Update dependency flask-appbuilder to v4 [SECURITY] (master) #126

Open. Wants to merge 1 commit into master.

Conversation

renovate[bot] commented Apr 21, 2024

This PR contains the following updates:

Package: flask-appbuilder
Change: ==2.3.0 -> ==4.5.1

GitHub Vulnerability Alerts

CVE-2021-29621

Impact

User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows a non-authenticated user to enumerate existing accounts by timing the server's response when logging in.

Patches

Upgrade to 3.3.0

CVE-2021-32805

Impact

If using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder; this URL can redirect a user to a malicious site. This is an open redirect vulnerability.

Patches

Install Flask-AppBuilder 3.2.2 or above

Workarounds

Filter HTTP traffic containing ?next={next-site} where the next-site domain is different from the application you are protecting.

CVE-2021-41265

Impact

Improper authentication on the REST API. Allows a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. Only affects non-database authentication types and new REST API endpoints.

Patches

Upgrade to Flask-AppBuilder 3.3.4

CVE-2022-21659

Impact

User enumeration in database authentication in Flask-AppBuilder < 3.4.4. Allows a non-authenticated user to enumerate existing accounts by timing the server's response when logging in.

Patches

Upgrade to 3.4.4

CVE-2022-24776

Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 3.4.5 contain an open redirect vulnerability when using the database authentication login page. There are no known workarounds. Users are recommended to upgrade to version 3.4.5 or later.

CVE-2022-31177

Impact

An authenticated Admin user could craft HTTP requests to filter users by their salted and hashed password strings. These filters could be made using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users.

Only when using the AUTH_DB database authentication option.

Patches

Fixed on 4.1.3

CVE-2023-29005

Impact

Lack of rate limiting will allow an attacker to brute-force user credentials.

Patches

Rate limiting can be enabled on Flask-AppBuilder >= 4.3.0. Set AUTH_RATE_LIMITED = True and RATELIMIT_ENABLED = True, and set the limit itself with AUTH_RATE_LIMIT. This applies only to database authentication.

Workarounds

Implement rate limiting using a reverse proxy or other strategies.

CVE-2023-34110

Impact

An authenticated malicious actor with Admin privileges could, by adding a special character on the add/edit User forms, trigger a database error; this error is surfaced back to this actor in the UI. On certain database engines this error can include the entire user row, including the pbkdf2:sha256 hashed password.

Patches

Fixed on 4.3.2

CVE-2024-25128

Impact

When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privileged access if a custom OpenID service is deployed by the attacker and accessible by the backend.

This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from OIDC, OpenID Connect, the popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage, and has not been supported for several years by major authorization providers.

Patches

Upgrade to Flask-AppBuilder 4.3.11

Workarounds

If upgrading is not possible, add the following to your config:

import os

from flask import flash, redirect
from flask_appbuilder import expose
from flask_appbuilder.security.sqla.manager import SecurityManager
from flask_appbuilder.security.views import AuthOIDView
from flask_appbuilder.security.forms import LoginForm_oid

basedir = os.path.abspath(os.path.dirname(__file__))

class FixedOIDView(AuthOIDView):
    @expose("/login/", methods=["GET", "POST"])
    def login(self, flag=True):
        form = LoginForm_oid()
        if form.validate_on_submit():
            # Only accept an identity URL that exactly matches one of the
            # configured providers; otherwise the backend would contact
            # whatever OpenID endpoint the request names.
            identity_url = None
            for provider in self.appbuilder.sm.openid_providers:
                if provider.get("url") == form.openid.data:
                    identity_url = form.openid.data
            if identity_url is None:
                flash(self.invalid_login_message, "warning")
                return redirect(self.appbuilder.get_url_for_login)
        return super().login(flag=flag)

class FixedSecurityManager(SecurityManager):
    authoidview = FixedOIDView

# Point Flask-AppBuilder at the patched security manager (import path of this config module).
FAB_SECURITY_MANAGER_CLASS = "config.FixedSecurityManager"

CVE-2024-45314

Impact

The Auth DB login form's default cache directives allow the browser to locally store sensitive data. This can be an issue in environments using shared computer resources.

Patches

Upgrade flask-appbuilder to version 4.5.1

Workarounds

If upgrading is not possible, configure your web server to send the following HTTP headers for /login:
"Cache-Control": "no-store, no-cache, must-revalidate, max-age=0"
"Pragma": "no-cache"
"Expires": "0"


Release Notes

dpgaspar/flask-appbuilder (flask-appbuilder)

v4.5.1

  • feat: add no cache directive to login forms (#​2266) [Daniel Vaz Gaspar]
  • chore: bump cryptography to 42.0.4 (#​2238) [Daniel Vaz Gaspar]
  • docs: Fixing broken link (#​2252) [Chase Jones]
  • fix: rate limiter key function (#​2254) [Daniel Vaz Gaspar]
  • chore: bump dnspython to fix vulnerability (#​2255) [Daniel Vaz Gaspar]

v4.5.0

  • feat: REST API new select columns query param (#​2242) [Daniel Vaz Gaspar]
  • chore: bump werkzeug to 3.0.3 (#​2237) [Daniel Vaz Gaspar]
  • fix: Keycloak OAuth2, get groups as role_keys per default (#​2235) [Andreas 'count' Kotes]
  • fix: Check if Oauth login with OKTA is correct (#​1926) [Hojjat Ali Mohammadi]
  • docs: Update quickcharts.rst for typo gold to goal (#​2217) [Abhinav Pareek]

v4.4.1

  • fix: user search list on stats (#​2211) [Daniel Vaz Gaspar]
  • fix: performance issues on user and roles list (#​2209) [Daniel Vaz Gaspar]

v4.4.0

  • chore(deps): bump the github-actions group with 4 updates (#​2201) [dependabot[bot]]
  • fix: python versions setup.py (#​2204) [Daniel Vaz Gaspar]
  • ci: refactor requirements structure and improve dependabot config (#​2198) [Daniel Vaz Gaspar]
  • chore(deps): bump jinja2 from 3.0.3 to 3.1.3 (#​2180) [dependabot[bot]]
  • fix: authentik test (#​2199) [Daniel Vaz Gaspar]
  • feat: Added authentik as new identity provider (#​2168) [Jasper Schoenmaker]
  • chore(deps): bump requests from 2.26.0 to 2.31.0 (#​2050) [dependabot[bot]]
  • docs: updated Flask-Babel link and fix typo (#​2166) [Gughanathan M]
  • chore: bump several non base dependencies (#​2197) [Daniel Vaz Gaspar]
  • fix: Increase upper bound on marshmallow-sqlalchemy (#​2191) [spike77453]
  • chore: remove email_validator constraint (#​2167) [Marcus Lim]
  • chore: Upgrade to Pillow 10.0.1 (#​2136) [Dosenpfand]
  • chore(docs): Update i18n.rst for Turkish (#​2187) [coteli]
  • chore: upgrade werkzeug and Flask, deprecate OpenID and MongoEngine (#​2196) [Daniel Vaz Gaspar]
  • feat: Turkish translations (#​2185) [coteli]
  • feat: AUTH_REMOTE_USER_ENV_VAR config key for auth REMOTE_USER type (#​2193) [Daniel Vaz Gaspar]
  • fix: don't load inactive users with sessions (#​2192) [Daniel Vaz Gaspar]

v4.3.11

  • fix: openID provider validation flow (#​2186) [Daniel Vaz Gaspar]
  • feat: support Auth0 OAuth2 (#​2171) [Daniel Vaz Gaspar]

v4.3.10

  • fix: azure keep using upn if exists (#​2163) [Daniel Vaz Gaspar]
  • docs: Update shield of supported Python versions (#​2156) [Dosenpfand]
  • docs: update security policy (#​2155) [Daniel Vaz Gaspar]
  • docs: improve LDAP auth auth_roles_mapping (#​2149) [Daniel Vaz Gaspar]
  • docs: Update security docs to reflect LDAP casing issues (#​2098) [Anders Bogsnes]
  • fix: old API api column edit (#​2134) [Daniel Vaz Gaspar]
  • chore: add bootstrap min map (#​2148) [Daniel Vaz Gaspar]
  • chore: Add support for Python 3.10, 3.11, 3.12 and drop 3.7 (#​2147) [Dosenpfand]
  • chore: use npm for all frontend dependencies (#​2144) [Daniel Vaz Gaspar]

v4.3.9

  • ci: create release script (#​2142) [Daniel Vaz Gaspar]
  • fix: wtforms compat on 3.1.0 (#​2138) [Daniel Vaz Gaspar]
  • docs: fix RTD config requirements (#​2140) [Daniel Vaz Gaspar]
  • docs: fix RTD config (#​2139) [Daniel Vaz Gaspar]
  • docs: add RTD required config (#​2135) [Daniel Vaz Gaspar]

v4.3.8

  • fix: filter list UI spacing between elements (#​2128) [Daniel Vaz Gaspar]
  • fix: add github sponsor (#​2130) [Daniel Vaz Gaspar]
  • docs: add github sponsor (#​2129) [Daniel Vaz Gaspar]
  • fix: swagger include js and css on static (#​2127) [Daniel Vaz Gaspar]
  • fix: Remove erroring endpoint "/login//" from AuthOAuthView (#​2120) [David Kalamarides]
  • fix: azure user info claims and JWT decode (#​2121) [Daniel Vaz Gaspar]
  • fix: Validate Azure JWTs using authlib (#​2112) [Daniel Wolf]
  • docs(typo): "preform" -> "perform" x4 (#​2123) [Sam Firke]

v4.3.7

  • fix: swagger missing nonce (#​2116) [Daniel Vaz Gaspar]

v4.3.6

  • fix: increase email field length (#​2102) [Daniel Vaz Gaspar]

v4.3.5

  • fix: release tests exclusion (#​2093) [Daniel Vaz Gaspar]
  • fix: make deletion in quicktemplates example work again (#​2088) [Fabian Halkivaha]
  • fix: MVC form action, broken reset my password (#​2091) [Daniel Vaz Gaspar]
  • chore: dont add 'tests' package to wheel (#​2087) [cwegener]
  • chore(deps): bump pygments from 2.13.0 to 2.15.0 (#​2089) [dependabot[bot]]

v4.3.4

  • fix: select filters spacing, theme and operation select (#​2079) [Daniel Vaz Gaspar]
  • refactor: Refactored logging functions to consistently use lazy interpolation (#​2071) [Bruce]
  • feat: add optional flask-talisman and use csp nonce on scripts (#​2075) [Daniel Vaz Gaspar]
  • chore: improve tests and test data load (#​2072) [Daniel Vaz Gaspar]

v4.3.3

  • fix: marshmallow enum by value keep compatibility (#​2067) [Daniel Vaz Gaspar]
  • fix: marshmallow new min version to 3.18 (#​2066) [Daniel Vaz Gaspar]
  • fix: select2-ajax-widget (#​2052) [Nadir Can Kavkas]
  • chore: remove marshmallow-enum dependency (#​2064) [Daniel Vaz Gaspar]
  • fix: Double escaping for next param in login with oauth (#​2053) [Aleksandr Musorin]
  • chore: remove RemovedInMarshmallow4 warnings (#​2024) [Sebastian Liebscher]
  • docs: Update docs/security.rst with Windows LDAP working Example (#​2026) [verschlimmbesserer]
  • fix(translations): better translation of the pt_BR language (#​2061) [Lucas Gonzalez de Queiroz]
  • fix: broken link to config.py template (#​2056) [Alex Gordienko]
  • fix: user registration menu name (#​2051) [Daniel Vaz Gaspar]

v4.3.2

  • fix: CRUD MVC log message (#​2045) [Daniel Vaz Gaspar]
  • fix: deprecated method for getting value on select2 (#​2039) [Viacheslav]
  • chore: bump Flask and werkzeug (#​2034) [Daniel Vaz Gaspar]
  • ci: improve codeql configuration (#​2032) [Daniel Vaz Gaspar]
  • ci: add codeQL analysis (#​2031) [Daniel Vaz Gaspar]
  • fix: cli create app ask for initial secret key (#​2029) [Daniel Vaz Gaspar]
  • fix: using base_filters with FilterEqualFunction not working for relation fields (#​2011) [ThomasP0815]
  • ci: bump ubuntu version, remove mockldap (#​2013) [Daniel Vaz Gaspar]

v4.3.1

  • fix: openID provider validation flow (#​2186) [Daniel Vaz Gaspar]
  • feat: support Auth0 OAuth2 (#​2171) [Daniel Vaz Gaspar]

v4.3.0

  • fix: disable rate limit by default (#​1999) [Daniel Vaz Gaspar]
  • fix: auth rate limit docs and default rate (#​1997) [Daniel Vaz Gaspar]
  • feat: Add rate limiter (#​1976) [bolkedebruin]
  • docs: Updated LDAP Documentation (#​1988) [Alissa Gerhard]
  • fix: Save next URL on failed login attempt (#​1936) [Dosenpfand]
  • fix: select2 theme use bootstrap (#​1995) [Daniel Vaz Gaspar]
  • fix: CI broken by pyodbc vs unixodbc (#​1996) [Daniel Vaz Gaspar]

v4.2.1

  • ci: fix pyodbc install failure (#​1992) [Daniel Vaz Gaspar]
  • fix: Remove unused parameter from QuerySelectMultipleField instantiation (#​1991) [Dosenpfand]
  • fix: Make sure user input is not treated as safe in the oauth view (#​1978) [Glenn Schuurman]
  • fix: don't use root logger on safe decorator (#​1990) [Igor Khrol]
  • chore: upgrade Font Awesome to version 6 (#​1979) [Daniel Vaz Gaspar]

v4.2.0

  • feat: add opt-in outer default load option to model REST API (#​1971) [Daniel Vaz Gaspar]
  • chore: Add more type annotation to REST API module (#​1969) [Daniel Vaz Gaspar]
  • fix: upgrade Select2 to 4.0.13 (#​1968) [Nicola Gramola]
  • fix: REST API one-to-one relationship (#​1965) [Daniel Vaz Gaspar]
  • fix(api): _info HTTP 500 when exists a defined invalid search field (#​1963) [Daniel Vaz Gaspar]
  • chore: Use implicit default loading rather than explicit joined eager loading (#​1961) [John Bodley]
  • chore: Increase upper-bound on apispec (#​1903) [Tomáš Drtina]
  • fix: replace deprecated attachment_filename (#​1956) [Steve Embling]

v4.1.6

  • feat: add utility method on SM for fetching all roles and perms for a user (#​1950) [Daniel Vaz Gaspar]

v4.1.5

  • fix: HTML label IDs for db and ldap login (#​1935) [Dosenpfand]
  • fix: OAuth state parameter (#​1932) [Daniel Vaz Gaspar]
  • docs: Fix a few typos (#​1929) [Tim Gates]
  • chore: Update compiled german translation, delete backup file (#​1928) [Dosenpfand]
  • fix: addon managers import (#​1920) [Daniel Vaz Gaspar]

v4.1.4

  • chore: Redirect to prev url on login for AuthRemoteUserView (#​1901) [Alexander Ryndin]
  • chore: Bump upper bounds on wtforms and flask-wtf (#​1904) [Tomáš Drtina]
  • fix(mvc): related model view setting default related field value (#​1898) [Daniel Vaz Gaspar]
  • fix: DateTimePicker rendering in forms (#​1698) [Federico Padua]
  • test(fab_cli): tag tests that need internet so they can be skipped (#​1880) [jnahmias]
  • fix: fix a wrong 'next' URL in javascript (#​1897) [Sansarun Sukawongviwat]
  • chore: allow authlib > 1 updated docs (#​1891) [Daniel Vaz Gaspar]
  • docs: fix oauth example config (#​1890) [Daniel Vaz Gaspar]
  • docs: fix oauth example config (#​1889) [Daniel Vaz Gaspar]

v4.1.3

  • fix: user stats view search (#​1887) [Daniel Vaz Gaspar]
  • fix: Do not render hidden form fields twice (#​1848) [Dosenpfand]
  • chore: Bump requirements pillow version, remove PIL from doc (#​1873) [Dosenpfand]
  • fix: custom menu option (#​1884) [Daniel Vaz Gaspar]
  • fix: FAB_INDEX_VIEW type check (#​1883) [Daniel Vaz Gaspar]
  • fix(api): register responses with apispec using components.response() (#​1881) [jnahmias]
  • docs: add responsible disclosure text to security (#​1882) [Daniel Vaz Gaspar]
  • chore: Improve german translation (#​1872) [Dosenpfand]
  • fix: populating permission and vm instead of just setting the id (#​1874) [Zef Lin]

v4.1.2

  • fix: remove sqlite dbs from examples (#​1853) [Daniel Vaz Gaspar]
  • fix(MVC): discard excluded filters from query (#​1862) [Daniel Vaz Gaspar]

v4.1.1

  • fix: custom security class import, bad cast (#​1851) [Daniel Vaz Gaspar]
  • fix: Set certificates before reconnecting to LDAP (#​1846) [Sebastian Bernauer]

v4.1.0

  • docs: add FAB_ADD_SECURITY_API config option (#​1840) [Daniel Vaz Gaspar]
  • feat: add keycloak auth provider options (#​1832) [nilivingston]
  • docs: add Azure OAUTH example (#​1837) [Mathew Wicks]
  • fix: security api (#​1831) [Daniel Vaz Gaspar]
  • fix: dependency constraints, bump flask-login, flask-wtf (#​1838) [Daniel Vaz Gaspar]
  • fix: noop user update on Auth db, use set user model (#​1834) [Daniel Vaz Gaspar]
  • chore: bump postgres to 14 (#​1833) [Daniel Vaz Gaspar]
  • chore: Update and fix german translation (#​1827) [Dosenpfand]
  • chore: Enhance is_safe_redirect_url (#​1826) [Geido]
  • feat: Add CRUD apis for role, permission, user (#​1801) [Mayur]
  • docs: updated brackets in OAuth Authentication (#​1798) [David Berg]
  • chore: add Slovenian language (#​1828) [dkrat7]
  • fix: doc requirements (#​1820) [Daniel Vaz Gaspar]

v4.0.0

  • chore: major bumps Flask, Click, PyJWT and flask-jwt-extended (#​1817) [Daniel Vaz Gaspar]
    [Breaking changes]

v3.4.5

  • test: Add test for export-roles --indent's argument “duck casting” to int (#​1811) [Étienne Boisseau-Sierra]
  • fix: next url on login (OAuth, OID, DB) (#​1804) [Daniel Vaz Gaspar]
  • docs: Update doc i18 to flask_babel (#​1792) [Federico Padua]
  • feat(cli): allow export-roles to be beautified (#​1724) [Étienne Boisseau-Sierra]

v3.4.4

  • fix: Support SQLAlchemy 1.4.X (#​1786) [Daniel Vaz Gaspar]
  • feat: allow multiple values for the same filter (#​1737) [Will Rogers]
  • fix: Only update user.last_login on successful authentication (#​1775) [blag]
  • chore: update jsonschema pip package (#​1782) [Hugh A. Miles II]

v3.4.3

  • fix: openapi on and off config flag (#​1770) [Daniel Vaz Gaspar]
  • fix: data not defined in azure oauth (#​1769) [Dalton Pearson]
  • fix: Handle authorize_access_token exception (#​1766) [Michał Konarski]
  • fix: Set role and confirm password while adding user mandatory (#​1758) [Mayur]
  • fix: required roles on user form not showing error msg (#​1772) [Daniel Vaz Gaspar]
  • fix: make servers be actual servers on swagger, full endpoint paths (#​1773) [Daniel Vaz Gaspar]
  • docs: adds missing config key FAB_OPENAPI_SERVERS (#​1776)

v3.4.2

  • chore: Use assertEqual instead of assertEquals for Python 3.11 compatibility (#​1763) [Karthikeyan Singaravelan]
  • chore: improve code quality and balance (#​1761) [Daniel Vaz Gaspar]

v3.4.1

  • feat: Adding role_keys into Azure OAuth (#​1744) [Michael Yee]
  • docs: Fix small documentation issues (#​1755) [Dosenpfand]
  • fix: 1154 Add LOGOUT_REDIRECT_URL setting (#​1749) [blag]
  • fix: optional unauthorized status codes (#​1753) [Daniel Vaz Gaspar]
  • docs: Fix indentation of function content (#​1752) [akettmann-e24]
  • fix: optionally return HTTP 403 instead of 401 when unauthorized (#​1748) [Daniel Vaz Gaspar]
  • chore: Redirect to prev url on login (#​1747) [Geido]
  • docs: add aws cognito setup code examples (#​1746) [Pin Jin]
  • fix: Added sr-only class to icon only links (#​1727) [Thomas Stivers]
  • chore: [Deprecation] Use Markup instead of HTMLString (#​1729) [Andrey Polegoshko]

v3.4.0

  • chore: pin down WTForms (#​1735) [Daniel Vaz Gaspar]
  • fix: ModuleNotFoundError from wtforms 3.0.0 (#​1733) [Ke Zhu]
  • fix: add .env for docker-compose (#​1728) [Daniel Vaz Gaspar]
  • fix: OAuth login flow (#​1707) [Daniel Vaz Gaspar]

v3.3.4

  • chore: improve tests more coverage (#​1713) [Daniel Vaz Gaspar]
  • docs: fix requirements funcparserlib (#​1703) [Daniel Vaz Gaspar]
  • chore: improve schema validation (#​1712) [Daniel Vaz Gaspar]
  • chore: bump dependencies (#​1697) [Daniel Vaz Gaspar]
  • docs: fix requirements (#​1702) [Daniel Vaz Gaspar]
  • docs: fix issue 1700 (#​1701) [Federico Padua]

v3.3.3

  • fix: related filters with bogus data (#​1695) [Daniel Vaz Gaspar]
  • chore: Bump flask-openid to 1.3.0 (#​1693) [Daniel Vaz Gaspar]
  • chore: bump JQuery to 3.6.0 (#​1688) [Daniel Vaz Gaspar]
  • chore: bump prison version (#​1689) [Beto Dealmeida]
  • feat: password complexity option on DB Auth (#​1687) [Daniel Vaz Gaspar]
  • fix: check if there is an email field in userinfo (#​1663) [Yoshitaka Sakurai]

v3.3.2

  • fix: improve next URL on OAuth (#​1668) [Daniel Vaz Gaspar]
  • chore: Bump click to 8.0.1 (#​1665) [Hugh A. Miles II]
  • feat(cli): Add import/export of roles with permissions (#​1662) [krsnik93]

v3.3.1

  • fix: Handle integrity fails if groups map to same roles (#​1605) [Fred Thomsen]
  • refactor: OAuth - redirect direct to provider if just one provider exists (#​1618) [hyunjong.lee]
  • feat: Allow using custom Swagger template for SwaggerView. (#​1639) [Cristòfol Torrens]
  • chore: Remove polyfill shims for browsers no longer supported (#​1606) [Ryan Hamilton]
  • docs: Missing self reference for my_custom (#​1651) [Marek Šuppa]
  • fix: add warning text to roles when AUTH_ROLES_SYNC_AT_LOGIN (#​1642) [Daniel Vaz Gaspar]

v3.3.0

  • fix: auth balance (#​1634) [Daniel Gaspar]
  • feat: Support for conditional menu item rendering (#​1631) [Ben Reinhart]
  • docs: fix number of languages in i18n.rst (#​1630) [Aleksandr Gordienko]
  • feat: Add support for before_request hooks (#​1629) [Ben Reinhart]
  • docs: Typos and small changes in docs/templates.rst (#​1625) [Federico Padua]

v3.2.3

  • fix: improve performance for get role permissions (#​1624) [Daniel Gaspar]
  • feat: get user permissions API (#​1620) [Daniel Gaspar]
  • fix: Ignore LDAP search referrals (#​1602) [Fred Thomsen]
  • fix: relax AzureAD mandatory fields (#​1608) [hyunjong.lee]

v3.2.2

  • docs: fix, errors in BaseModelView docstring (#​1591) [Xiaodong DENG]
  • fix: load user info for okta (#​1589) [QP Hou]

v3.2.1

  • docs: improve contributing run single test (#​1579) [Daniel Vaz Gaspar]
  • fix: sqlalchemy 1.4.0 breaking changes (#​1586) [Daniel Vaz Gaspar]

v3.2.0

  • fix: issue 1469 error in filters (#​1541) [Duy Nguyen Hoang]
  • fix: showing excluded routes in server log (#​1565) [runoutnow]
  • refactor: AUTH_LDAP/AUTH_OAUTH + implement role mapping (#​1374) [Mathew Wicks]
  • fix(api): OpenAPI spec of nested components without auto generated names (#​1547) [Daniel Vaz Gaspar]
  • fix(mvc): action confirmation on single show view (#​1539) [Daniel Vaz Gaspar]
  • docs: improve docs around LDAP auth (#​1526) [Daniel Vaz Gaspar]
  • ci: tests for python 3.8 and 3.9 (#​1525) [Daniel Vaz Gaspar]
  • docs: fix, swagger path in readme (#​1518) [Felix Rilling]
  • fix: oauth #​1511 (#​1522) [Daniel Vaz Gaspar]
  • fix: github actions (#​1523) [Daniel Vaz Gaspar]
  • fix: changelog (#​1507) [Daniel Vaz Gaspar]

v3.1.1

  • fix: MVC order by related column use alias (#​1504) [Daniel Vaz Gaspar]
  • fix: remove unnecessary CSS class/styling from dropdowns (#​1503) [Ryan Hamilton]
  • deps: constraint pre 1 packages following semver (#​1502) [Daniel Vaz Gaspar]
  • fix: MVC order by on relation (#​1500) [Daniel Vaz Gaspar]
  • docs: add github actions badge (#​1501) [Daniel Vaz Gaspar]
  • fix: remove unnecessary classes from dropdowns (#​1491) [Ryan Hamilton]
  • ci: migrate from travis to github actions (#​1497) [Daniel Vaz Gaspar]
  • fix: lint (#​1498) [Daniel Vaz Gaspar]
  • fix: Improve UX by moving drop-down caret within clickable target (#​1492) [Ryan Hamilton]
  • style: use a clearer visual representation for "delete" actions (#​1495) [Ryan Hamilton]
  • fix: "actions" on ModelViews with composite primary keys (#​1493) [Ash Berlin-Taylor]
  • docs: migrate examples/quickhowto3 to version 3.x.x (#​1488) [luizduma]
  • fix: REST API inner joins eager loading (#​1486) [Daniel Vaz Gaspar]

v3.1.0

  • Fix, sanitize the uploaded filename (#​1482)
  • Fix, add missing font file format for glyphicons (#​1483)
  • Docs, Remove incorrect possessive. list's => lists. (#​1476)
  • Fix, select2 readonly not working (#​1467)
  • Fix, improve type annotations on SQLAlchemy (#​1458)
  • New, Support for OpenShift OAuth (#​1454)
  • Fix, remove unnecessary strict option from schemas (#​1466)
  • Fix, check if locale exists before loading it (#​1460)
  • Fix, Update SQLAlchemy query for count_users (#​1445)
  • Docs, Contributing (#​1440)
  • Docs, improve, help contributions (#​1438)

v3.0.1

  • Fix, google charts (#​1431)
  • Fix, del permission assertion on roles (#​1434)

v3.0.0

  • Fix, swagger test (#​1423)
  • Fix, change openapi tags and swagger access URL (breaking) (#​1422)
  • Fix, replace deprecated flask-oauthlib with authlib (#​1411)
  • Refactor, interface query on m-m joins and select specific columns (#​1398)
  • Fix, docs on has_view_access (#​1419)
  • New, Examples/react api (#​1071)
  • Fix, action confirmation disabling (#​1408)
  • New, add API descriptions and examples to OpenAPI spec (#​1396)
  • New, Dynamic user registration role (#​1410)
  • Fix, typos and improved bit of the German translation (#​1406)
  • New, Added Dutch language to docs (#​1393)
  • New, Added Dutch translation (#​1387)
  • Fix, load options and limits for many to many truncating results (#​1389)
  • Fix, SQLAlchemyAutoSchema needs marshmallow-sqlalchemy>=0.22.0 (#​1392)
  • New, [api] support marshmallow 3 (#​1334)
  • Fix, hardcoded url on oauth (#​1331)
  • Fix, [examples] Update models.py (#​1380)
  • Fix: add a panel body to panel_begin/panel_end macros (#​1377)
  • Fix, name column resizing in ab_view_menu table #​1367 (#​1368)
  • Fix, typos in the documentation (#​1375)

v2.3.4

  • Fix, [api] SQL selects and many to many joins (#​1361)
  • Fix, [frontend] Revert "Bump jQuery to 3.5 (#​1351)" (#​1363)

v2.3.3


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
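The timing side channel described under CVE-2021-29621 and CVE-2022-21659 above, shown as an added example; it is not Flask-AppBuilder's code. It stands in for the real password hasher with hashlib.pbkdf2_hmac, uses a constructed one-user table, and applies the usual fix: when the username is unknown, verify the submitted password against a dummy hash anyway so both branches cost the same. The names login_vulnerable, login_fixed, USERS and ITERATIONS are this example's own.

```python
# Added example, not Flask-AppBuilder code. Demonstrates how a database login
# leaks whether a username exists through response time, and the usual fix.
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # password hashing is deliberately slow; that cost is the leak


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 (stand-in for the real hasher)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed user table for the example: username -> (salt, digest)
USERS = {"alice": hash_password("correct horse battery staple")}


def login_vulnerable(username, password):
    """Unknown users are rejected before any hashing; known users pay for a hash."""
    record = USERS.get(username)
    if record is None:
        return False          # fast path: microseconds instead of tens of milliseconds
    return verify_password(password, *record)


# Dummy credential created once at startup; an unknown user is verified
# against it so the failure path does the same work as the real one.
_DUMMY = hash_password(os.urandom(32).hex())


def login_fixed(username, password):
    salt, digest = USERS.get(username, _DUMMY)
    matched = verify_password(password, salt, digest)
    # The dummy can never authenticate anyone, even if the digest matched.
    return matched and username in USERS


def mean_seconds(fn, *args, rounds=3):
    """Average wall-clock time of fn(*args) over a few rounds."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for label, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        known = mean_seconds(fn, "alice", "not-the-password")
        unknown = mean_seconds(fn, "nobody", "not-the-password")
        print(f"{label:10s} known user {known * 1e3:7.2f} ms   "
              f"unknown user {unknown * 1e3:7.2f} ms")
```

Running the script prints the two timings per variant: with login_vulnerable the unknown-user case returns orders of magnitude faster than the known-user case, which is all an attacker needs to confirm account names; with login_fixed the two are indistinguishable. The hmac.compare_digest call only closes the much smaller comparison-time channel; the dummy hash is what removes the enumeration.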

@renovate renovate bot added the renovate label Apr 21, 2024
@renovate renovate bot force-pushed the renovate/master-pypi-flask-appbuilder-vulnerability branch from 4f7452b to 5d20490 Compare September 4, 2024 19:12
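The open redirect through the next parameter described under CVE-2021-32805 and CVE-2022-24776 above, as an added example of the check a login view needs before honouring next. This is not Flask-AppBuilder's own is_safe_redirect_url; the function names and the host_url value (which in a Flask app would come from request.host_url) are assumptions of the example, and the candidate URLs in the usage block are constructed.

```python
# Added example, not Flask-AppBuilder code. Validates a ?next= value so that a
# login view only ever redirects back into the application itself.
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = ("http", "https")


def resolve_next(next_url, host_url):
    """Resolve next_url against the app's own base URL (e.g. request.host_url).

    Backslashes are normalised to slashes first: browsers treat "/\\evil.example"
    as "//evil.example", a protocol-relative URL pointing at another host.
    """
    return urljoin(host_url, next_url.replace("\\", "/"))


def is_safe_redirect_url(next_url, host_url):
    """True only if the resolved target keeps the app's scheme and host."""
    if not next_url:
        return False
    target = urlparse(resolve_next(next_url, host_url))
    base = urlparse(host_url)
    return (
        target.scheme in ALLOWED_SCHEMES
        and target.scheme == base.scheme   # no https -> http downgrade
        and target.netloc == base.netloc   # same host and port
    )


def safe_next(next_url, host_url, default="/"):
    """Return the resolved URL to redirect to, or default when next is unsafe.

    The resolved form is returned rather than the raw parameter so that an
    input like "https:evil.example" (no slashes) is sent to the browser as
    "https://app.example/evil.example" instead of being re-parsed by the
    browser as a different host.
    """
    if is_safe_redirect_url(next_url, host_url):
        return resolve_next(next_url, host_url)
    return default


if __name__ == "__main__":
    host = "https://app.example/"   # constructed application base URL
    for candidate in ("/dashboard", "//evil.example/", "https://evil.example/",
                      "javascript:alert(1)", "\\\\evil.example", "https:evil.example",
                      "http://app.example/"):
        print(f"{candidate!r:28} -> {safe_next(candidate, host)}")
```

The same host check is what the workaround quoted above ("filter traffic whose next-site domain differs from the application") asks a proxy to do; doing it in the application is more reliable because the proxy cannot see how the browser will re-parse odd forms such as backslashes or scheme-without-slashes, whereas the resolved URL returned here is unambiguous.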
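Rate limiting of the login endpoint, which CVE-2023-29005 above says is available in Flask-AppBuilder from 4.3.0 and otherwise recommended at a reverse proxy, as an added example of what such a limiter does. This is this example's own sliding-window implementation, not flask-limiter or Flask-AppBuilder code; the limit of 5 attempts per 40 seconds, the key of client address plus username, and the plaintext credential table are constructed assumptions. The clock is injectable so the window can be exercised without waiting.

```python
# Added example, not Flask-AppBuilder or flask-limiter code. A sliding-window
# limiter on login attempts, keyed by client address and username.
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, limit=5, window_seconds=40, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock                  # injectable for tests
        self._hits = defaultdict(deque)     # key -> attempt timestamps in window

    def hit(self, key):
        """Record one attempt for key; return False once the limit is exceeded.

        Denied attempts are recorded too, so a client that keeps hammering
        stays blocked until it backs off for a full window.
        """
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                     # drop timestamps outside the window
        q.append(now)
        return len(q) <= self.limit


# Constructed credential store for the example (plaintext only for brevity;
# a real store holds salted hashes).
CREDENTIALS = {"alice": "correct horse battery staple"}

limiter = LoginRateLimiter()


def attempt_login(client_ip, username, password, limiter=limiter):
    """Return "rate_limited", "invalid" or "ok".

    Keying by (address, username) bounds each source's guesses per account
    without letting one noisy address lock every user out.  Behind a reverse
    proxy the address must be taken from a header the proxy is trusted to set
    (e.g. X-Forwarded-For), otherwise the key is attacker-chosen.
    """
    if not limiter.hit((client_ip, username.lower())):
        return "rate_limited"
    if CREDENTIALS.get(username) != password:
        return "invalid"                    # same answer whether or not the user exists
    return "ok"


if __name__ == "__main__":
    for i in range(7):
        print(i + 1, attempt_login("203.0.113.7", "alice", f"guess{i}"))
```

Counting every attempt rather than only failures mirrors how a request-rate limit on the login route behaves; a per-account lockout across all addresses is a separate control and is still needed against a distributed spray of one account.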