mirror of
https://github.com/apache/superset.git
synced 2026-04-07 10:31:50 +00:00
315a11dfe2
* fix: shut off all uneeded endpoints We recently added a new feature to FAB allowing to whitelist the needed endpoints in ModelView and ModelRestApi. First, we set our base wrapper class to an empty set, forcing each class inheriting from it to explicitely turn on the endpoints that Superset intends to use. Second, we go ModelView by ModelView to whitelist the actual endpoints used in the app. Notes: * as a result a large set of [unneeded] permissions should be cleaned up * outside of the "private" use of endpoints in the app, people that have been using endpoints in their environment for other purposes may experience loss of functionality * Tweaking * Reduce the amount of endpoints using white lists * Fix, included needed endpoints for dashboard and druid * Drying things up * fixes * limiting more endpoints * Read only on some FAB model views * fixing some tests * fixes * Fixing more tests * Addressing comments * Drying up route_methods * further drying Co-authored-by: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
311 lines
10 KiB
Python
311 lines
10 KiB
Python
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
import json
|
|
import logging
|
|
import re
|
|
from typing import Dict, List
|
|
|
|
from flask import current_app, g, make_response
|
|
from flask_appbuilder.api import expose, protect, rison, safe
|
|
from flask_appbuilder.models.sqla.interface import SQLAInterface
|
|
from flask_babel import lazy_gettext as _, ngettext
|
|
from marshmallow import fields, post_load, pre_load, Schema, ValidationError
|
|
from marshmallow.validate import Length
|
|
from sqlalchemy.exc import SQLAlchemyError
|
|
|
|
from superset.constants import RouteMethod
|
|
from superset.exceptions import SupersetException, SupersetSecurityException
|
|
from superset.models.dashboard import Dashboard
|
|
from superset.utils import core as utils
|
|
from superset.views.base import check_ownership, generate_download_headers
|
|
from superset.views.base_api import BaseOwnedModelRestApi
|
|
from superset.views.base_schemas import BaseOwnedSchema, validate_owner
|
|
|
|
from .mixin import DashboardMixin
|
|
|
|
logger = logging.getLogger(__name__)
|
|
get_delete_ids_schema = {"type": "array", "items": {"type": "integer"}}
|
|
|
|
|
|
class DashboardJSONMetadataSchema(Schema):
|
|
timed_refresh_immune_slices = fields.List(fields.Integer())
|
|
filter_scopes = fields.Dict()
|
|
expanded_slices = fields.Dict()
|
|
refresh_frequency = fields.Integer()
|
|
default_filters = fields.Str()
|
|
filter_immune_slice_fields = fields.Dict()
|
|
stagger_refresh = fields.Boolean()
|
|
stagger_time = fields.Integer()
|
|
|
|
|
|
def validate_json(value):
|
|
try:
|
|
utils.validate_json(value)
|
|
except SupersetException:
|
|
raise ValidationError("JSON not valid")
|
|
|
|
|
|
def validate_json_metadata(value):
|
|
if not value:
|
|
return
|
|
try:
|
|
value_obj = json.loads(value)
|
|
except json.decoder.JSONDecodeError:
|
|
raise ValidationError("JSON not valid")
|
|
errors = DashboardJSONMetadataSchema(strict=True).validate(value_obj, partial=False)
|
|
if errors:
|
|
raise ValidationError(errors)
|
|
|
|
|
|
def validate_slug_uniqueness(value):
|
|
# slug is not required but must be unique
|
