Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: revert back to use security manager authz for dashboard when get by uuid #23330

Merged
merged 15 commits into from
Mar 16, 2023

Conversation

zephyring
Copy link

@zephyring zephyring commented Mar 11, 2023

SUMMARY

The patch breaks some folks functionality around report schedule for draft dashboard, permalink. This PR should:

  1. bring back access check from security manager when getting dashboard by id_or_slug.
  2. don't apply Dashboard base filter if it's getting by uuid.
  3. dashboard create permalink should use the uuid. This allows whoever has permalink to be able to access dashboard after access check from security manager.
  4. update report execution to use the dashboard uuid link rather than the int link.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@zephyring zephyring changed the title Zef/dashboard UUID authz fix: revert back to use security manager authz for dashboard when get by uuid Mar 11, 2023
@zephyring zephyring marked this pull request as ready for review March 13, 2023 16:58
@codecov
Copy link

codecov bot commented Mar 13, 2023

Codecov Report

Merging #23330 (3a1e788) into master (b99d38d) will increase coverage by 1.76%.
The diff coverage is 84.75%.

❗ Current head 3a1e788 differs from pull request most recent head c117aaa. Consider uploading reports for the commit c117aaa to get more accurate results

@@            Coverage Diff             @@
##           master   #23330      +/-   ##
==========================================
+ Coverage   65.81%   67.58%   +1.76%     
==========================================
  Files        1910     1907       -3     
  Lines       73471    73507      +36     
  Branches     7975     7977       +2     
==========================================
+ Hits        48357    49677    +1320     
+ Misses      23065    21782    -1283     
+ Partials     2049     2048       -1     
Flag Coverage Δ
hive 52.76% <40.17%> (-0.01%) ⬇️
mysql 78.45% <83.92%> (?)
postgres 78.52% <84.82%> (+0.03%) ⬆️
presto 52.68% <40.17%> (?)
python 82.30% <92.85%> (+3.56%) ⬆️
sqlite 77.00% <83.92%> (+0.03%) ⬆️
unit 52.48% <54.46%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...rt-controls/src/shared-controls/customControls.tsx 17.39% <0.00%> (ø)
...-core/src/hooks/useChangeEffect/useChangeEffect.ts 100.00% <ø> (ø)
...hooks/useComponentDidMount/useComponentDidMount.ts 100.00% <ø> (ø)
...oks/useComponentDidUpdate/useComponentDidUpdate.ts 100.00% <ø> (ø)
...src/hooks/useElementOnScreen/useElementOnScreen.ts 100.00% <ø> (ø)
...erset-ui-core/src/hooks/usePrevious/usePrevious.ts 100.00% <ø> (ø)
...re/src/hooks/useTruncation/useCSSTextTruncation.ts 100.00% <ø> (ø)
...c/hooks/useTruncation/useChildElementTruncation.ts 100.00% <ø> (ø)
...d/src/SqlLab/components/AceEditorWrapper/index.tsx 59.25% <ø> (ø)
...frontend/src/SqlLab/components/ResultSet/index.tsx 62.65% <ø> (ø)
... and 117 more

... and 62 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

dashboard = query.one_or_none()
except ValueError:
# if it's slug or uuid, which is more specific, just get it
dashboard = Dashboard.get(id_or_slug)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will not apply any security settings in here

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the check from security manager will still apply at below, as the base defense line, even though we have the cls.base_filter applied on int id.

Copy link
Member

@dpgaspar dpgaspar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, can you add an integration test for the API where the request by uuid?

@@ -41,21 +42,28 @@ class DashboardDAO(BaseDAO):

@classmethod
def get_by_id_or_slug(cls, id_or_slug: Union[int, str]) -> Dashboard:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we change this method name to get_by_id_slug_or_uuid?

Copy link
Author

@zephyring zephyring Mar 16, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe a better naming could just be get_by_identifier but it could touches too many files if we want to change every id_or_slug to identifier. Note that uuid is also id in general though. So I think this naming should be fine.

except ValueError:
return False


def id_or_slug_filter(id_or_slug: Union[int, str]) -> BinaryExpression:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we change this method name also?

@pull-request-size pull-request-size bot added size/L and removed size/M labels Mar 16, 2023
@dpgaspar dpgaspar merged commit 870bf6d into apache:master Mar 16, 2023
@dpgaspar dpgaspar deleted the zef/dashboard_uuid_authz branch March 16, 2023 15:27
@mistercrunch mistercrunch added the 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels label Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/L 🚢 3.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants