fix(permissions): alpha role has all full features (apache#10241)

* fix(permissions): alpha role is inconsistent

* reverse and allow Alpha to access manager menu

* Bump FAB to 3.0.1rc1 to include del permission fix

* add docs, tests and UPDATING

* EOL

* Fix query view for Alpha

UPDATING.md

@@ -23,6 +23,8 @@ assists people when migrating to a new version.
 
 ## Next
 
+* [10241](https://github.com/apache/incubator-superset/pull/10241): change on Alpha role, users started to have access to "Annotation Layers", "Css Templates" and "Import Dashboards".
+
 * [10324](https://github.com/apache/incubator-superset/pull/10324): Facebook Prophet has been introduced as an optional dependency to add support for timeseries forecasting in the chart data API. To enable this feature, install Superset with the optional dependency `prophet` or directly `pip install fbprophet`.
 
 * [10320](https://github.com/apache/incubator-superset/pull/10320): References to blacklst/whitelist language have been replaced with more appropriate alternatives. All configs refencing containing `WHITE`/`BLACK` have been replaced with `ALLOW`/`DENY`. Affected config variables that need to be updated: `TIME_GRAIN_BLACKLIST`, `VIZ_TYPE_BLACKLIST`, `DRUID_DATA_SOURCE_BLACKLIST`.

docs/security.rst

@@ -46,8 +46,9 @@ other users and altering other people's slices and dashboards.
 
 Alpha
 """""
-Alpha users have access to all data sources, but they cannot grant or revoke access
-from other users. They are also limited to altering the objects that they
+Alpha users have access to all data sources, and all features except SQLLab and
+security, so they cannot grant or revoke access from other users.
+They are also limited to altering the objects that they
 own. Alpha users can add and alter data sources.
 
 Gamma

superset/security/manager.py

@@ -128,9 +128,7 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
 
     ADMIN_ONLY_VIEW_MENUS = {
         "AccessRequestsModelView",
-        "Manage",
         "SQL Lab",
-        "Queries",
         "Refresh Druid Metadata",
         "ResetPasswordView",
         "RoleModelView",
@@ -139,7 +137,13 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
         "RowLevelSecurityFiltersModelView",
     } | USER_MODEL_VIEWS
 
-    ALPHA_ONLY_VIEW_MENUS = {"Upload a CSV"}
+    ALPHA_ONLY_VIEW_MENUS = {
+        "Manage",
+        "CSS Templates",
+        "Queries",
+        "Import dashboards",
+        "Upload a CSV",
+    }
 
     ADMIN_ONLY_PERMISSIONS = {
         "can_sql_json",  # TODO: move can_sql_json to sql_lab role

tests/security_tests.py

@@ -570,6 +570,9 @@ def assert_can_all(self, view_menu, permissions_set):
         self.assert_can_read(view_menu, permissions_set)
         self.assert_can_write(view_menu, permissions_set)
 
+    def assert_can_menu(self, view_menu, permissions_set):
+        self.assertIn(("menu_access", view_menu), permissions_set)
+
     def assert_can_gamma(self, perm_set):
         self.assert_can_read("TableModelView", perm_set)
 
@@ -592,10 +595,24 @@ def assert_can_gamma(self, perm_set):
         self.assertIn(("can_explore", "Superset"), perm_set)
         self.assertIn(("can_explore_json", "Superset"), perm_set)
         self.assertIn(("can_userinfo", "UserDBModelView"), perm_set)
+        self.assert_can_menu("Databases", perm_set)
+        self.assert_can_menu("Tables", perm_set)
+        self.assert_can_menu("Sources", perm_set)
+        self.assert_can_menu("Charts", perm_set)
+        self.assert_can_menu("Dashboards", perm_set)
 
     def assert_can_alpha(self, perm_set):
+        self.assert_can_all("AnnotationLayerModelView", perm_set)
+        self.assert_can_all("CssTemplateModelView", perm_set)
         self.assert_can_all("TableModelView", perm_set)
-
+        self.assert_can_read("QueryView", perm_set)
+        self.assertIn(("can_import_dashboards", "Superset"), perm_set)
+        self.assertIn(("can_this_form_post", "CsvToDatabaseView"), perm_set)
+        self.assertIn(("can_this_form_get", "CsvToDatabaseView"), perm_set)
+        self.assert_can_menu("Manage", perm_set)
+        self.assert_can_menu("Annotation Layers", perm_set)
+        self.assert_can_menu("CSS Templates", perm_set)
+        self.assert_can_menu("Upload a CSV", perm_set)
         self.assertIn(("all_datasource_access", "all_datasource_access"), perm_set)
 
     def assert_cannot_alpha(self, perm_set):
@@ -617,6 +634,10 @@ def assert_can_admin(self, perm_set):
         self.assertIn(("can_override_role_permissions", "Superset"), perm_set)
         self.assertIn(("can_approve", "Superset"), perm_set)
 
+        self.assert_can_menu("Security", perm_set)
+        self.assert_can_menu("List Users", perm_set)
+        self.assert_can_menu("List Roles", perm_set)
+
     def test_is_admin_only(self):
         self.assertFalse(
             security_manager._is_admin_only(