Fixing CSRF issues (#2569)

* 0.17.4

* Fixing CSRF issues

Since turning on CSRF across the site with Flask-WTF, a few POST requests
have been failing. This PR addresses these issues.
This commit is contained in:
Maxime Beauchemin
2017-04-07 10:57:31 -07:00
committed by GitHub
parent 3ed45ab98c
commit ddeabdd048
9 changed files with 29 additions and 23 deletions


@@ -5,7 +5,7 @@ import React from 'react';
import TabbedSqlEditors from './TabbedSqlEditors'; import TabbedSqlEditors from './TabbedSqlEditors';
import QueryAutoRefresh from './QueryAutoRefresh'; import QueryAutoRefresh from './QueryAutoRefresh';
import QuerySearch from './QuerySearch'; import QuerySearch from './QuerySearch';
import AlertsWrapper from './AlertsWrapper'; import AlertsWrapper from '../../components/AlertsWrapper';
import { bindActionCreators } from 'redux'; import { bindActionCreators } from 'redux';
import { connect } from 'react-redux'; import { connect } from 'react-redux';


@@ -7,7 +7,9 @@ import { Provider } from 'react-redux';
import thunk from 'redux-thunk'; import thunk from 'redux-thunk';
import { now } from '../modules/dates'; import { now } from '../modules/dates';
import { initEnhancer } from '../reduxUtils'; import { initEnhancer } from '../reduxUtils';
import AlertsWrapper from '../components/AlertsWrapper';
import { getControlsState, getFormDataFromControls } from './stores/store'; import { getControlsState, getFormDataFromControls } from './stores/store';
import { initJQueryAjaxCSRF } from '../modules/utils';
// jquery and bootstrap required to make bootstrap dropdown menu's work // jquery and bootstrap required to make bootstrap dropdown menu's work
@@ -15,6 +17,7 @@ const $ = window.$ = require('jquery'); // eslint-disable-line
const jQuery = window.jQuery = require('jquery'); // eslint-disable-line const jQuery = window.jQuery = require('jquery'); // eslint-disable-line
require('bootstrap'); require('bootstrap');
require('./main.css'); require('./main.css');
initJQueryAjaxCSRF();
const exploreViewContainer = document.getElementById('js-explore-view-container'); const exploreViewContainer = document.getElementById('js-explore-view-container');
const bootstrapData = JSON.parse(exploreViewContainer.getAttribute('data-bootstrap')); const bootstrapData = JSON.parse(exploreViewContainer.getAttribute('data-bootstrap'));
@@ -47,7 +50,10 @@ const store = createStore(exploreReducer, bootstrappedState,
ReactDOM.render( ReactDOM.render(
<Provider store={store}> <Provider store={store}>
<ExploreViewContainer /> <div>
<ExploreViewContainer />
<AlertsWrapper />
</div>
</Provider>, </Provider>,
exploreViewContainer exploreViewContainer
); );
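Review bot: `initJQueryAjaxCSRF()` is called at module top level with no comment on what it installs or what it reads, so a reader of this entry point cannot tell that every later `$.ajax` POST now depends on this line running first. Presumably it registers a jQuery `beforeSend` hook that reads the hidden `#csrf_token` input this commit moves into basic.html's `<head>`; if so, the call also depends on the bundle executing after that element has been parsed, which nothing here states. I would add `// Attach the CSRF token to non-GET jQuery requests; must run before any $.ajax call and after #csrf_token is in the DOM` above the call, and have the helper warn when the token element is missing rather than silently sending POSTs that the server will reject.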


@@ -1,6 +1,6 @@
{ {
"name": "superset", "name": "superset",
"version": "0.17.4rc5", "version": "0.17.4",
"description": "Superset is a data exploration platform designed to be visual, intuitive, and interactive.", "description": "Superset is a data exploration platform designed to be visual, intuitive, and interactive.",
"license": "Apache-2.0", "license": "Apache-2.0",
"directories": { "directories": {


@@ -1,5 +1,5 @@
import React from 'react'; import React from 'react';
import AlertsWrapper from '../../../javascripts/SqlLab/components/AlertsWrapper'; import AlertsWrapper from '../../../javascripts/components/AlertsWrapper';
import { describe, it } from 'mocha'; import { describe, it } from 'mocha';
import { expect } from 'chai'; import { expect } from 'chai';


@@ -1,3 +1,4 @@
/* global notify */
/* eslint global-require: 0 */ /* eslint global-require: 0 */
import $ from 'jquery'; import $ from 'jquery';
const d3 = window.d3 || require('d3'); const d3 = window.d3 || require('d3');
@@ -78,12 +79,8 @@ export function getShortUrl(longUrl, callback) {
success: (data) => { success: (data) => {
callback(data); callback(data);
}, },
error: (error) => { error: () => {
/* eslint no-console: 0 */ notify.error('Error getting the short URL');
if (console && console.warn) {
console.warn('Something went wrong...');
console.warn(error);
}
callback(longUrl); callback(longUrl);
}, },
}); });
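Review bot: The new error handler calls `notify.error(...)` on a global that is only declared to ESLint via `/* global notify */`, never imported or checked; on any page that loads this module without that object, the handler itself throws a ReferenceError and the `callback(longUrl)` fallback on the following line never runs, which is a regression from the previous console.warn path. The handler also discards the `error` argument, so the failing status or response body is no longer visible anywhere. I would guard the notification and keep the diagnostic: `if (typeof notify !== 'undefined') notify.error('Error getting the short URL');` followed by `console.warn(error); // eslint-disable-line no-console` before `callback(longUrl);`. getShortUrl's opening and closing lines are outside the hunk.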


@@ -22,6 +22,12 @@
{% include "superset/partials/_script_tag.html" %} {% include "superset/partials/_script_tag.html" %}
{% endwith %} {% endwith %}
{% endblock %} {% endblock %}
<input
type="hidden"
name="csrf_token"
id="csrf_token"
value="{{ csrf_token() if csrf_token else '' }}"
>
</head> </head>
<body> <body>
@@ -38,12 +44,6 @@
<div id="app" data-bootstrap="{{ bootstrap_data }}" > <div id="app" data-bootstrap="{{ bootstrap_data }}" >
<img src="/static/assets/images/loading.gif" style="width: 50px; margin: 10px;"> <img src="/static/assets/images/loading.gif" style="width: 50px; margin: 10px;">
</div> </div>
<input
type="hidden"
name="csrf_token"
id="csrf_token"
value="{{ csrf_token() if csrf_token else '' }}"
>
{% endblock %} {% endblock %}
<!-- Modal for misc messages / alerts --> <!-- Modal for misc messages / alerts -->
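Review bot: The hidden `csrf_token` `<input>` is now emitted inside `<head>` (first hunk), where `<input>` is not a permitted element; HTML parsers recover by implicitly closing `<head>` and opening `<body>` at that point, so the markup works only by accident and anything placed after it in the head block would land in the body. The conventional carrier for a page-level token is a `<meta>` element, e.g. `<meta name="csrf-token" content="{{ csrf_token() if csrf_token else '' }}">`, with the JavaScript reading its `content` attribute; if the input must be kept for code that selects `#csrf_token`, it belongs at the top of `<body>`. The token is now rendered on every page extending basic.html, so the `''` fallback when `csrf_token` is undefined deserves a template comment stating that it is intentional and that clients are expected to skip the header in that case.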


@@ -22,10 +22,4 @@
<div id="grid-container" class="slice-grid gridster"></div> <div id="grid-container" class="slice-grid gridster"></div>
</div> </div>
<input
type="hidden"
name="csrf_token"
id="csrf_token"
value="{{ csrf_token() if csrf_token else '' }}"
>
{% endblock %} {% endblock %}


@@ -5,13 +5,22 @@
$("#testconn").click(function(e) { $("#testconn").click(function(e) {
e.preventDefault(); e.preventDefault();
var url = "/superset/testconn"; var url = "/superset/testconn";
var csrf_token = "{{ csrf_token() }}";
$.ajaxSetup({
beforeSend: function(xhr, settings) {
if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
xhr.setRequestHeader("X-CSRFToken", csrf_token);
}
}
});
var data = {}; var data = {};
try{ try{
data = JSON.stringify({ data = JSON.stringify({
uri: $("#sqlalchemy_uri").val(), uri: $("#sqlalchemy_uri").val(),
name: $('#database_name').val(), name: $('#database_name').val(),
extras: JSON.parse($("#extra").val()) extras: JSON.parse($("#extra").val()),
}) })
} catch(parse_error){ } catch(parse_error){
alert("Malformed JSON in the extras field: " + parse_error); alert("Malformed JSON in the extras field: " + parse_error);