Evan
4415b8a400
feat(security): terminate active sessions when an account is disabled
...
Disabling a user account (active=False) terminates that user's
outstanding sessions on their next request via a per-user invalidation
epoch (user_attribute.sessions_invalidated_at). Works for both
client-side cookie sessions and server-side session stores. Inert for
users that were never disabled (NULL epoch). The migration backfills the
epoch for accounts already disabled at upgrade time.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-10 11:24:30 -07:00
Evan Rusackas
5a0e3f15ca
feat(embedded): add guest token revocation support ( #40671 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-10 09:17:30 -07:00
Evan Rusackas
08b8bdecbd
fix(charts): tighten chart schema input validation (query_context JSON, prophet/rolling bounds) ( #40634 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-10 08:17:12 -07:00
Evan Rusackas
0a1e51f542
fix(schemas): tighten guest dataset fields, external_url protocols, ssh creds, prophet bounds ( #40640 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 18:30:30 -07:00
Elizabeth Thompson
c0e78f39d7
fix: replace deprecated appbuilder.app with current_app ( #40876 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-09 15:01:43 -07:00
dependabot[bot]
543ad04ca0
chore(deps): bump pyarrow from 20.0.0 to 24.0.0 ( #39756 )
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Evan <evan@preset.io >
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-09 12:51:33 -07:00
Evan Rusackas
004101a752
fix(rls): apply standard datasource access checks in RLS rule commands ( #40650 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 11:24:12 -07:00
Evan Rusackas
568f34d6d8
fix(mcp): enforce audience, algorithm, issuer binding, and token scopes (strict mode) ( #40653 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 11:08:20 -07:00
Evan Rusackas
065578e48a
fix(commands,api): enforce command validation, sanitize export filename/token, set cache TTLs ( #40655 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 10:29:46 -07:00
EMMANUELA OPURUM
6311e2c315
fix: use pd.to_numeric in df_metrics_to_num to handle string-encoded numerics from ClickHouse ( #40190 )
...
Co-authored-by: Emmanuela Opurum <youremail@example.com >
Co-authored-by: Đỗ Trọng Hải <41283691+hainenber@users.noreply.github.com >
2026-06-09 10:28:34 -07:00
Evan Rusackas
0133ebc9f2
feat(mcp): log successful JWT authentication events ( #40864 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 09:34:52 -07:00
Evan Rusackas
b64dd4af4a
fix(mcp): handle JWKS fetch network errors during token verification ( #40869 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 09:34:33 -07:00
Evan Rusackas
7b1e1e5668
fix(charts): route CSV result format through the escaping CSV writer ( #40859 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 09:33:46 -07:00
Evan Rusackas
9105adc67b
fix(mcp): return a generic message when a request is unauthenticated ( #40861 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 09:19:15 -07:00
Sebastian Mohr
443fd7bcee
fix(assets): Support uploading tags using the assets import endpoint ( #38343 )
...
Co-authored-by: Sam Firke <sfirke@users.noreply.github.com >
2026-06-09 10:13:28 -04:00
Daniel Vaz Gaspar
2f71771b56
fix(sqllab): prevent corrupted query state from blocking SQL Lab access ( #40580 )
...
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
Co-authored-by: Joe Li <joe@preset.io >
2026-06-09 10:51:45 +01:00
Evan Rusackas
3afbb48188
fix(uploads,dao): add zip-safety check to columnar reader and cap DAO page size ( #40637 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-08 17:07:57 -07:00
Evan Rusackas
837f41986d
fix: reject default guest/async JWT secrets at startup ( #40649 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-08 16:53:37 -07:00
Evan Rusackas
8eda626466
fix: raise random_key entropy and add expiry to async query tokens ( #40638 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-08 16:24:06 -07:00
Evan Rusackas
fe9818226d
fix(viz): gate stacktrace behind SHOW_STACKTRACE and allowlist resample method ( #40636 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-08 16:09:59 -07:00
Evan Rusackas
911bb9dcda
fix: harden ZIP safety checks (total-size cap, zero-division guard) and extension path matching ( #40664 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-08 14:14:53 -07:00
Amin Ghadersohi
ef7379c47e
chore(mcp): remove low-value list/info tools that fail agent-native policy ( #40690 )
2026-06-06 14:57:41 -04:00
Amin Ghadersohi
84aaaaa6b0
fix(mcp): filter sensitive database columns from list_databases loaded-metadata ( #40771 )
2026-06-06 14:57:21 -04:00
Evan Rusackas
b85a2cdab1
fix: ODPS (MaxCompute) data source table preview failed ( #38174 )
...
Co-authored-by: zhutong6688 <zhutong66@163.com >
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com >
2026-06-05 17:57:44 -07:00
Evan Rusackas
381b99ae84
fix(csv): respect CSV_EXPORT config for decimal separator and delimiter ( #38170 )
...
