Evan
be0d9bc9e3
fix(embedded): include all_columns from stored query context in guest sort targets
...
Address review feedback: the stored query context loop in
_collect_sortable_identifiers omitted all_columns, silently rejecting
legitimate guest sorts on table charts configured with 'show all
columns'. Add it, plus a regression test and clarifying comments on the
order-by union and the intentional stored_values asymmetry.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-23 05:51:00 -07:00
Evan
7c1fa4ae72
fix(embedded): include legacy singular metric and reject malformed orderby in guest sort guard
...
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-18 23:00:13 -07:00
Claude Code
27c481d75d
fix(embedded): allow guest users to sort table columns
...
query_context_modified() compared a guest request's orderby against the
stored chart's orderby with a strict subset check, alongside columns,
metrics and groupby. Saved charts usually store an empty orderby, so when
a guest clicked a column header to sort a table in an embedded dashboard
the new orderby value failed the subset check and the request was
rejected with "Guest user cannot modify chart payload", even though
sorting only changes result ordering and not which data is read.
Handle orderby separately: a guest may sort by any column or metric the
stored chart already references, but order-by terms that are not present
in the stored chart (e.g. a free-form random() expression) are still
rejected, preserving the existing SQL-injection guard. The columns/
metrics/groupby comparison is extracted into a helper to keep
query_context_modified within the complexity budget, and the inner loop's
variable shadowing of `key` is fixed along the way.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com >
2026-06-18 21:46:53 -07:00
Elizabeth Thompson
0c9ece65bb
fix(reports): require user in get_screenshot, simplify Selenium lifecycle, and fail on tiled screenshot error ( #41080 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-18 15:46:17 -07:00
Elizabeth Thompson
7040388ad1
fix(query_object_factory): normalize deprecated query fields before constructing QueryObject ( #41204 )
2026-06-18 15:02:07 -07:00
Abdul Rehman
76e2418f1e
fix(mcp): add safeguards to ensure all MCP tools are wrapped with mcp_auth_hook ( #40412 )
...
Co-authored-by: Evan Rusackas <evan@preset.io >
2026-06-18 10:27:53 -07:00
Vitor Avila
b4e3452bfd
fix(chart API): Do not duplicate Jinja-applied filters with filters_dashboard_id ( #41131 )
2026-06-18 14:25:54 -03:00
Durgaprasad M L
7e98410743
fix(theme): embedded method overrides dashboard level config ( #40777 )
...
Co-authored-by: Mehmet Salih Yavuz <salih.yavuz@proton.me >
2026-06-17 18:33:04 -07:00
Hans Yu
883b7a286d
refactor: update SQLAlchemy select() syntax to 2.0 ( #40276 )
2026-06-17 17:50:32 -07:00
jesperct
ef82da8458
fix(charts): apply datetime format to unaggregated temporal columns ( #41060 )
2026-06-17 14:56:09 -07:00
Shaitan
6a1091d576
fix(sql): broaden mutating-statement detection in SQL Lab parser ( #40421 )
...
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
Co-authored-by: sha174n <pedro.sousa@preset.io >
2026-06-16 15:07:34 -07:00
Elizabeth Thompson
f1ae683923
fix(deps): replace deprecated np.NaN with np.nan ( #41118 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-16 14:19:08 -07:00
Bob Jo
257dafeec5
fix(query): don't mutate ad-hoc ORDER BY expressions when building queries ( #40993 )
...
Co-authored-by: Claude Fable 5 <noreply@anthropic.com >
2026-06-16 13:03:39 -04:00
Alexandru Soare
6d08e79259
feat(security): Add extension hooks for custom access control, ownership, and asset lifecycle ( #40707 )
2026-06-16 15:25:03 +03:00
Amin Ghadersohi
7cb4990403
feat(mcp): add create_dataset tool to register physical tables as datasets ( #40340 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-15 23:25:29 -04:00
Amin Ghadersohi
c1b5d05f83
fix(bigquery): set default dataset from schema in adjust_engine_params ( #40776 )
2026-06-15 18:37:06 -04:00
Evan Rusackas
e16bb29faf
fix(embedded): allow guests to apply a Time Grain native filter ( #32768 ) ( #41017 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com >
2026-06-15 15:22:21 -07:00
Elizabeth Thompson
09b4bc51a3
fix(charts): rename deprecated query object fields in schema before QueryObject construction ( #41056 )
2026-06-15 14:45:41 -07:00
Evan Rusackas
379435b7eb
feat(ssh_tunnel): add opt-in server host key verification ( #40673 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-15 12:17:14 -07:00
Amin Ghadersohi
4b96b91b53
feat(mcp): add aggregation field to BigNumberChartConfig for Big Number with Trendline ( #40775 )
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
2026-06-15 14:40:37 -04:00
Minh Vu
bf5daf0a1e
fix(mcp): redirect stdio click echo without recursion ( #40814 )
2026-06-15 10:10:40 -07:00
Joe Li
b656b1d477
fix(reports): escape LIKE wildcards in text filter and preserve typed screenshot width ( #40980 )
...
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-15 09:59:40 -07:00
Amin Ghadersohi
820e3d18d3
fix(mcp): make search_tools query optional to fix null content on tool discovery ( #40906 )
2026-06-15 11:32:40 -04:00
Evan Rusackas
9d2f625e55
feat(encrypt): selectable encryption engine + AES-GCM re-encryption migrator ( #40654 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-15 08:10:08 -07:00
Kim Jeong Ju
9ec9c8658b
fix(query_context_processor): apply CSV encoding to follow the encoding settings of 'CSV_EXPORT' ( #34806 )
...
