fix: cache key with guest token rls (#19110)

* add guest rls clause to cache key * lint * pylint * add app back
2022-03-10 13:49:47 -08:00 · 2022-03-10 13:49:47 -08:00 · 27268169e4
parent a37a4ed35f
commit 27268169e4
3 changed files with 18 additions and 12 deletions
--- a/superset/common/query_context_processor.py
+++ b/superset/common/query_context_processor.py
@ -26,7 +26,7 @@ from flask_babel import _
 from pandas import DateOffset
 from typing_extensions import TypedDict

-from superset import app, is_feature_enabled
+from superset import app
 from superset.annotation_layers.dao import AnnotationLayerDAO
 from superset.charts.dao import ChartDAO
 from superset.common.chart_data import ChartDataResultFormat
@ -159,10 +159,7 @@ class QueryContextProcessor:
            query_obj.cache_key(
                datasource=datasource.uid,
                extra_cache_keys=extra_cache_keys,
-                rls=security_manager.get_rls_ids(datasource)
-                if is_feature_enabled("ROW_LEVEL_SECURITY")
-                and datasource.is_rls_supported
-                else [],
+                rls=security_manager.get_rls_cache_key(datasource),
                changed_on=datasource.changed_on,
                **kwargs,
            )
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@ -1222,6 +1222,20 @@ class SupersetSecurityManager(  # pylint: disable=too-many-public-methods
        ids.sort()  # Combinations rather than permutations
        return ids

+    def get_guest_rls_filters_str(self, table: "BaseDatasource") -> List[str]:
+        return [f.get("clause", "") for f in self.get_guest_rls_filters(table)]
+
+    def get_rls_cache_key(self, datasource: "BaseDatasource") -> List[str]:
+        # pylint: disable=import-outside-toplevel
+        from superset import is_feature_enabled
+
+        rls_ids = []
+        if is_feature_enabled("ROW_LEVEL_SECURITY") and datasource.is_rls_supported:
+            rls_ids = self.get_rls_ids(datasource)
+        rls_str = [str(rls_id) for rls_id in rls_ids]
+        guest_rls = self.get_guest_rls_filters_str(datasource)
+        return guest_rls + rls_str
+
    @staticmethod
    def raise_for_user_activity_access(user_id: int) -> None:
        user = g.user if g.user and g.user.get_id() else None
--- a/superset/viz.py
+++ b/superset/viz.py
@ -55,7 +55,7 @@ from flask_babel import lazy_gettext as _
 from geopy.point import Point
 from pandas.tseries.frequencies import to_offset

-from superset import app, is_feature_enabled
+from superset import app
 from superset.common.db_query_status import QueryStatus
 from superset.constants import NULL_STRING
 from superset.errors import ErrorLevel, SupersetError, SupersetErrorType
@ -458,12 +458,7 @@ class BaseViz:  # pylint: disable=too-many-public-methods
        cache_dict["time_range"] = self.form_data.get("time_range")
        cache_dict["datasource"] = self.datasource.uid
        cache_dict["extra_cache_keys"] = self.datasource.get_extra_cache_keys(query_obj)
-        cache_dict["rls"] = (
-            security_manager.get_rls_ids(self.datasource)
-            if is_feature_enabled("ROW_LEVEL_SECURITY")
-            and self.datasource.is_rls_supported
-            else []
-        )
+        cache_dict["rls"] = security_manager.get_rls_cache_key(self.datasource)
        cache_dict["changed_on"] = self.datasource.changed_on
        json_data = self.json_dumps(cache_dict, sort_keys=True)
        return md5_sha_from_str(json_data)