Commit Graph

52 Commits

Author SHA1 Message Date
Evan
be0d9bc9e3 fix(embedded): include all_columns from stored query context in guest sort targets
Address review feedback: the stored query context loop in
_collect_sortable_identifiers omitted all_columns, silently rejecting
legitimate guest sorts on table charts configured with 'show all
columns'. Add it, plus a regression test and clarifying comments on the
order-by union and the intentional stored_values asymmetry.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 05:51:00 -07:00
Evan
7c1fa4ae72 fix(embedded): include legacy singular metric and reject malformed orderby in guest sort guard
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 23:00:13 -07:00
Claude Code
27c481d75d fix(embedded): allow guest users to sort table columns
query_context_modified() compared a guest request's orderby against the
stored chart's orderby with a strict subset check, alongside columns,
metrics and groupby. Saved charts usually store an empty orderby, so when
a guest clicked a column header to sort a table in an embedded dashboard
the new orderby value failed the subset check and the request was
rejected with "Guest user cannot modify chart payload", even though
sorting only changes result ordering and not which data is read.

Handle orderby separately: a guest may sort by any column or metric the
stored chart already references, but order-by terms that are not present
in the stored chart (e.g. a free-form random() expression) are still
rejected, preserving the existing SQL-injection guard. The columns/
metrics/groupby comparison is extracted into a helper to keep
query_context_modified within the complexity budget, and the inner loop's
variable shadowing of `key` is fixed along the way.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-18 21:46:53 -07:00
Alexandru Soare
6d08e79259 feat(security): Add extension hooks for custom access control, ownership, and asset lifecycle (#40707) 2026-06-16 15:25:03 +03:00
Evan Rusackas
e16bb29faf fix(embedded): allow guests to apply a Time Grain native filter (#32768) (#41017)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
2026-06-15 15:22:21 -07:00
Evan Rusackas
d120b1c250 feat(security): enforce password complexity policy (min length + common-password blocklist) (#40670)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-13 16:31:23 -07:00
Shaitan
aa3d2b9e81 fix(dashboard): validate native-filter data requests against filter targets (#40979)
Co-authored-by: sha174n <pedro.sousa@preset.io>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-13 19:02:28 +01:00
Evan Rusackas
814b72c6f9 feat(security): force password change on first use (opt-in) (#40669)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-11 22:23:10 -07:00
Evan Rusackas
663b47aa75 feat: support guest-token revocation per embedded dashboard (#40676)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-11 19:37:22 -07:00
Evan Rusackas
9938ee273f feat: terminate active sessions when an account is disabled (#40695)
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 19:37:13 -07:00
Evan Rusackas
5a0e3f15ca feat(embedded): add guest token revocation support (#40671)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-10 09:17:30 -07:00
Amin Ghadersohi
7d69f76127 fix(mcp): API key authentication for MCP — transport, validation, and RBAC (#39604) 2026-06-04 15:04:43 -04:00
Shaitan
faa76f6741 fix(embedding): add optional dataset allowlist to guest tokens (#39302)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 12:55:09 +01:00
Michael Gerber
041ecbc248 fix(embedded): resolve guest user permissions in user_view_menu_names (#39197)
Co-authored-by: Evan Rusackas <evan@preset.io>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-01 10:30:05 -07:00
Beto Dealmeida
cb53745d43 feat: semantic layer extension (#37815) 2026-05-05 12:07:46 -04:00
Daniel Vaz Gaspar
5815665cc6 feat: role/user CRUD events and login/logout tracking in the action log (#39121)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-09 15:55:25 +01:00