|
if value:
|
|
item = (
|
|
current_app.appbuilder.get_session.query(Dashboard.id)
|
|
.filter_by(slug=value)
|
|
.one_or_none()
|
|
)
|
|
if item:
|
|
raise ValidationError("Must be unique")
|
|
|
|
|
|
class BaseDashboardSchema(BaseOwnedSchema):
|
|
@pre_load
|
|
def pre_load(self, data): # pylint: disable=no-self-use
|
|
super().pre_load(data)
|
|
data["slug"] = data.get("slug")
|
|
data["owners"] = data.get("owners", [])
|
|
if data["slug"]:
|
|
data["slug"] = data["slug"].strip()
|
|
data["slug"] = data["slug"].replace(" ", "-")
|
|
data["slug"] = re.sub(r"[^\w\-]+", "", data["slug"])
|
|
|
|
|
|
class DashboardPostSchema(BaseDashboardSchema):
|
|
__class_model__ = Dashboard
|
|
|
|
dashboard_title = fields.String(allow_none=True, validate=Length(0, 500))
|
|
slug = fields.String(
|
|
allow_none=True, validate=[Length(1, 255), validate_slug_uniqueness]
|
|
)
|
|
owners = fields.List(fields.Integer(validate=validate_owner))
|
|
position_json = fields.String(validate=validate_json)
|
|
css = fields.String()
|
|
json_metadata = fields.String(validate=validate_json_metadata)
|
|
published = fields.Boolean()
|
|
|
|
|
|
class DashboardPutSchema(BaseDashboardSchema):
|
|
dashboard_title = fields.String(allow_none=True, validate=Length(0, 500))
|
|
slug = fields.String(allow_none=True, validate=Length(0, 255))
|
|
owners = fields.List(fields.Integer(validate=validate_owner))
|
|
position_json = fields.String(validate=validate_json)
|
|
css = fields.String()
|
|
json_metadata = fields.String(validate=validate_json_metadata)
|
|
published = fields.Boolean()
|
|
|
|
@post_load
|
|
def make_object(self, data: Dict, discard: List[str] = None) -> Dashboard:
|
|
self.instance = super().make_object(data, [])
|
|
for slc in self.instance.slices:
|
|
slc.owners = list(set(self.instance.owners) | set(slc.owners))
|
|
return self.instance
|
|
|
|
|
|
get_export_ids_schema = {"type": "array", "items": {"type": "integer"}}
|
|
|
|
|
|
class DashboardRestApi(DashboardMixin, BaseOwnedModelRestApi):
|
|
datamodel = SQLAInterface(Dashboard)
|
|
include_route_methods = RouteMethod.REST_MODEL_VIEW_CRUD_SET | {
|
|
RouteMethod.EXPORT,
|
|
RouteMethod.RELATED,
|
|
"bulk_delete", # not using RouteMethod since locally defined
|
|
}
|
|
resource_name = "dashboard"
|
|
allow_browser_login = True
|
|
|
|
class_permission_name = "DashboardModelView"
|
|
show_columns = [
|
|
"dashboard_title",
|
|
"slug",
|
|
"owners.id",
|
|
"owners.username",
|
|
"position_json",
|
|
"css",
|
|
"json_metadata",
|
|
"published",
|
|
"table_names",
|
|
"charts",
|
|
]
|
|
order_columns = ["dashboard_title", "changed_on", "published", "changed_by_fk"]
|
|
list_columns = [
|
|
"id",
|
|
"dashboard_title",
|
|
"url",
|
|
"published",
|
|
"changed_by.username",
|
|
"changed_by_name",
|
|
"changed_by_url",
|
|
"changed_on",
|
|
]
|
|
|
|
add_model_schema = DashboardPostSchema()
|
|
edit_model_schema = DashboardPutSchema()
|
|
|
|
order_rel_fields = {
|
|
"slices": ("slice_name", "asc"),
|
|
"owners": ("first_name", "asc"),
|
|
}
|
|
filter_rel_fields_field = {"owners": "first_name", "slices": "slice_name"}
|
|
|
|
@expose("/", methods=["DELETE"])
|
|
@protect()
|
|
@safe
|
|
@rison(get_delete_ids_schema)
|
|
def bulk_delete(self, **kwargs): # pylint: disable=arguments-differ
|
|
