diff --git a/UPDATING.md b/UPDATING.md
index de9588656cb..cbba76216bc 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -24,6 +24,7 @@ assists people when migrating to a new version.
 ## Next
+- [22022](https://github.com/apache/superset/pull/22022): HTTP API endpoints `/superset/approve` and `/superset/request_access` have been deprecated and their HTTP methods were changed from GET to POST
 - [21895](https://github.com/apache/superset/pull/21895): Markdown components had their security increased by adhering to the same sanitization process enforced by Github. This means that some HTML elements found in markdowns are not allowed anymore due to the security risks they impose. If you're deploying Superset in a trusted environment and wish to use some of the blocked elements, then you can use the HTML_SANITIZATION_SCHEMA_EXTENSIONS configuration to extend the default sanitization schema. There's also the option to disable HTML sanitization using the HTML_SANITIZATION configuration but we do not recommend this approach because of the security risks. Given the provided configurations, we don't view the improved sanitization as a breaking change but as a security patch.
 ## 1.5.2
diff --git a/superset/views/core.py b/superset/views/core.py
index 7a244fd2782..863f75f004a 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -272,8 +272,14 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
 @has_access
 @event_logger.log_this
- @expose("/request_access/")
+ @expose("/request_access/", methods=["POST"])
 def request_access(self) -> FlaskResponse:
+ logger.warning(
+ "%s.approve "
+ "This API endpoint is deprecated and will be removed in version 3.0.0",
+ self.__class__.__name__,
+ )
+
 datasources = set()
 dashboard_id = request.args.get("dashboard_id")
 if dashboard_id:
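Review bot: The deprecation message added at the top of `request_access` labels the endpoint `%s.approve`, so this route will log as `Superset.approve` and be indistinguishable from the warning emitted by the real `approve` method in the next hunk; the first literal should read `"%s.request_access "`. The same three-line message body is now duplicated verbatim in both methods, which is how the label drifted — a module-level constant for the message, or a small `_log_deprecated_endpoint(name)` helper called from both, would keep them in step. The body of `request_access` continues past the end of this hunk.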
@@ -315,7 +321,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
 @has_access
 @event_logger.log_this
- @expose("/approve")
+ @expose("/approve", methods=["POST"])
 def approve(self) -> FlaskResponse: # pylint: disable=too-many-locals,no-self-use
 def clean_fulfilled_requests(session: Session) -> None:
 for dar in session.query(DAR).all():
@@ -329,6 +335,12 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
 session.delete(dar)
 session.commit()
+ logger.warning(
+ "%s.approve "
+ "This API endpoint is deprecated and will be removed in version 3.0.0",
+ self.__class__.__name__,
+ )
+
 datasource_type = request.args["datasource_type"]
 datasource_id = request.args["datasource_id"]
 created_by_username = request.args.get("created_by")
diff --git a/tests/integration_tests/access_tests.py b/tests/integration_tests/access_tests.py
index 13febbd413c..b92b83c582a 100644
--- a/tests/integration_tests/access_tests.py
+++ b/tests/integration_tests/access_tests.py
@@ -304,7 +304,7 @@ class TestRequestAccess(SupersetTestCase):
 session.commit()
 access_requests = self.get_access_requests("gamma", "table", ds_1_id)
 self.assertTrue(access_requests)
- self.client.get(
+ self.client.post(
 EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
 )
 access_requests = self.get_access_requests("gamma", "table", ds_1_id)
@@ -343,7 +343,7 @@ class TestRequestAccess(SupersetTestCase):
 access_requests = self.get_access_requests("gamma", "table", ds_1_id)
 self.assertTrue(access_requests)
 # gamma2 request gets fulfilled
- self.client.get(
+ self.client.post(
 EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
 )
 access_requests = self.get_access_requests("gamma", "table", ds_1_id)
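Review bot: In the hunk at -329, `approve` is now POST-only but still reads `datasource_type`, `datasource_id` and `created_by` from `request.args`, so a client that moves the parameters into a form body — the natural thing to do after this change — gets a `KeyError`-derived 400 from `request.args["datasource_type"]` rather than the expected behaviour; the same presumably holds for `request_access` in the earlier hunk. If keeping the parameters in the query string is intentional it deserves a comment, e.g. `# NOTE: parameters stay in the query string (request.args); the POST body is not read`, and the UPDATING entry should say so alongside the method change. `approve` begins in the hunk at -315 and continues past the end of the -329 hunk.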
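Review bot: The test hunks at -304, -343 and -386 switch the call to `self.client.post(...)`, but nothing asserts that a GET to the same URL is now refused, so the method restriction that this change introduces is not pinned by any test. Adding in one of these cases `response = self.client.get(EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2))` followed by `self.assertEqual(response.status_code, 405)` would lock it in, assuming the router rejects the method before the view's decorators run. The POST response itself is also never checked, so a failing call would only surface indirectly through the later `get_access_requests` assertions. The enclosing test methods start before each hunk.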
@@ -386,7 +386,7 @@ class TestRequestAccess(SupersetTestCase):
 gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE))
 session.commit()
 # gamma2 request gets fulfilled
- self.client.get(
+ self.client.post(
 EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
 )
 access_requests = self.get_access_requests("gamma", "table", ds_1_id)