This is an automated email from the ASF dual-hosted git repository. michaelsmolina pushed a commit to branch 3.0 in repository https://gitbox.apache.org/repos/asf/superset.git
commit ff5de2547853733254694bb9abc9796375ff684a
Author: Jack Fragassi <[email protected]>
AuthorDate: Tue Nov 21 15:39:42 2023 -0800

fix: Prevent cached bootstrap data from leaking between users w/ same first/last name (#26023)
---
superset/embedded/view.py | 4 ++--
superset/views/base.py | 18 +++++++++++-------
superset/views/core.py | 6 +++---
superset/views/dashboard/views.py | 2 +-
4 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/superset/embedded/view.py b/superset/embedded/view.py
index e59a6ced90..462c6046fa 100644
--- a/superset/embedded/view.py
+++ b/superset/embedded/view.py
@@ -17,7 +17,7 @@
 import json
 from typing import Callable
 
-from flask import abort, g, request
+from flask import abort, request
 from flask_appbuilder import expose
 from flask_login import AnonymousUserMixin, login_user
 from flask_wtf.csrf import same_origin
@@ -78,7 +78,7 @@ class EmbeddedView(BaseSupersetView):
 )
 
 bootstrap_data = {
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
 "embedded": {
 "dashboard_id": embedded.dashboard_id,
 },
diff --git a/superset/views/base.py b/superset/views/base.py
index a0102bf3bb..c77a3e5c87 100644
--- a/superset/views/base.py
+++ b/superset/views/base.py
@@ -14,6 +14,8 @@
 # KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations
 # under the License.
+from __future__ import annotations
+
 import dataclasses
 import functools
 import logging
@@ -295,7 +297,7 @@ class BaseSupersetView(BaseView):
 def render_app_template(self) -> FlaskResponse:
 payload = {
 "user": bootstrap_user_data(g.user, include_perms=True),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
 }
 return self.render_template(
 "superset/spa.html",
@@ -383,7 +385,9 @@ def menu_data(user: User) -> dict[str, Any]:
 
 
 @cache_manager.cache.memoize(timeout=60)
-def cached_common_bootstrap_data(user: User, locale: str) -> dict[str, Any]:
+def cached_common_bootstrap_data( # pylint: disable=unused-argument
+ user_id: int | None, locale: str
+) -> dict[str, Any]:
 """Common data always sent to the client
 
 The function is memoized as the return value only changes when user permissions
@@ -420,15 +424,15 @@ def cached_common_bootstrap_data(user: User, locale: str) -> dict[str, Any]:
 "extra_sequential_color_schemes": conf["EXTRA_SEQUENTIAL_COLOR_SCHEMES"],
 "extra_categorical_color_schemes": conf["EXTRA_CATEGORICAL_COLOR_SCHEMES"],
 "theme_overrides": conf["THEME_OVERRIDES"],
- "menu_data": menu_data(user),
+ "menu_data": menu_data(g.user),
 }
 bootstrap_data.update(conf["COMMON_BOOTSTRAP_OVERRIDES_FUNC"](bootstrap_data))
 return bootstrap_data
 
 
-def common_bootstrap_payload(user: User) -> dict[str, Any]:
+def common_bootstrap_payload() -> dict[str, Any]:
 return {
- **cached_common_bootstrap_data(user, get_locale()),
+ **cached_common_bootstrap_data(utils.get_user_id(), get_locale()),
 "flash_messages": get_flashed_messages(with_categories=True),
 }
 
@@ -538,7 +542,7 @@ def show_unexpected_exception(ex: Exception) -> FlaskResponse:
 def get_common_bootstrap_data() -> dict[str, Any]:
 def serialize_bootstrap_data() -> str:
 return json.dumps(
- {"common": common_bootstrap_payload(g.user)},
+ {"common": common_bootstrap_payload()},
 default=utils.pessimistic_json_iso_dttm_ser,
 )
 
@@ -556,7 +560,7 @@ class SupersetModelView(ModelView):
 def render_app_template(self) -> FlaskResponse:
 payload = {
 "user": bootstrap_user_data(g.user, include_perms=True),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
 }
 return self.render_template(
 "superset/spa.html",
diff --git a/superset/views/core.py b/superset/views/core.py
index e39edb99af..22e09f9ff4 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
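Review bot: The new signature keys the memoized result on `user_id` and `locale`, but the docstring carried over from the old version (`The function is memoized as the return value only changes when user permissions ...`) still does not say why the key is an id rather than the `User` object, and the `# pylint: disable=unused-argument` on the `def` line is the only hint that `user_id` exists purely for the cache key. Given that the commit title ties the leak to users sharing a first/last name, the old key presumably collided on the User object's display form, and a later cleanup that "simplifies" the parameter back to the object would reintroduce the leak silently. Suggest adding a sentence to the docstring such as `Memoized on (user_id, locale): user_id is consumed only by the cache key, so callers must pass a stable per-user identifier and never the User object, otherwise the cached payload is shared across users.` The body of cached_common_bootstrap_data continues outside this hunk.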
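Review bot: `cached_common_bootstrap_data` is now keyed on `user_id` yet builds `menu_data(g.user)` from the request context, so the cached entry is only correct if `utils.get_user_id()` is always derived from the same `g.user` the body reads; that coupling is invisible at the call site in `common_bootstrap_payload()` and deserves a comment next to `menu_data(g.user)`, e.g. `# g.user must be the user whose id forms the memoize key above`. Because `user_id` is `int | None`, every request without an authenticated user shares one cache entry per locale, which is only safe while all such users carry identical menu permissions; a short note on that assumption would help a future reader. Dropping the positional parameter from `common_bootstrap_payload` also turns any out-of-tree caller still passing `g.user` into a `TypeError` on this 3.0 branch; if backward compatibility matters for the maintenance release, an optional ignored parameter would avoid that.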
@@ -636,7 +636,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
 "force": force,
 "user": bootstrap_user_data(g.user, include_perms=True),
 "forced_height": request.args.get("height"),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
 }
 if slc:
 title = slc.slice_name
@@ -896,7 +896,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
 bootstrap_data=json.dumps(
 {
 "user": bootstrap_user_data(g.user, include_perms=True),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
 },
 default=utils.pessimistic_json_iso_dttm_ser,
 ),
@@ -990,7 +990,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
 
 payload = {
 "user": bootstrap_user_data(g.user, include_perms=True),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
 }
 
 return self.render_template(
diff --git a/superset/views/dashboard/views.py b/superset/views/dashboard/views.py
index ba8b8b2fb3..e3a931105a 100644
--- a/superset/views/dashboard/views.py
+++ b/superset/views/dashboard/views.py
@@ -151,7 +151,7 @@ class Dashboard(BaseSupersetView):
 )
 
 bootstrap_data = {
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
 "embedded": {"dashboard_id": dashboard_id_or_slug},
 }
 
