fix: REST API CSRF exempt list (#25590)

2023-10-10 12:53:37 +01:00 · 2023-10-10 12:53:37 +01:00 · 549abb542b
parent 512fb9a0bd
commit 549abb542b
3 changed files with 41 additions and 1 deletions
--- a/superset/views/base_api.py
+++ b/superset/views/base_api.py
@ -251,7 +251,7 @@ class BaseSupersetApi(BaseSupersetApiMixin, BaseApi):
    ...


-class BaseSupersetModelRestApi(ModelRestApi, BaseSupersetApiMixin):
+class BaseSupersetModelRestApi(BaseSupersetApiMixin, ModelRestApi):
    """
    Extends FAB's ModelResApi to implement specific superset generic functionality
    """
--- a/tests/unit_tests/conftest.py
+++ b/tests/unit_tests/conftest.py
@ -89,6 +89,15 @@ def app(request: SubRequest) -> Iterator[SupersetApp]:
    app.config["TESTING"] = True

    # loop over extra configs passed in by tests
+    # and update the app config
+    # to override the default configs use:
+    #
+    # @pytest.mark.parametrize(
+    #     "app",
+    #     [{"SOME_CONFIG": "SOME_VALUE"}],
+    #     indirect=True,
+    # )
+    # def test_some_test(app_context: None) -> None:
    if request and hasattr(request, "param"):
        for key, val in request.param.items():
            app.config[key] = val
--- a/tests/unit_tests/security/api_test.py
+++ b/tests/unit_tests/security/api_test.py
@ -0,0 +1,31 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+import pytest
+
+from superset.extensions import csrf
+
+
+@pytest.mark.parametrize(
+    "app",
+    [{"WTF_CSRF_ENABLED": True}],
+    indirect=True,
+)
+def test_csrf_not_exempt(app_context: None) -> None:
+    """
+    Test that REST API is not exempt from CSRF.
+    """
+    assert csrf._exempt_blueprints == {"MenuApi", "SecurityApi", "OpenApi"}