From cf20b3439c4a142e51955531a1439c77e7f50e91 Mon Sep 17 00:00:00 2001
From: "Michael S. Molina" <70410625+michael-s-molina@users.noreply.github.com>
Date: Thu, 18 Jan 2024 10:29:51 -0300
Subject: [PATCH] refactor: Removes the deprecated
ENABLE_EXPLORE_JSON_CSRF_PROTECTION feature flag (#26344)
---
RESOURCES/FEATURE_FLAGS.md | 1 -
UPDATING.md | 1 +
.../docs/installation/configuring-superset.mdx | 1 -
superset/config.py | 8 --------
superset/views/core.py | 18 ++++++++++++------
tests/integration_tests/core_tests.py | 9 ++++++++-
6 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/RESOURCES/FEATURE_FLAGS.md b/RESOURCES/FEATURE_FLAGS.md
index 4a078d632..5c286ffa9 100644
--- a/RESOURCES/FEATURE_FLAGS.md
+++ b/RESOURCES/FEATURE_FLAGS.md
@@ -86,7 +86,6 @@ These features flags currently default to True and **will be removed in a future
- DASHBOARD_CROSS_FILTERS
- DASHBOARD_FILTERS_EXPERIMENTAL
- DASHBOARD_NATIVE_FILTERS
-- ENABLE_EXPLORE_JSON_CSRF_PROTECTION
- ENABLE_JAVASCRIPT_CONTROLS
- GENERIC_CHART_AXES
- KV_STORE
diff --git a/UPDATING.md b/UPDATING.md
index ccafa2c5c..7e5e2ea47 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -30,6 +30,7 @@ assists people when migrating to a new version.
### Breaking Changes
+- [26344](https://github.com/apache/superset/issues/26344): Removes the deprecated `ENABLE_EXPLORE_JSON_CSRF_PROTECTION` feature flag. The previous value of the feature flag was `False` and now the feature is permanently removed.
- [26345](https://github.com/apache/superset/issues/26345): Removes the deprecated `ENABLE_TEMPLATE_REMOVE_FILTERS` feature flag. The previous value of the feature flag was `True` and now the feature is permanently enabled.
- [26346](https://github.com/apache/superset/issues/26346): Removes the deprecated `REMOVE_SLICE_LEVEL_LABEL_COLORS` feature flag. The previous value of the feature flag was `False` and now the feature is permanently removed.
- [26348](https://github.com/apache/superset/issues/26348): Removes the deprecated `CLIENT_CACHE` feature flag. The previous value of the feature flag was `False` and now the feature is permanently removed.
diff --git a/docs/docs/installation/configuring-superset.mdx b/docs/docs/installation/configuring-superset.mdx
index 820feaeec..30bc2f281 100644
--- a/docs/docs/installation/configuring-superset.mdx
+++ b/docs/docs/installation/configuring-superset.mdx
@@ -358,7 +358,6 @@ You can enable or disable features with flag from `superset_config.py`:
```python
FEATURE_FLAGS = {
- 'ENABLE_EXPLORE_JSON_CSRF_PROTECTION': False,
'PRESTO_EXPAND_DATA': False,
}
```
diff --git a/superset/config.py b/superset/config.py
index 3999edb35..e750b2f09 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -409,14 +409,6 @@ DEFAULT_FEATURE_FLAGS: dict[str, bool] = {
# editor no longer shows. Currently this is set to false so that the editor
# option does show, but we will be depreciating it.
"DISABLE_LEGACY_DATASOURCE_EDITOR": True,
- # For some security concerns, you may need to enforce CSRF protection on
- # all query request to explore_json endpoint. In Superset, we use
- # `flask-csrf `_ add csrf protection
- # for all POST requests, but this protection doesn't apply to GET method.
- # When ENABLE_EXPLORE_JSON_CSRF_PROTECTION is set to true, your users cannot
- # make GET request to explore_json. explore_json accepts both GET and POST request.
- # See `PR 7935 `_ for more details.
- "ENABLE_EXPLORE_JSON_CSRF_PROTECTION": False, # deprecated
"ENABLE_TEMPLATE_PROCESSING": False,
# Allow for javascript controls components
# this enables programmers to customize certain charts (like the
diff --git a/superset/views/core.py b/superset/views/core.py
index 5d23164fa..febebed34 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -15,6 +15,7 @@
# specific language governing permissions and limitations
# under the License.
# pylint: disable=invalid-name
+# pylint: disable=too-many-lines
from __future__ import annotations
import contextlib
@@ -238,19 +239,24 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
except SupersetException as ex:
return json_error_response(utils.error_msg_from_exception(ex), 400)
- EXPLORE_JSON_METHODS = ["POST"]
- if not is_feature_enabled("ENABLE_EXPLORE_JSON_CSRF_PROTECTION"):
- EXPLORE_JSON_METHODS.append("GET")
-
@api
@has_access_api
@handle_api_exception
@event_logger.log_this
@expose(
"/explore_json///",
- methods=EXPLORE_JSON_METHODS,
+ methods=(
+ "GET",
+ "POST",
+ ),
+ )
+ @expose(
+ "/explore_json/",
+ methods=(
+ "GET",
+ "POST",
+ ),
)
- @expose("/explore_json/", methods=EXPLORE_JSON_METHODS)
@etag_cache()
@check_resource_permissions(check_datasource_perms)
@deprecated(eol_version="4.0.0")
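Review bot: Both `@expose` decorators now accept GET unconditionally, yet the reason the config comment deleted in this commit gave for ever restricting explore_json to POST — CSRF protection is applied to POST requests only — no longer appears anywhere near the code. A deployment that had opted into the flag in its own config silently loses the POST-only restriction, since the key is simply no longer read. Suggest a comment above the first `@expose`, e.g. `# GET is accepted for legacy links; CSRF protection covers POST only, so this (deprecated, EOL 4.0.0) handler must stay read-only on GET.`; the handler body continues below the hunk, so whether it is read-only today should be confirmed there.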
diff --git a/tests/integration_tests/core_tests.py b/tests/integration_tests/core_tests.py
index c4a089733..6d1a62c7f 100644
--- a/tests/integration_tests/core_tests.py
+++ b/tests/integration_tests/core_tests.py
@@ -559,8 +559,15 @@ class TestCore(SupersetTestCase):
self.assertEqual(clean_query, rendered_query)
def test_slice_payload_no_datasource(self):
+ form_data = {
+ "viz_type": "dist_bar",
+ }
self.login(username="admin")
- data = self.get_json_resp("/superset/explore_json/", raise_on_error=False)
+ rv = self.client.post(
+ "/superset/explore_json/",
+ data={"form_data": json.dumps(form_data)},
+ )
+ data = json.loads(rv.data.decode("utf-8"))
self.assertEqual(
data["errors"][0]["message"],
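Review bot: `test_slice_payload_no_datasource` now sends only a POST, so the GET route that this commit makes unconditional on `/superset/explore_json/` is no longer exercised by the test that previously used it. Keeping a GET request alongside the POST, e.g. `rv = self.client.get("/superset/explore_json/", query_string={"form_data": json.dumps(form_data)})` followed by the same error assertion, would pin the behaviour the flag removal commits to. The method's assertion continues past the end of the hunk.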