iop
/
superset
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(chart data): removing query from /chart/data payload when accessing as guest user (#30858)

This commit is contained in:
Jack 2024-11-07 11:24:15 -06:00 committed by GitHub
parent 5b2f005e80
commit dd39138e6e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 62 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
superset/charts/data/api.py
View File

@ -394,8 +394,13 @@ class ChartDataRestApi(ChartRestApi):
)
if result_format == ChartDataResultFormat.JSON:
queries = result["queries"]
if security_manager.is_guest_user():
for query in queries:
with contextlib.suppress(KeyError):
del query["query"]
response_data = json.dumps(
{"result": result["queries"]},
{"result": queries},
default=json.json_int_dttm_ser,
ignore_nan=True,
)

56
tests/integration_tests/charts/api_tests.py
View File

@ -24,6 +24,7 @@ from zipfile import is_zipfile, ZipFile
import prison
import pytest
import yaml
from flask import g
from flask_babel import lazy_gettext as _
from parameterized import parameterized
from sqlalchemy import and_
@ -62,6 +63,7 @@ from tests.integration_tests.fixtures.importexport import (
dataset_config,
dataset_metadata_config,
)
from tests.integration_tests.fixtures.query_context import get_query_context
from tests.integration_tests.fixtures.tags import (
create_custom_tags, # noqa: F401
get_filter_params,
@ -2327,3 +2329,57 @@ class TestChartApi(ApiOwnersTestCaseMixin, InsertChartMixin, SupersetTestCase):
security_manager.add_permission_role(alpha_role, write_tags_perm)
security_manager.add_permission_role(alpha_role, tag_charts_perm)
@patch("superset.security.manager.SupersetSecurityManager.has_guest_access")
@patch("superset.security.manager.SupersetSecurityManager.is_guest_user")
@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
def test_get_chart_data_as_guest_user(
self, is_guest_user, has_guest_access
): # get_guest_rls_filters
"""
Chart API: Test create simple chart
"""
self.login(ADMIN_USERNAME)
g.user.rls = []
is_guest_user.return_value = True
has_guest_access.return_value = True
with mock.patch.object(Slice, "get_query_context") as mock_get_query_context:
mock_get_query_context.return_value = get_query_context("birth_names")
rv = self.client.post(
"api/v1/chart/data", # noqa: F541
json={
"datasource": {"id": 2, "type": "table"},
"queries": [
{
"extras": {"where": "", "time_grain_sqla": "P1D"},
"columns": ["name"],
"metrics": [{"label": "sum__num"}],
"orderby": [("sum__num", False)],
"row_limit": 100,
"granularity": "ds",
"time_range": "100 years ago : now",
"timeseries_limit": 0,
"timeseries_limit_metric": None,
"order_desc": True,
"filters": [
{"col": "gender", "op": "==", "val": "boy"},
{"col": "num", "op": "IS NOT NULL"},
{
"col": "name",
"op": "NOT IN",
"val": ["<NULL>", '"abc"'],
},
],
"having": "",
"where": "",
}
],
"result_format": "json",
"result_type": "full",
},
)
data = json.loads(rv.data.decode("utf-8"))
result = data["result"]
excluded_key = "query"
assert all([excluded_key not in query for query in result])