fix: Refactor ownership checks and ensure consistency (#20499)
Co-authored-by: John Bodley <john.bodley@airbnb.com>
@@ -24,10 +24,10 @@ from superset.explore.form_data.commands.parameters import CommandParameters
|
||||
from superset.explore.form_data.commands.state import TemporaryExploreState
|
||||
from superset.explore.form_data.commands.utils import check_access
|
||||
from superset.extensions import cache_manager
|
||||
from superset.key_value.utils import get_owner, random_key
|
||||
from superset.key_value.utils import random_key
|
||||
from superset.temporary_cache.commands.exceptions import TemporaryCacheCreateFailedError
|
||||
from superset.temporary_cache.utils import cache_key
|
||||
from superset.utils.core import DatasourceType
|
||||
from superset.utils.core import DatasourceType, get_user_id
|
||||
from superset.utils.schema import validate_json
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
@@ -44,9 +44,8 @@ class CreateFormDataCommand(BaseCommand):
|
||||
datasource_type = self._cmd_params.datasource_type
|
||||
chart_id = self._cmd_params.chart_id
|
||||
tab_id = self._cmd_params.tab_id
|
||||
actor = self._cmd_params.actor
|
||||
form_data = self._cmd_params.form_data
|
||||
check_access(datasource_id, chart_id, actor, datasource_type)
|
||||
check_access(datasource_id, chart_id, datasource_type)
|
||||
contextual_key = cache_key(
|
||||
session.get("_id"), tab_id, datasource_id, chart_id, datasource_type
|
||||
)
|
||||
@@ -55,7 +54,7 @@ class CreateFormDataCommand(BaseCommand):
|
||||
key = random_key()
|
||||
if form_data:
|
||||
state: TemporaryExploreState = {
|
||||
"owner": get_owner(actor),
|
||||
"owner": get_user_id(),
|
||||
"datasource_id": datasource_id,
|
||||
"datasource_type": DatasourceType(datasource_type),
|
||||
"chart_id": chart_id,
|
||||
|
||||
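Review bot: `"owner": get_user_id()` stores whatever the ambient lookup returns, and nothing in this hunk rejects an empty result, so a state could be saved with no owner. `get_user_id` is not shown on this page; if it can return `None` (for example for an anonymous session), the ownership tests in the DeleteFormDataCommand and UpdateFormDataCommand hunks, `state["owner"] != get_user_id()`, would compare `None` with `None` and let any unauthenticated caller holding the key through. If anonymous explore is not meant to own state, fetch the id once and deny on `owner is None` before comparing; if it is meant to, a comment next to the `"owner"` entry should say so. The enclosing `run` method starts and ends outside the hunk.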
@@ -26,13 +26,12 @@ from superset.explore.form_data.commands.parameters import CommandParameters
|
||||
from superset.explore.form_data.commands.state import TemporaryExploreState
|
||||
from superset.explore.form_data.commands.utils import check_access
|
||||
from superset.extensions import cache_manager
|
||||
from superset.key_value.utils import get_owner
|
||||
from superset.temporary_cache.commands.exceptions import (
|
||||
TemporaryCacheAccessDeniedError,
|
||||
TemporaryCacheDeleteFailedError,
|
||||
)
|
||||
from superset.temporary_cache.utils import cache_key
|
||||
from superset.utils.core import DatasourceType
|
||||
from superset.utils.core import DatasourceType, get_user_id
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -43,7 +42,6 @@ class DeleteFormDataCommand(BaseCommand, ABC):
|
||||
|
||||
def run(self) -> bool:
|
||||
try:
|
||||
actor = self._cmd_params.actor
|
||||
key = self._cmd_params.key
|
||||
state: TemporaryExploreState = cache_manager.explore_form_data_cache.get(
|
||||
key
|
||||
@@ -52,8 +50,8 @@ class DeleteFormDataCommand(BaseCommand, ABC):
|
||||
datasource_id: int = state["datasource_id"]
|
||||
chart_id: Optional[int] = state["chart_id"]
|
||||
datasource_type = DatasourceType(state["datasource_type"])
|
||||
check_access(datasource_id, chart_id, actor, datasource_type)
|
||||
if state["owner"] != get_owner(actor):
|
||||
check_access(datasource_id, chart_id, datasource_type)
|
||||
if state["owner"] != get_user_id():
|
||||
raise TemporaryCacheAccessDeniedError()
|
||||
tab_id = self._cmd_params.tab_id
|
||||
contextual_key = cache_key(
|
||||
|
||||
@@ -40,7 +40,6 @@ class GetFormDataCommand(BaseCommand, ABC):
|
||||
|
||||
def run(self) -> Optional[str]:
|
||||
try:
|
||||
actor = self._cmd_params.actor
|
||||
key = self._cmd_params.key
|
||||
state: TemporaryExploreState = cache_manager.explore_form_data_cache.get(
|
||||
key
|
||||
@@ -49,7 +48,6 @@ class GetFormDataCommand(BaseCommand, ABC):
|
||||
check_access(
|
||||
state["datasource_id"],
|
||||
state["chart_id"],
|
||||
actor,
|
||||
DatasourceType(state["datasource_type"]),
|
||||
)
|
||||
if self._refresh_timeout:
|
||||
|
||||
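Review bot: GetFormDataCommand.run gates reads only on `check_access(...)` for the stored datasource and chart and, unlike the delete and update commands, never compares `state["owner"]` with the caller. If that is deliberate (the key acting as a shareable link among users who can see the datasource), it deserves a comment above the call such as `# Reads are not owner-restricted: any user with access to the datasource/chart may load a state by key.` The rest of `run` lies outside the hunk, so an owner check further down cannot be ruled out from here.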
@@ -17,14 +17,11 @@
|
||||
from dataclasses import dataclass
|
||||
from typing import Optional
|
||||
|
||||
from flask_appbuilder.security.sqla.models import User
|
||||
|
||||
from superset.utils.core import DatasourceType
|
||||
|
||||
|
||||
@dataclass
|
||||
class CommandParameters:
|
||||
actor: User
|
||||
datasource_type: DatasourceType = DatasourceType.TABLE
|
||||
datasource_id: int = 0
|
||||
chart_id: int = 0
|
||||
|
||||
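Review bot: Dropping the required `actor: User` field changes the constructor of `CommandParameters`: any remaining caller that still passes `actor=...` will raise `TypeError`, and a caller passing it positionally would silently bind the user object to `datasource_type`. The call sites are not part of the visible hunks, so it is worth confirming that every construction uses keywords and that none still supplies `actor`. The dataclass body continues past the end of the hunk.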
@@ -26,13 +26,13 @@ from superset.explore.form_data.commands.parameters import CommandParameters
|
||||
from superset.explore.form_data.commands.state import TemporaryExploreState
|
||||
from superset.explore.form_data.commands.utils import check_access
|
||||
from superset.extensions import cache_manager
|
||||
from superset.key_value.utils import get_owner, random_key
|
||||
from superset.key_value.utils import random_key
|
||||
from superset.temporary_cache.commands.exceptions import (
|
||||
TemporaryCacheAccessDeniedError,
|
||||
TemporaryCacheUpdateFailedError,
|
||||
)
|
||||
from superset.temporary_cache.utils import cache_key
|
||||
from superset.utils.core import DatasourceType
|
||||
from superset.utils.core import DatasourceType, get_user_id
|
||||
from superset.utils.schema import validate_json
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
@@ -51,14 +51,13 @@ class UpdateFormDataCommand(BaseCommand, ABC):
|
||||
datasource_id = self._cmd_params.datasource_id
|
||||
chart_id = self._cmd_params.chart_id
|
||||
datasource_type = self._cmd_params.datasource_type
|
||||
actor = self._cmd_params.actor
|
||||
key = self._cmd_params.key
|
||||
form_data = self._cmd_params.form_data
|
||||
check_access(datasource_id, chart_id, actor, datasource_type)
|
||||
check_access(datasource_id, chart_id, datasource_type)
|
||||
state: TemporaryExploreState = cache_manager.explore_form_data_cache.get(
|
||||
key
|
||||
)
|
||||
owner = get_owner(actor)
|
||||
owner = get_user_id()
|
||||
if state and form_data:
|
||||
if state["owner"] != owner:
|
||||
raise TemporaryCacheAccessDeniedError()
|
||||
|
||||
@@ -16,8 +16,6 @@
|
||||
# under the License.
|
||||
from typing import Optional
|
||||
|
||||
from flask_appbuilder.security.sqla.models import User
|
||||
|
||||
from superset.charts.commands.exceptions import (
|
||||
ChartAccessDeniedError,
|
||||
ChartNotFoundError,
|
||||
@@ -37,11 +35,10 @@ from superset.utils.core import DatasourceType
|
||||
def check_access(
|
||||
datasource_id: int,
|
||||
chart_id: Optional[int],
|
||||
actor: User,
|
||||
datasource_type: DatasourceType,
|
||||
) -> None:
|
||||
try:
|
||||
explore_check_access(datasource_id, chart_id, actor, datasource_type)
|
||||
explore_check_access(datasource_id, chart_id, datasource_type)
|
||||
except (ChartNotFoundError, DatasetNotFoundError) as ex:
|
||||
raise TemporaryCacheResourceNotFoundError from ex
|
||||
except (ChartAccessDeniedError, DatasetAccessDeniedError) as ex:
|
||||
|
||||
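Review bot: `check_access` no longer names the user it authorizes, so it needs a docstring stating that the decision is made for the current request's user rather than a passed-in one. Something like `"""Check that the current user may access the given datasource and chart."""`, plus a line on the exception translation, would tell callers outside a request (background jobs, tests) that they must establish a user first. How the user is resolved is presumably inside `explore_check_access`, which is not shown here, so the wording should be confirmed against it. The second `except` branch continues outside the hunk.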