"""Delete bulk Dashboards
|
|
---
|
|
delete:
|
|
parameters:
|
|
- in: query
|
|
name: q
|
|
content:
|
|
application/json:
|
|
schema:
|
|
type: array
|
|
items:
|
|
type: integer
|
|
responses:
|
|
200:
|
|
description: Dashboard bulk delete
|
|
content:
|
|
application/json:
|
|
schema:
|
|
type: object
|
|
properties:
|
|
message:
|
|
type: string
|
|
401:
|
|
$ref: '#/components/responses/401'
|
|
403:
|
|
$ref: '#/components/responses/401'
|
|
404:
|
|
$ref: '#/components/responses/404'
|
|
422:
|
|
$ref: '#/components/responses/422'
|
|
500:
|
|
$ref: '#/components/responses/500'
|
|
"""
|
|
item_ids = kwargs["rison"]
|
|
query = self.datamodel.session.query(Dashboard).filter(
|
|
Dashboard.id.in_(item_ids)
|
|
)
|
|
items = self._base_filters.apply_all(query).all()
|
|
if not items:
|
|
return self.response_404()
|
|
# Check user ownership over the items
|
|
for item in items:
|
|
try:
|
|
check_ownership(item)
|
|
except SupersetSecurityException as e:
|
|
logger.warning(
|
|
f"Dashboard {item} was not deleted, "
|
|
f"because the user ({g.user}) does not own it"
|
|
)
|
|
return self.response(403, message=_("No dashboards deleted"))
|
|
except SQLAlchemyError as e:
|
|
logger.error(f"Error checking dashboard ownership {e}")
|
|
return self.response_422(message=str(e))
|
|
# bulk delete, first delete related data
|
|
for item in items:
|
|
try:
|
|
item.slices = []
|
|
item.owners = []
|
|
self.datamodel.session.merge(item)
|
|
except SQLAlchemyError as e:
|
|
logger.error(f"Error bulk deleting related data on dashboards {e}")
|
|
self.datamodel.session.rollback()
|
|
return self.response_422(message=str(e))
|
|
# bulk delete itself
|
|
try:
|
|
self.datamodel.session.query(Dashboard).filter(
|
|
Dashboard.id.in_(item_ids)
|
|
).delete(synchronize_session="fetch")
|
|
except SQLAlchemyError as e:
|
|
logger.error(f"Error bulk deleting dashboards {e}")
|
|
self.datamodel.session.rollback()
|
|
return self.response_422(message=str(e))
|
|
self.datamodel.session.commit()
|
|
return self.response(
|
|
200,
|
|
message=ngettext(
|
|
f"Deleted %(num)d dashboard",
|
|
f"Deleted %(num)d dashboards",
|
|
num=len(items),
|
|
),
|
|
)
|
|
|
|
@expose("/export/", methods=["GET"])
|
|
@protect()
|
|
@safe
|
|
@rison(get_export_ids_schema)
|
|
def export(self, **kwargs):
|
|
"""Export dashboards
|
|
---
|
|
get:
|
|
parameters:
|
|
- in: query
|
|
name: q
|
|
content:
|
|
application/json:
|
|
schema:
|
|
type: array
|
|
items:
|
|
type: integer
|
|
responses:
|
|
200:
|
|
description: Dashboard export
|
|
content:
|
|
text/plain:
|
|
schema:
|
|
type: string
|
|
400:
|
|
$ref: '#/components/responses/400'
|
|
401:
|
|
$ref: '#/components/responses/401'
|
|
404:
|
|
$ref: '#/components/responses/404'
|
|
422:
|
|
$ref: '#/components/responses/422'
|
|
500:
|
|
$ref: '#/components/responses/500'
|
|
"""
|
|
query = self.datamodel.session.query(Dashboard).filter(
|
|
Dashboard.id.in_(kwargs["rison"])
|
|
)
|
|
query = self._base_filters.apply_all(query)
|
|
ids = [item.id for item in query.all()]
|
|
if not ids:
|
|
return self.response_404()
|
|
export = Dashboard.export_dashboards(ids)
|
|
resp = make_response(export, 200)
|
|
resp.headers["Content-Disposition"] = generate_download_headers("json")[
|
|
"Content-Disposition"
|
|
]
|
|
return resp
|