suddjian commented on a change in pull request #19242:
URL: https://github.com/apache/superset/pull/19242#discussion_r829390025
##########
File path: superset/config.py
##########
@@ -443,6 +443,7 @@ def _try_json_readsha(filepath: str, length: int) ->
Optional[str]:
"ALLOW_FULL_CSV_EXPORT": False,
"UX_BETA": False,
"GENERIC_CHART_AXES": False,
+ "ALLOW_ADHOC_SUBQUERY": True,
Review comment:
This should probably default to False since subqueries currently can
violate access rules. We can change the default to True once we have more
protections in place.
##########
File path: superset/connectors/sqla/utils.py
##########
@@ -119,3 +120,22 @@ def get_virtual_table_metadata(dataset: "SqlaTable") ->
List[Dict[str, str]]:
except Exception as ex:
raise SupersetGenericDBErrorException(message=str(ex)) from ex
return cols
+
+
+def allow_adhoc_subquery(raw_sql: str) -> bool:
+ # pylint: disable=import-outside-toplevel
+ from superset import is_feature_enabled
+
+ if is_feature_enabled("ALLOW_ADHOC_SUBQUERY"):
+ return True
+
+ statement = sqlparse.parse(raw_sql)[0]
+ if has_table_query(statement):
+ raise SupersetSecurityException(
+ SupersetError(
+ error_type=SupersetErrorType.ADHOC_SUBQUERY_NOT_ALLOWED_ERROR,
+ message=_("Custom SQL does not allow subquery."),
Review comment:
```suggestion
message=_("Custom SQL fields cannot contain subqueries."),
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
