelView,
     YamlExportMixin,
 )
-from superset.views.constants import CRUD_ROUTE_METHODS, RELATED_VIEWS_ROUTE_METHODS
 
 from . import models
 

superset/constants.py

@@ -19,3 +19,6 @@
 
 # string to use when None values *need* to be converted to/from strings
 NULL_STRING = "<NULL>"
+CRUD_ROUTE_METHODS = {"list", "add", "edit", "delete", "action_post"}
+RELATED_VIEWS_ROUTE_METHODS = {"list"}
+API_READ_ROUTE_METHODS = {"api_read"}

superset/security/manager.py

@@ -40,6 +40,7 @@
 
 from superset import sql_parse
 from superset.connectors.connector_registry import ConnectorRegistry
+from superset.constants import CRUD_ROUTE_METHODS
 from superset.exceptions import SupersetSecurityException
 from superset.utils.core import DatasourceName
 
@@ -76,6 +77,12 @@ def __init__(self, **kwargs):
 PermissionViewModelView.list_widget = SupersetSecurityListWidget
 PermissionModelView.list_widget = SupersetSecurityListWidget
 
+# Limiting routes on FAB model views
+UserModelView.include_route_methods = CRUD_ROUTE_METHODS | {"userinfo"}
+RoleModelView.include_route_methods = CRUD_ROUTE_METHODS
+PermissionViewModelView.include_route_methods = CRUD_ROUTE_METHODS
+PermissionModelView.include_route_methods = CRUD_ROUTE_METHODS
+
 
 class SupersetSecurityManager(SecurityManager):
     READ_ONLY_MODEL_VIEWS = {"DatabaseAsync", "DatabaseView", "DruidClusterModelView"}

superset/views/annotations.py

@@ -18,8 +18,8 @@
 from flask_babel import lazy_gettext as _
 from wtforms.validators import StopValidation
 
+from superset.constants import CRUD_ROUTE_METHODS
 from superset.models.annotations import Annotation, AnnotationLayer
-from superset.views.constants import CRUD_ROUTE_METHODS
 
 from .base import DeleteMixin, SupersetModelView
 

superset/views/core.py

@@ -70,6 +70,7 @@
 )
 from superset.connectors.connector_registry import ConnectorRegistry
 from superset.connectors.sqla.models import AnnotationDatasource
+from superset.constants import API_READ_ROUTE_METHODS, CRUD_ROUTE_METHODS
 from superset.exceptions import (
     DatabaseNotFound,
     SupersetException,

superset/views/dashboard/views.py

@@ -26,8 +26,8 @@
 
 import superset.models.core as models
 from superset import db, event_logger
+from superset.constants import API_READ_ROUTE_METHODS, CRUD_ROUTE_METHODS
 from superset.utils import core as utils
-from superset.views.constants import API_READ_ROUTE_METHODS, CRUD_ROUTE_METHODS
 
 from ..base import (
     BaseSupersetView,
@@ -139,18 +139,3 @@ class DashboardModelViewAsync(DashboardModelView):  # pylint: disable=too-many-a
         "creator": _("Creator"),
         "modified": _("Modified"),
     }
-
-
-class DashboardAddView(DashboardModelView):  # pylint: disable=too-many-ancestors
-    route_base = "/dashboardaddview"
-    list_columns = [
-        "id",
-        "dashboard_link",
-        "creator",
-        "modified",
-        "dashboard_title",
-        "changed_on",
-        "url",
-        "changed_by_name",
-    ]
-    show_columns = list(set(DashboardModelView.edit_columns + list_columns))

superset/views/database/views.py

@@ -27,9 +27,9 @@
 import superset.models.core as models
 from superset import app, db
 from superset.connectors.sqla.models import SqlaTable
+from superset.constants import CRUD_ROUTE_METHODS
 from superset.utils import core as utils
 from superset.views.base import DeleteMixin, SupersetModelView, YamlExportMixin
-from superset.views.constants import CRUD_ROUTE_METHODS
 
 from .forms import CsvToDatabaseForm
 from .mixins import DatabaseMixin

superset/views/log/views.py

@@ -18,11 +18,10 @@
 
 import superset.models.core as models
 from superset.views.base import SupersetModelView
-from superset.views.constants import CRUD_ROUTE_METHODS
 
 from . import LogMixin
 
 
 class LogModelView(LogMixin, SupersetModelView):  # pylint: disable=too-many-ancestors
     datamodel = SQLAInterface(models.Log)
-    include_route_methods = CRUD_ROUTE_METHODS
+    include_route_methods = {"list"}

superset/views/schedules.py

@@ -27,6 +27,7 @@
 from wtforms import BooleanField, StringField
 
 from superset import db, security_manager
+from superset.constants import CRUD_ROUTE_METHODS
 from superset.exceptions import SupersetException
 from superset.models.dashboard import Dashboard
 from superset.models.schedules import (
@@ -37,7 +38,6 @@
 from superset.models.slice import Slice
 from superset.tasks.schedules import schedule_email_report
 from superset.utils.core import get_email_address_list, json_iso_dttm_ser
-from superset.views.constants import CRUD_ROUTE_METHODS
 from superset.views.core import json_success
 
 from .base import DeleteMixin, SupersetModelView

superset/views/sql_lab.py

@@ -25,9 +25,9 @@
 from flask_sqlalchemy import BaseQuery
 
 from superset import db, get_feature_flags, security_manager
+from superset.constants import API_READ_ROUTE_METHODS, CRUD_ROUTE_METHODS
 from superset.models.sql_lab import Query, SavedQuery, TableSchema, TabState
 from superset.utils import core as utils
-from superset.views.constants import API_READ_ROUTE_METHODS, CRUD_ROUTE_METHODS
 
 from .base import (
     BaseFilter,
@@ -53,6 +53,7 @@ def apply(self, query: BaseQuery, value: Callable) -> BaseQuery:
 
 class QueryView(SupersetModelView):
     datamodel = SQLAInterface(Query)
+    include_route_methods = {"list"}
 
     list_title = _("List Query")
     show_title = _("Show Query")