-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: allow POST chart/data request without CSRF token #17429
Conversation
Codecov Report
@@ Coverage Diff @@
## master #17429 +/- ##
==========================================
- Coverage 77.04% 76.96% -0.08%
==========================================
Files 1041 1041
Lines 56073 56073
Branches 7738 7738
==========================================
- Hits 43201 43157 -44
- Misses 12614 12658 +44
Partials 258 258
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
OK, but where is the new test case to prevent bugs like these In the future? If I missed it how the next developer who try to improve our product will not missed it? |
If you'd rather we fix by reverting the breaking PR, i'm happy to do that too. Ideally, tests should be added prior to refactors so that the refactors don't cause issues. In this case, all I honestly have time to do is fix the bug (I'm on PTO today). We can either fix forward (this PR) or revert back to the functional state. Happy to do either, but regardless it needs to be fixed. |
/testenv up |
@etr2460 Ephemeral environment spinning up at http://35.86.99.89:8080. Credentials are |
So revert the code and keep the bad state of the code that no one can understand and no one has the courage to improve it... Please don't take it personally but when you fix a bug without adding a test is the same as adding a new feature without any tests. |
Unfortunately #17400 doesn't revert cleanly (probably because of other PRs stacked on top of it). As you say, reverting is probably the best way to resolve the issue, but as i'm both unfamiliar with the code and the changes stacked on top of it, it's not really feasible for me to dig in today. If we feel reverting is the right option going forward, feel free to stack this change as part of the revert. To unbreak master for now, I'll make this fix, and hopefully will be able to follow up with a test (although I can't guarantee anything, as this would essentially be testing that Flask-WTForms does what it's supposed to and i'm not really sure how best to test the functionality of a dependency).
Personally I disagree. This PR fixes a recent breakage on the master branch that would block any future releases of Superset. Obviously having tests for the code is better than not, but I'd say having a functional product without tests is better than a non-functional one (also without tests). |
Ephemeral environment shutdown and build artifacts deleted. |
Thanks for the fix @etr2460 . We've been seeing similar regressions in other PRs lately, many of which I've unfortunately been party to, either as an author or reviewer. I think it's important for everyone to accept that the state of test coverage is what it is, and we need to do our best to
I agree with @ofekisr that it's a tall order to expect every developer to have full understanding of what side-effects a code change can have. If this is an implicit requirement (=having full understanding of what breakage may occur despite CI being green), then it will become increasingly difficult for new community contributions to get through the review pipeline. Regarding this regression, optimally #10397 that originally introduced the functionality would have added an integration test that made sure the endpoint works without CSRF tokens (in hindsight, as a reviewer, I should have pushed for that). But in the meantime, whenever we do refactors to code that may be dangerous, it's probably a good idea to request reviews from additional people who may have more context, along with a very detailed PR description and targeted questions (e.g. "are there any known consequences of moving the x endpoint from palce A to B?") to make it easier for reviewers to jump in and not have to spend considerable time parsing the intent of the PR. Having said that, I'm happy to start coordinating an effort to add test coverage to code that has either 1) been subject to a regression 2) is known to have a high risk of regressions due to lacking test coverage. Ping @john-bodley @junlincc |
SUMMARY
#17400 broke requesting chart data without providing a CSRF token. This config change should fix it
TESTING INSTRUCTIONS
CI, I haven't tested yet, but will test with a testenv using
fetch
Testing in the test env:
The above request returns properly without the csrf token
ADDITIONAL INFORMATION
to: @ofekisr @amitmiran137 @serenajiang @john-bodley @villebro