Evan
be0d9bc9e3
fix(embedded): include all_columns from stored query context in guest sort targets
...
Address review feedback: the stored query context loop in
_collect_sortable_identifiers omitted all_columns, silently rejecting
legitimate guest sorts on table charts configured with 'show all
columns'. Add it, plus a regression test and clarifying comments on the
order-by union and the intentional stored_values asymmetry.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-23 05:51:00 -07:00
Evan
7c1fa4ae72
fix(embedded): include legacy singular metric and reject malformed orderby in guest sort guard
...
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-18 23:00:13 -07:00
Claude Code
27c481d75d
fix(embedded): allow guest users to sort table columns
...
query_context_modified() compared a guest request's orderby against the
stored chart's orderby with a strict subset check, alongside columns,
metrics and groupby. Saved charts usually store an empty orderby, so when
a guest clicked a column header to sort a table in an embedded dashboard
the new orderby value failed the subset check and the request was
rejected with "Guest user cannot modify chart payload", even though
sorting only changes result ordering and not which data is read.
Handle orderby separately: a guest may sort by any column or metric the
stored chart already references, but order-by terms that are not present
in the stored chart (e.g. a free-form random() expression) are still
rejected, preserving the existing SQL-injection guard. The columns/
metrics/groupby comparison is extracted into a helper to keep
query_context_modified within the complexity budget, and the inner loop's
variable shadowing of `key` is fixed along the way.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com >
2026-06-18 21:46:53 -07:00
Alexandru Soare
6d08e79259
feat(security): Add extension hooks for custom access control, ownership, and asset lifecycle ( #40707 )
2026-06-16 15:25:03 +03:00
Evan Rusackas
e16bb29faf
fix(embedded): allow guests to apply a Time Grain native filter ( #32768 ) ( #41017 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com >
2026-06-15 15:22:21 -07:00
Evan Rusackas
d120b1c250
feat(security): enforce password complexity policy (min length + common-password blocklist) ( #40670 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-13 16:31:23 -07:00
Shaitan
aa3d2b9e81
fix(dashboard): validate native-filter data requests against filter targets ( #40979 )
...
Co-authored-by: sha174n <pedro.sousa@preset.io >
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-13 19:02:28 +01:00
Evan Rusackas
814b72c6f9
feat(security): force password change on first use (opt-in) ( #40669 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-11 22:23:10 -07:00
Evan Rusackas
663b47aa75
feat: support guest-token revocation per embedded dashboard ( #40676 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-11 19:37:22 -07:00
Evan Rusackas
9938ee273f
feat: terminate active sessions when an account is disabled ( #40695 )
...
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
2026-06-11 19:37:13 -07:00
Evan Rusackas
5a0e3f15ca
feat(embedded): add guest token revocation support ( #40671 )
...
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-10 09:17:30 -07:00
Amin Ghadersohi
7d69f76127
fix(mcp): API key authentication for MCP — transport, validation, and RBAC ( #39604 )
2026-06-04 15:04:43 -04:00
Shaitan
faa76f6741
fix(embedding): add optional dataset allowlist to guest tokens ( #39302 )
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-06-03 12:55:09 +01:00
Michael Gerber
041ecbc248
fix(embedded): resolve guest user permissions in user_view_menu_names ( #39197 )
...
Co-authored-by: Evan Rusackas <evan@preset.io >
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
Co-authored-by: Claude Code <noreply@anthropic.com >
2026-06-01 10:30:05 -07:00
Beto Dealmeida
cb53745d43
feat: semantic layer extension ( #37815 )
2026-05-05 12:07:46 -04:00
Daniel Vaz Gaspar
5815665cc6
feat: role/user CRUD events and login/logout tracking in the action log ( #39121 )
...
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com >
2026-04-09 15:55:25 +01:00
Amin Ghadersohi
811dcb3715
feat(api-keys): add API key authentication via FAB SecurityManager ( #37973 )
...
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com >
Co-authored-by: Kamil Gabryjelski <kamil.gabryjelski@gmail.com >
2026-03-24 13:37:26 -04:00
Mehmet Salih Yavuz
95f61bd223
fix: add parent_slice_id for multilayer charts to embed ( #38243 )
2026-03-12 21:21:43 +03:00
Yuriy Krasilnikov
09e9c6a522
fix(embedded): prevent double RLS application in virtual datasets ( #37395 )
2026-03-12 14:12:59 +01:00
Hugh A. Miles II
61fbfda501
feat(security): add granular export controls (Phase 1) ( #38361 )
2026-03-09 16:44:56 -04:00
Kamil Gabryjelski
3e3c9686de
perf(dashboard): Batch RLS filter lookups for dashboard digest computation ( #37941 )
2026-02-16 21:35:55 +01:00
Alexandru Soare
9ea5ded988
fix(dashboard): Prevent fatal error when database connection is unavailable ( #37576 )
2026-02-06 20:52:17 -08:00
Beto Dealmeida
ecb4e483df
fix: apply EXCLUDE_USERS_FROM_LISTS to /api/v1/security/users/ ( #36742 )
...
