C-monC commented on issue #21368:
URL: https://github.com/apache/superset/issues/21368#issuecomment-1242080609
Okay, so I've spent nearly the whole day on this.
There's a `bootstrap_data` dict that is used by the frontend to configure itself.
Returned by:
```python
return self.render_template(
    "superset/spa.html",
    entry="spa",
    bootstrap_data=json.dumps(
        payload, default=utils.pessimistic_json_iso_dttm_ser
    ),
)
```
This is always correctly set in the response. Check the response of `/superset/welcome`:
```html
<div id="app" data-bootstrap="{"user": {"username": "...................
```
Now, even though the bootstrap value is correct in both Python and JavaScript, I can still get the frontend for another random user.
Specifically:
```javascript
const bootstrap = JSON.parse(container?.getAttribute('data-bootstrap') ?? '{}');
const common = { ...bootstrap.common };
const user = { ...bootstrap.user };
```
`user` is just ignored.
Considering you also get this issue, @msebastiao-maxcapital, I think this may be a security vulnerability.
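As an added illustration of the data flow described in the comment above (this is example code, not Superset's own): the server embeds the JSON payload in the `data-bootstrap` attribute of `<div id="app">`, the frontend parses it, and the `user` it carries is the value the UI should be checked against before anything user-specific is rendered. The HTML sample, the `decodeEntities` helper, the `expectedUsername` parameter and the `roles`/`locale` fields are assumptions made for the example.

```javascript
// Added example (not Superset's code): read the bootstrap payload the way the
// comment describes, from the data-bootstrap attribute of <div id="app">, and
// return the user it carries so the caller can check it rather than ignore it.

// Minimal HTML-entity decoder for the attribute value (JSON inside a
// double-quoted attribute is escaped as &quot; by the template engine).
// Assumed helper; &amp; is decoded last so nothing is double-decoded.
function decodeEntities(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Extract and parse data-bootstrap from a rendered page. Falls back to {}
// exactly like the frontend snippet does when the attribute is missing.
function parseBootstrap(html) {
  const m = html.match(/<div[^>]*id="app"[^>]*data-bootstrap="([^"]*)"/);
  const raw = m ? decodeEntities(m[1]) : '{}';
  const bootstrap = JSON.parse(raw);
  return { common: { ...bootstrap.common }, user: { ...bootstrap.user } };
}

// Defensive check: the user the server embedded must be the one the UI is
// about to render for; a mismatch means the page was built for someone else.
// expectedUsername is whatever identity the client already knows (assumed).
function bootstrapUserMatches(parsed, expectedUsername) {
  return typeof parsed.user.username === 'string'
    && parsed.user.username === expectedUsername;
}

// Constructed sample response, modelled on the /superset/welcome output above.
const SAMPLE_HTML = '<html><body>'
  + '<div id="app" data-bootstrap="{&quot;user&quot;: {&quot;username&quot;: '
  + '&quot;alice&quot;, &quot;roles&quot;: [&quot;Gamma&quot;]}, '
  + '&quot;common&quot;: {&quot;locale&quot;: &quot;en&quot;}}"></div>'
  + '</body></html>';

const parsedSample = parseBootstrap(SAMPLE_HTML);
console.log(parsedSample.user.username, bootstrapUserMatches(parsedSample, 'alice'));
```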
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]