Co-authored-by: Jeong Ju, Kim <haje01@webzen.com >
Co-authored-by: Evan <evan@preset.io >
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-14 08:55:25 -07:00
Evan Rusackas
9f81565625
feat(uploads): add optional max file size for data uploads ( #40860 )
2026-06-14 19:46:48 +07:00
Nitish Agarwal
c934498696
fix(dashboard): do not add importer as owner when overwriting existing dashboard ( #38615 )
...
Co-authored-by: Evan <evan@preset.io >
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-14 05:10:03 -07:00
Evan Rusackas
d120b1c250
feat(security): enforce password complexity policy (min length + common-password blocklist) ( #40670 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-13 16:31:23 -07:00
Yuvraj Singh Chauhan
3c6239363b
fix(db): preserve percent encoding in database passwords ( #36783 )
...
Co-authored-by: Evan <evan@preset.io >
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-13 13:52:00 -07:00
Shaitan
5fb13f102a
fix(network): validate target hostname in outbound requests ( #39301 )
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
Co-authored-by: Evan Rusackas <evan@preset.io >
Co-authored-by: Arpit Jain <3242828+arpitjain099@users.noreply.github.com >
Co-authored-by: Mafi <matt.fitzgerald@gmail.com >
Co-authored-by: Matt Fitzgerald <matt.fitzgerald@preset.io >
Co-authored-by: Richard Fogaca Nienkotter <63572350+richardfogaca@users.noreply.github.com >
Co-authored-by: Superset Dev <dev@superset.apache.org >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: sadpandajoe <jcli38@gmail.com >
Co-authored-by: JUST.in DO IT <justin.park@airbnb.com >
Co-authored-by: Michael S. Molina <70410625+michael-s-molina@users.noreply.github.com >
Co-authored-by: sha174n <pedro.sousa@preset.io >
2026-06-13 20:26:58 +01:00
Shaitan
aa3d2b9e81
fix(dashboard): validate native-filter data requests against filter targets ( #40979 )
...
Co-authored-by: sha174n <pedro.sousa@preset.io >
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-13 19:02:28 +01:00
Shaitan
e5986b32ff
fix(charts): evaluate access before rendering query filters; isolate macro env ( #40982 )
...
Co-authored-by: sha174n <pedro.sousa@preset.io >
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-13 19:01:54 +01:00
Shaitan
a41869ec7d
fix(dashboard): build example-export sample data through the dataset query path ( #40976 )
...
Co-authored-by: sha174n <pedro.sousa@preset.io >
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-13 19:01:35 +01:00
Cole Murray
6487cf03c5
fix(security): Add input validation to cancel_query_id to prevent injection ( #36722 )
...
Signed-off-by: ColeMurray <cole@waclaude.com >
Co-authored-by: Evan Rusackas <evan@preset.io >
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-13 10:56:14 -07:00
Evan Rusackas
b05fe4857e
fix(chart): require chart access for query_context-only updates ( #40648 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-13 04:16:29 -07:00
Amin Ghadersohi
2f008afca9
fix(mcp): add dataset_id to update_chart to support rebinding chart datasource ( #40853 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-12 10:42:53 -04:00
Evan Rusackas
814b72c6f9
feat(security): force password change on first use (opt-in) ( #40669 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-11 22:23:10 -07:00
Evan Rusackas
663b47aa75
feat: support guest-token revocation per embedded dashboard ( #40676 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-11 19:37:22 -07:00
Evan Rusackas
9938ee273f
feat: terminate active sessions when an account is disabled ( #40695 )
...
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-11 19:37:13 -07:00
Abdul Rehman
42d0c4436e
fix(permalink): accept null entries in activeTabs for v5-imported dashboards ( #40969 )
2026-06-11 22:03:27 +07:00
Evan Rusackas
6c5ad1e912
fix(sqllab): apply SQL controls (RLS/DML/disallowed) to cost estimation ( #40662 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-11 05:33:42 -07:00
Richard Fogaca Nienkotter
046b1b61b3
fix(maps): preserve OSM styles and configurable renderer defaults ( #40804 )
2026-06-10 22:26:00 -03:00
Dylan Cavalcante
f79a88c685
test(core): add unit tests for split function ( #40819 )
...
Co-authored-by: Đỗ Trọng Hải <41283691+hainenber@users.noreply.github.com >
Co-authored-by: Evan <evan@preset.io >
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-10 16:12:35 -07:00
Evan Rusackas
5a0e3f15ca
feat(embedded): add guest token revocation support ( #40671 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-10 09:17:30 -07:00
Evan Rusackas
08b8bdecbd
fix(charts): tighten chart schema input validation (query_context JSON, prophet/rolling bounds) ( #40634 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-10 08:17:12 -07:00
Evan Rusackas
0a1e51f542
fix(schemas): tighten guest dataset fields, external_url protocols, ssh creds, prophet bounds ( #40640 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 18:30:30 -07:00
Elizabeth Thompson
c0e78f39d7
fix: replace deprecated appbuilder.app with current_app ( #40876 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-09 15:01:43 -07:00
dependabot[bot]
543ad04ca0
chore(deps): bump pyarrow from 20.0.0 to 24.0.0 ( #39756 )
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Evan <evan@preset.io >
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-09 12:51:33 -07:00
Evan Rusackas
004101a752
fix(rls): apply standard datasource access checks in RLS rule commands ( #40650 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 11:24:12 -07:00
Evan Rusackas
568f34d6d8
fix(mcp): enforce audience, algorithm, issuer binding, and token scopes (strict mode) ( #40653 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-09 11:08:20 -07:00