From 0c8c4d6895bc98a830f623eaba5a696458c46730 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar
Date: Thu, 12 Mar 2020 18:55:33 +0000
Subject: [PATCH] [api] Fix, related fields need to be explicitly defined (#9283)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [api] Fix, related fields need to be explicitly defined

* [api] Fix, lint

* Update superset/datasets/api.py

Co-Authored-By: ʈᵃᵢ

Co-authored-by: ʈᵃᵢ
---
 superset/datasets/api.py        | 1 +
 superset/views/base_api.py      | 5 ++++-
 superset/views/chart/api.py     | 3 ++-
 superset/views/dashboard/api.py | 3 ++-
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/superset/datasets/api.py b/superset/datasets/api.py
index 64821dbfd..f0f4b7f5e 100644
--- a/superset/datasets/api.py
+++ b/superset/datasets/api.py
@@ -98,6 +98,7 @@ class DatasetRestApi(BaseSupersetModelRestApi):
 
     filter_rel_fields_field = {"owners": "first_name", "database": "database_name"}
     filter_rel_fields = {"database": [["id", DatabaseFilter, lambda: []]]}
+    allowed_rel_fields = {"database", "owners"}
 
     @expose("/", methods=["POST"])
     @protect()
diff --git a/superset/views/base_api.py b/superset/views/base_api.py
index 86a86a6ca..fdfafe170 100644
--- a/superset/views/base_api.py
+++ b/superset/views/base_api.py
@@ -16,7 +16,7 @@
 # under the License.
 import functools
 import logging
-from typing import Dict, Tuple
+from typing import Dict, Set, Tuple
 
 from flask import request
 from flask_appbuilder import ModelRestApi
@@ -101,6 +101,7 @@ class BaseSupersetModelRestApi(ModelRestApi):
                 "": "")
         }
     """ # pylint: disable=pointless-string-statement
+    allowed_rel_fields: Set[str] = set()
 
     def __init__(self):
         super().__init__()
@@ -191,6 +192,8 @@ class BaseSupersetModelRestApi(ModelRestApi):
             500:
               $ref: '#/components/responses/500'
         """
+        if column_name not in self.allowed_rel_fields:
+            return self.response_404()
         args = kwargs.get("rison", {})
         # handle pagination
         page, page_size = self._handle_page_args(args)
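Review bot: `allowed_rel_fields: Set[str] = set()` lands right after the pylint-suppressed string that documents `filter_rel_fields`, with nothing saying what it controls, so a subclass author gets no hint that leaving it empty makes every related-field lookup answer 404. Add a short note in the same style as the neighbouring attributes, e.g. `Related columns the related-field endpoint may serve; empty by default, so each API must opt in explicitly (see the column_name check below).` A bare `set()` is also a mutable default shared by every subclass that does not override it, so an in-place `.add()` on one API would widen the allow-list for all of them; `allowed_rel_fields: AbstractSet[str] = frozenset()` (importing `AbstractSet` in place of `Set` in the hunk above) avoids that while still accepting the `{"owners"}` literals the subclasses assign.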
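Review bot: The new guard returns 404 for any `column_name` outside `allowed_rel_fields` before `kwargs` is read or any query is built, which is the right order, but the commit adds no test for that path (the diffstat lists only the four API files), so a regression that drops the check or widens a subclass's set would go unnoticed. A test that requests a relation absent from the allow-list and expects 404, plus one for a listed relation that expects 200, would pin the deny-by-default behaviour. The handler's signature and decorators sit outside the hunk; if the `responses:` block of the docstring above does not already list `404`, it should now, since unknown columns produce one.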
diff --git a/superset/views/chart/api.py b/superset/views/chart/api.py
index da72f9b61..bd2118152 100644
--- a/superset/views/chart/api.py
+++ b/superset/views/chart/api.py
@@ -178,4 +178,5 @@ class ChartRestApi(SliceMixin, BaseOwnedModelRestApi):
         "slices": ("slice_name", "asc"),
         "owners": ("first_name", "asc"),
     }
-    filter_rel_fields_field = {"owners": "first_name", "dashboards": "dashboard_title"}
+    filter_rel_fields_field = {"owners": "first_name"}
+    allowed_rel_fields = {"owners"}
diff --git a/superset/views/dashboard/api.py b/superset/views/dashboard/api.py
index 6f6e010b3..496aa2fe4 100644
--- a/superset/views/dashboard/api.py
+++ b/superset/views/dashboard/api.py
@@ -173,7 +173,8 @@ class DashboardRestApi(DashboardMixin, BaseOwnedModelRestApi):
         "slices": ("slice_name", "asc"),
         "owners": ("first_name", "asc"),
     }
-    filter_rel_fields_field = {"owners": "first_name", "slices": "slice_name"}
+    filter_rel_fields_field = {"owners": "first_name"}
+    allowed_rel_fields = {"owners"}
 
     @expose("/", methods=["DELETE"])
     @protect()
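Review bot: `allowed_rel_fields = {"owners"}` is declared verbatim in both ChartRestApi and DashboardRestApi, whose shared base BaseOwnedModelRestApi is visible in the hunk headers, so the owners allow-list lives in two places and a third owned API would have to remember to repeat it. Declaring it once on BaseOwnedModelRestApi and letting subclasses override when they need more relations (as DatasetRestApi does with `{"database", "owners"}`) keeps the opt-in explicit while removing the duplication; the same note applies to the dashboard hunk below. Dropping `"dashboards"` and `"slices"` from `filter_rel_fields_field` in the same lines also silently removes those relations from the related-field endpoint, so a one-line comment such as `# Only "owners" is exposed through the related-field endpoint.` next to each `allowed_rel_fields` would record that this is deliberate.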