Co-authored-by: Claude <noreply@anthropic.com >
2026-06-05 17:57:21 -07:00
Evan Rusackas
6b0d747939
fix: cache warmup using WebDriver for reliable authentication ( #38449 )
...
Co-authored-by: Superset Dev <dev@superset.apache.org >
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-05 16:36:30 -07:00
Evan Rusackas
19d01521bf
fix(dashboard): replace chartsInScope references at import time ( #38171 )
...
Co-authored-by: Rémy Dubois <remy.dubois@komodohealth.com >
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-05 11:42:24 -07:00
Evan Rusackas
1623ceda73
fix(result_set): preserve JSON/JSONB data as objects instead of strings ( #38172 )
...
Co-authored-by: Claude <noreply@anthropic.com >
2026-06-05 11:41:40 -07:00
madhushreeag
fa42b13eb8
fix(dataset): preserve numeric column types when pydruid infers STRING from first-row value ( #40677 )
...
Co-authored-by: madhushree agarwal <madhushree_agarwal@apple.com >
2026-06-05 09:25:57 -07:00
Amin Ghadersohi
aa4092ba68
fix(mcp): add select_columns lean defaults to get_dashboard_info, get_chart_info, get_dataset_info ( #40473 )
...
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
Co-authored-by: Richard Fogaça <richardfogaca@gmail.com >
2026-06-05 11:10:13 -03:00
Elizabeth Thompson
42367afb25
fix(reports): add per-tile animation wait to prevent partial ECharts renders in tiled screenshots ( #40694 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-04 16:43:34 -07:00
Vitor Avila
7406098708
fix(dashboard-filter): Consider dashboard filters to charts not declared in the dashboard position ( #40774 )
2026-06-04 16:43:38 -03:00
Evan Rusackas
0d1b702ce8
feat(extensions): static supply-chain controls — denylist + version policy ( #40668 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-04 12:29:03 -07:00
Amin Ghadersohi
7d69f76127
fix(mcp): API key authentication for MCP — transport, validation, and RBAC ( #39604 )
2026-06-04 15:04:43 -04:00
Evan Rusackas
9a31362fa5
fix(reports): stamp email subject date at send time, not import time ( #40693 )
...
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-04 12:03:28 -07:00
Evan Rusackas
23d18743bd
fix(deck.gl): strip all JS-executed form_data keys when JavaScript controls are disabled ( #40602 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-04 10:14:33 -07:00
Evan Rusackas
9d1bc6b2cc
fix(i18n): don't flag intentional string deletions as translation regressions ( #40716 )
...
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-03 14:47:31 -07:00
Shaitan
6a125bf774
fix(jinja): expose dialect-escaped companion value on get_filters() ( #40531 )
2026-06-03 21:53:12 +01:00
Shaitan
43fde2fb07
fix(charts): enforce DISALLOWED_SQL_FUNCTIONS and DISALLOWED_SQL_TABLES at chart-data execution ( #40567 )
...
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-03 21:52:48 +01:00
dependabot[bot]
2be2246a00
chore(deps-dev): bump gevent from 24.2.1 to 26.4.0 ( #40378 )
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Code <noreply@anthropic.com >
Co-authored-by: Evan <evan@preset.io >
2026-06-03 12:58:17 -07:00
Evan Rusackas
80ea36c852
fix(db_engine_specs): escape schema name in regex; document safe filter pattern ( #40642 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-03 11:56:51 -07:00
Amin Ghadersohi
f4dfb7f026
fix(mcp): fall back to form_data spatial query for Deck.gl charts ( #40339 )
2026-06-03 13:30:52 -04:00
Burhanuddin Mundrawala
e5ff6de790
chore: correct typos in config.py and models_test.py comments ( #40706 )
2026-06-03 21:58:29 +07:00
Shaitan
e3ba85b1a5
fix(redirect): normalize browser-stripped whitespace before protocol-relative check ( #40566 )
...
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-03 12:56:10 +01:00
Shaitan
56fd991efd
fix(dataset): unify validation for stored and adhoc SQL expressions ( #40392 )
...
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-03 12:55:50 +01:00
Shaitan
f7f50a7977
fix(sqllab): quote CTAS target identifiers and validate tmp_table_name format ( #40245 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-03 12:55:25 +01:00
Shaitan
725f5ed2a9
fix(api): enforce per-object ownership validation in chart, dataset, and report commands ( #39303 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-03 12:55:15 +01:00
Shaitan
faa76f6741
fix(embedding): add optional dataset allowlist to guest tokens ( #39302 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-03 12:55:09 +01:00
Shaitan
8e4a460cc7
fix(charts): apply DISALLOWED_SQL_FUNCTIONS gate to adhoc expressions ( #40568 )
...
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
2026-06-03 12:52:22 +01:00
Evan Rusackas
b9dc9d722e
fix(export): sanitize user-supplied CSV export filename (charts + SQL Lab) ( #40632 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-03 00:14:48 -07:00