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com >
2025-12-23 15:18:34 -08:00
Daniel Vaz Gaspar
a9fb853e3e
fix: Bump FAB to 5.X ( #33055 )
...
Co-authored-by: Joe Li <joe@preset.io >
2025-09-12 09:21:37 +01:00
Maxime Beauchemin
246181a546
feat(docker): Add pytest support to docker-compose-light.yml ( #34373 )
...
Co-authored-by: Claude <noreply@anthropic.com >
2025-08-06 00:17:50 -04:00
Maxime Beauchemin
3f8472ca7b
chore: move some rules from ruff -> pylint ( #34292 )
2025-07-24 09:40:49 -07:00
Beto Dealmeida
a26e1d822a
chore: remove sqlparse ( #33564 )
2025-06-04 19:31:41 -04:00
Daniel Vaz Gaspar
a4bb11c755
chore: bump FAB to 4.7.0 ( #33607 )
2025-05-29 08:34:00 +01:00
Enzo Martellucci
013379eb86
feat(List Users): Migrate List Users FAB to React ( #32882 )
2025-04-15 17:04:28 +03:00
Enzo Martellucci
4f0020d0df
feat(List Roles): Migrate FAB view to React ( #32432 )
...
Co-authored-by: Diego Pucci <diegopucci.me@gmail.com >
2025-04-02 14:06:17 +03:00
Maxime Beauchemin
e51b95ffa8
chore: enforce more ruff rules ( #31447 )
...
Co-authored-by: Elizabeth Thompson <eschutho@gmail.com >
2024-12-18 17:41:34 -08:00
Beto Dealmeida
7f2e752796
fix: check orderby ( #31156 )
2024-11-26 10:15:06 -05:00
Geido
90572be95a
fix(Dashboard): Retain colors when color scheme not set ( #30646 )
2024-11-21 19:58:32 +02:00
Beto Dealmeida
e0172a24b8
fix(embedded): sankey charts ( #30491 )
2024-10-02 13:45:35 -04:00
Beto Dealmeida
39209c2b40
fix: handle empty catalog when DB supports them ( #29840 )
2024-08-13 10:08:43 -04:00
Beto Dealmeida
fb15278f97
fix: catalog permission check ( #29581 )
2024-07-12 21:00:13 -04:00
Beto Dealmeida
a56f656a83
fix: small fixes to the catalog migration ( #29579 )
2024-07-12 20:49:30 -04:00
Beto Dealmeida
67df4e3ce3
fix: prevent guest users from changing columns ( #29530 )
2024-07-10 12:26:51 -04:00
John Bodley
8fb8199a55
chore(dao/command): Add transaction decorator to try to enforce "unit of work" ( #24969 )
2024-06-28 12:33:56 -07:00
Beto Dealmeida
8e15d4807f
chore: s/MockFixture/MockerFixture/g ( #29160 )
2024-06-10 12:35:07 -04:00
Beto Dealmeida
ba2cf5dbbc
chore: unit tests for catalog_access ( #28406 )
2024-05-09 14:41:33 -04:00
Beto Dealmeida
e90246fd1f
feat(SIP-95): permissions for catalogs ( #28317 )
2024-05-06 11:41:58 -04:00
Beto Dealmeida
36290ce72f
fix: guest queries ( #27566 )
2024-03-19 11:20:52 -04:00
Beto Dealmeida
376bfd05bd
fix: pass valid SQL to SM ( #27464 )
2024-03-18 15:38:58 -04:00
Beto Dealmeida
36fd3c0bf8
feat: improve _extract_tables_from_sql ( #26748 )
2024-03-18 13:02:58 -04:00
Beto Dealmeida
735b895dd5
fix: check if guest user modified query ( #27484 )
2024-03-12 21:28:06 -04:00
Daniel Vaz Gaspar
ceda51617b
fix: CSRF exempt unit_tests ( #27168 )
2024-02-20 16:18:30 +00:00
Daniel Vaz Gaspar
5b34395689
fix: chart import validation ( #26993 )
2024-02-06 12:14:02 +00:00
Beto Dealmeida
fade4806ce
fix: prevent guest user from modifying metrics ( #26749 )
2024-01-29 12:59:33 -05:00
Daniel Vaz Gaspar
549abb542b
fix: REST API CSRF exempt list ( #25590 )
2023-10-10 12:53:37 +01:00