Amin Ghadersohi
811dcb3715 feat(api-keys): add API key authentication via FAB SecurityManager (#37973)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Kamil Gabryjelski <kamil.gabryjelski@gmail.com>
2026-03-24 13:37:26 -04:00
Mehmet Salih Yavuz
95f61bd223 fix: add parent_slice_id for multilayer charts to embed (#38243) 2026-03-12 21:21:43 +03:00
Yuriy Krasilnikov
09e9c6a522 fix(embedded): prevent double RLS application in virtual datasets (#37395) 2026-03-12 14:12:59 +01:00
Hugh A. Miles II
61fbfda501 feat(security): add granular export controls (Phase 1) (#38361) 2026-03-09 16:44:56 -04:00
Kamil Gabryjelski
3e3c9686de perf(dashboard): Batch RLS filter lookups for dashboard digest computation (#37941) 2026-02-16 21:35:55 +01:00
Alexandru Soare
9ea5ded988 fix(dashboard): Prevent fatal error when database connection is unavailable (#37576) 2026-02-06 20:52:17 -08:00
Beto Dealmeida
ecb4e483df fix: apply EXCLUDE_USERS_FROM_LISTS to /api/v1/security/users/ (#36742)
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-23 15:18:34 -08:00
Daniel Vaz Gaspar
a9fb853e3e fix: Bump FAB to 5.X (#33055)
Co-authored-by: Joe Li <joe@preset.io>
2025-09-12 09:21:37 +01:00
Maxime Beauchemin
246181a546 feat(docker): Add pytest support to docker-compose-light.yml (#34373)
Co-authored-by: Claude <noreply@anthropic.com>
2025-08-06 00:17:50 -04:00
Maxime Beauchemin
3f8472ca7b chore: move some rules from ruff -> pylint (#34292) 2025-07-24 09:40:49 -07:00
Beto Dealmeida
a26e1d822a chore: remove sqlparse (#33564) 2025-06-04 19:31:41 -04:00
Daniel Vaz Gaspar
a4bb11c755 chore: bump FAB to 4.7.0 (#33607) 2025-05-29 08:34:00 +01:00
Enzo Martellucci
013379eb86 feat(List Users): Migrate List Users FAB to React (#32882) 2025-04-15 17:04:28 +03:00
Enzo Martellucci
4f0020d0df feat(List Roles): Migrate FAB view to React (#32432)
Co-authored-by: Diego Pucci <diegopucci.me@gmail.com>
2025-04-02 14:06:17 +03:00
Maxime Beauchemin
e51b95ffa8 chore: enforce more ruff rules (#31447)
Co-authored-by: Elizabeth Thompson <eschutho@gmail.com>
2024-12-18 17:41:34 -08:00
Beto Dealmeida
7f2e752796 fix: check orderby (#31156) 2024-11-26 10:15:06 -05:00
Geido
90572be95a fix(Dashboard): Retain colors when color scheme not set (#30646) 2024-11-21 19:58:32 +02:00
Beto Dealmeida
e0172a24b8 fix(embedded): sankey charts (#30491) 2024-10-02 13:45:35 -04:00
Beto Dealmeida
39209c2b40 fix: handle empty catalog when DB supports them (#29840) 2024-08-13 10:08:43 -04:00
Beto Dealmeida
fb15278f97 fix: catalog permission check (#29581) 2024-07-12 21:00:13 -04:00
Beto Dealmeida
a56f656a83 fix: small fixes to the catalog migration (#29579) 2024-07-12 20:49:30 -04:00
Beto Dealmeida
67df4e3ce3 fix: prevent guest users from changing columns (#29530) 2024-07-10 12:26:51 -04:00
John Bodley
8fb8199a55 chore(dao/command): Add transaction decorator to try to enforce "unit of work" (#24969) 2024-06-28 12:33:56 -07:00
Beto Dealmeida
8e15d4807f chore: s/MockFixture/MockerFixture/g (#29160) 2024-06-10 12:35:07 -04:00
Beto Dealmeida
ba2cf5dbbc chore: unit tests for catalog_access (#28406) 2024-05-09 14:41:33 -04:00
Beto Dealmeida
e90246fd1f feat(SIP-95): permissions for catalogs (#28317) 2024-05-06 11:41:58 -04:00
Beto Dealmeida
36290ce72f fix: guest queries (#27566) 2024-03-19 11:20:52 -04:00
Beto Dealmeida
376bfd05bd fix: pass valid SQL to SM (#27464) 2024-03-18 15:38:58 -04:00
Beto Dealmeida
36fd3c0bf8 feat: improve _extract_tables_from_sql (#26748) 2024-03-18 13:02:58 -04:00
Beto Dealmeida
735b895dd5 fix: check if guest user modified query (#27484) 2024-03-12 21:28:06 -04:00
Daniel Vaz Gaspar
ceda51617b fix: CSRF exempt unit_tests (#27168) 2024-02-20 16:18:30 +00:00
Daniel Vaz Gaspar
5b34395689 fix: chart import validation (#26993) 2024-02-06 12:14:02 +00:00
Beto Dealmeida
fade4806ce fix: prevent guest user from modifying metrics (#26749) 2024-01-29 12:59:33 -05:00
Daniel Vaz Gaspar
549abb542b fix: REST API CSRF exempt list (#25590) 2023-10-10 12:53:37 +01:00