fisjac pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/master by this push:
new dd39138e6e fix(chart data): removing query from /chart/data payload
when accessing as guest user (#30858)
dd39138e6e is described below
commit dd39138e6e9215c1548ff564b82487e83d2e8a94
Author: Jack <[email protected]>
AuthorDate: Thu Nov 7 11:24:15 2024 -0600
fix(chart data): removing query from /chart/data payload when accessing as
guest user (#30858)
---
superset/charts/data/api.py | 7 +++-
tests/integration_tests/charts/api_tests.py | 56 +++++++++++++++++++++++++++++
2 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/superset/charts/data/api.py b/superset/charts/data/api.py
index ae88fdef5a..653b09896e 100644
--- a/superset/charts/data/api.py
+++ b/superset/charts/data/api.py
@@ -394,8 +394,13 @@ class ChartDataRestApi(ChartRestApi):
)
if result_format == ChartDataResultFormat.JSON:
+ queries = result["queries"]
+ if security_manager.is_guest_user():
+ for query in queries:
+ with contextlib.suppress(KeyError):
+ del query["query"]
response_data = json.dumps(
- {"result": result["queries"]},
+ {"result": queries},
default=json.json_int_dttm_ser,
ignore_nan=True,
)
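Review bot: The guest branch removes the SQL with `del query["query"]` on the dicts inside `result["queries"]`, so it mutates the payload objects in place instead of redacting a copy. Whether those dicts are shared with a cache entry or reused later in the request is not visible in this hunk; building a redacted copy avoids the question: `queries = [{k: v for k, v in q.items() if k != "query"} for q in queries]`. The redaction also runs only on the JSON branch and drops a single key by name, so it is worth confirming that no other field of the query payload (error text, for instance) and no other result format returns the generated SQL to guests. A short comment such as `# Guest (embedded) users must not receive the generated SQL` would record why the key is dropped. The enclosing method starts and ends outside the hunk.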
diff --git a/tests/integration_tests/charts/api_tests.py
b/tests/integration_tests/charts/api_tests.py
index a99ba04f78..784c4651ad 100644
--- a/tests/integration_tests/charts/api_tests.py
+++ b/tests/integration_tests/charts/api_tests.py
@@ -24,6 +24,7 @@ from zipfile import is_zipfile, ZipFile
import prison
import pytest
import yaml
+from flask import g
from flask_babel import lazy_gettext as _
from parameterized import parameterized
from sqlalchemy import and_
@@ -62,6 +63,7 @@ from tests.integration_tests.fixtures.importexport import (
dataset_config,
dataset_metadata_config,
)
+from tests.integration_tests.fixtures.query_context import get_query_context
from tests.integration_tests.fixtures.tags import (
create_custom_tags, # noqa: F401
get_filter_params,
@@ -2327,3 +2329,57 @@ class TestChartApi(ApiOwnersTestCaseMixin,
InsertChartMixin, SupersetTestCase):
security_manager.add_permission_role(alpha_role, write_tags_perm)
security_manager.add_permission_role(alpha_role, tag_charts_perm)
+
+
@patch("superset.security.manager.SupersetSecurityManager.has_guest_access")
+ @patch("superset.security.manager.SupersetSecurityManager.is_guest_user")
+ @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
+ def test_get_chart_data_as_guest_user(
+ self, is_guest_user, has_guest_access
+ ): # get_guest_rls_filters
+ """
+ Chart API: Test create simple chart
+ """
+ self.login(ADMIN_USERNAME)
+ g.user.rls = []
+ is_guest_user.return_value = True
+ has_guest_access.return_value = True
+
+ with mock.patch.object(Slice, "get_query_context") as
mock_get_query_context:
+ mock_get_query_context.return_value =
get_query_context("birth_names")
+ rv = self.client.post(
+ "api/v1/chart/data", # noqa: F541
+ json={
+ "datasource": {"id": 2, "type": "table"},
+ "queries": [
+ {
+ "extras": {"where": "", "time_grain_sqla": "P1D"},
+ "columns": ["name"],
+ "metrics": [{"label": "sum__num"}],
+ "orderby": [("sum__num", False)],
+ "row_limit": 100,
+ "granularity": "ds",
+ "time_range": "100 years ago : now",
+ "timeseries_limit": 0,
+ "timeseries_limit_metric": None,
+ "order_desc": True,
+ "filters": [
+ {"col": "gender", "op": "==", "val": "boy"},
+ {"col": "num", "op": "IS NOT NULL"},
+ {
+ "col": "name",
+ "op": "NOT IN",
+ "val": ["<NULL>", '"abc"'],
+ },
+ ],
+ "having": "",
+ "where": "",
+ }
+ ],
+ "result_format": "json",
+ "result_type": "full",
+ },
+ )
+ data = json.loads(rv.data.decode("utf-8"))
+ result = data["result"]
+ excluded_key = "query"
+ assert all([excluded_key not in query for query in result])
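Review bot: The final assertion `assert all([excluded_key not in query for query in result])` passes vacuously when `result` is empty, and the test never checks the response status, so a response with an empty `result` list still counts as success; add `assert rv.status_code == 200` and `assert result` before it. There is also no control case showing that a non-guest response still carries `query`, so the test would keep passing if the key were renamed or dropped from the payload for everyone. The docstring `Chart API: Test create simple chart` and the trailing `# get_guest_rls_filters` comment look copied from elsewhere; a docstring such as `Chart API: guest users do not receive the generated SQL from /chart/data` describes what is being tested. The hard-coded `"datasource": {"id": 2, "type": "table"}` assumes a fixture id that is not visible in this hunk.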