diff --git a/superset/datasets/api.py b/superset/datasets/api.py
index 64821dbfd..f0f4b7f5e 100644
--- a/superset/datasets/api.py
+++ b/superset/datasets/api.py
@@ -98,6 +98,7 @@ class DatasetRestApi(BaseSupersetModelRestApi):
 filter_rel_fields_field = {"owners": "first_name", "database": "database_name"}
 filter_rel_fields = {"database": [["id", DatabaseFilter, lambda: []]]}
+ allowed_rel_fields = {"database", "owners"}
 @expose("/", methods=["POST"])
 @protect()
diff --git a/superset/views/base_api.py b/superset/views/base_api.py
index 86a86a6ca..fdfafe170 100644
--- a/superset/views/base_api.py
+++ b/superset/views/base_api.py
@@ -16,7 +16,7 @@
 # under the License.
 import functools
 import logging
-from typing import Dict, Tuple
+from typing import Dict, Set, Tuple
 from flask import request
 from flask_appbuilder import ModelRestApi
@@ -101,6 +101,7 @@ class BaseSupersetModelRestApi(ModelRestApi):
 "": "")
 }
 """ # pylint: disable=pointless-string-statement
+ allowed_rel_fields: Set[str] = set()
 def __init__(self):
 super().__init__()
@@ -191,6 +192,8 @@ class BaseSupersetModelRestApi(ModelRestApi):
 500:
 $ref: '#/components/responses/500'
 """
+ if column_name not in self.allowed_rel_fields:
+ return self.response_404()
 args = kwargs.get("rison", {})
 # handle pagination
 page, page_size = self._handle_page_args(args)
diff --git a/superset/views/chart/api.py b/superset/views/chart/api.py
index da72f9b61..bd2118152 100644
--- a/superset/views/chart/api.py
+++ b/superset/views/chart/api.py
@@ -178,4 +178,5 @@ class ChartRestApi(SliceMixin, BaseOwnedModelRestApi):
 "slices": ("slice_name", "asc"),
 "owners": ("first_name", "asc"),
 }
- filter_rel_fields_field = {"owners": "first_name", "dashboards": "dashboard_title"}
+ filter_rel_fields_field = {"owners": "first_name"}
+ allowed_rel_fields = {"owners"}
diff --git a/superset/views/dashboard/api.py b/superset/views/dashboard/api.py
index 6f6e010b3..496aa2fe4 100644
--- a/superset/views/dashboard/api.py
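Review bot: `owners` is put on the new `allowed_rel_fields` line without a matching entry in `filter_rel_fields` on the line above, while `database` is narrowed by `DatabaseFilter`; so the related endpoint will presumably hand the full owner candidate list (keyed by `first_name`, per `filter_rel_fields_field`) to any caller who can reach it. If that relation targets the user table this is an enumeration surface and deserves an explicit decision rather than an implicit one. Either add an `owners` entry to `filter_rel_fields` with a suitable filter, or record the intent next to the allowlist, e.g. `# owners is deliberately unfiltered: the owner picker needs the full candidate list`. The `DatasetRestApi` class body continues on both sides of this hunk.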
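Review bot: The new `allowed_rel_fields` class attribute in the `@@ -101` hunk lands right after the attribute-documentation string but is not described there, so a subclass author has no hint that leaving it empty makes every `/related/<column>` call fail closed with 404. I would add a comment above it: `# Relations that the related endpoint may enumerate; anything else is answered with 404. Empty by default, so every API must opt in explicitly.` Note also that the default `set()` is one mutable object shared by every subclass that does not override it, so subclasses must assign their own set (as the other hunks do) rather than `.add()` to the inherited one. The enclosing `BaseSupersetModelRestApi` class continues on both sides of the hunk.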
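Review bot: The guard added in the `@@ -191` hunk rejects a non-allowlisted `column_name` before any rison parsing, which is the right fail-closed shape, but the OpenAPI docstring it follows should then list that response if it does not already (only the `500:` entry is visible here): `404: $ref: '#/components/responses/404'`. Because the check runs before the name is ever resolved against the model, a column that is not a relation and one that is merely not exposed look identical to the caller, which is the intended behaviour and worth a one-line comment: `# allowlist first: only explicitly exposed relations can be enumerated here`. The enclosing method's signature and the rest of its body lie outside the hunk.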
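Review bot: In the chart hunk, `allowed_rel_fields = {"owners"}` makes the `"slices": ("slice_name", "asc"),` entry in the dict just above dead configuration, since that relation can no longer be reached through the related endpoint (the dict's name is above the hunk, so I take it to be the related-field ordering map). Dropping the stale entry, or annotating the allowlist so a later change does not casually re-add `dashboards`, would keep the intent visible: `# dashboards deliberately not allowlisted: dashboard titles must not be enumerable via /related`. The `ChartRestApi` class body starts above the hunk.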
+++ b/superset/views/dashboard/api.py
@@ -173,7 +173,8 @@ class DashboardRestApi(DashboardMixin, BaseOwnedModelRestApi):
 "slices": ("slice_name", "asc"),
 "owners": ("first_name", "asc"),
 }
- filter_rel_fields_field = {"owners": "first_name", "slices": "slice_name"}
+ filter_rel_fields_field = {"owners": "first_name"}
+ allowed_rel_fields = {"owners"}
 @expose("/", methods=["DELETE"])
 @protect()
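Review bot: `slices` is removed from `filter_rel_fields_field` and excluded from the new `allowed_rel_fields`, yet the `"slices": ("slice_name", "asc"),` ordering entry above the change stays behind, and no test change is visible in this diff asserting that `related/slices` now returns 404. A regression test for the 404 on the dropped relation is what protects this allowlist from being widened again, so I would add one alongside this change if it is not already in the test suite. I would also remove the stale ordering entry or comment it, e.g. `# slices is intentionally not exposed through /related`. The `DashboardRestApi` class body continues on both sides of the hunk.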