korbit-ai[bot] commented on code in PR #32834:
URL: https://github.com/apache/superset/pull/32834#discussion_r2011159161
##########
superset/annotation_layers/api.py:
##########
@@ -352,3 +352,67 @@ def bulk_delete(self, **kwargs: Any) -> Response:
return self.response_422(message=str(ex))
except AnnotationLayerDeleteFailedError as ex:
return self.response_422(message=str(ex))
+
+ @expose("/<int:layer_id>/annotations", methods=("GET",))
+ @protect()
+ @safe
+ @permission_name("get")
+ def get_annotations(self, layer_id: int) -> Response:
+ """Get all annotations for a given layer.
+ ---
+ get:
+ summary: Get all annotations for a given layer
+ parameters:
+ - in: path
+ schema:
+ type: integer
+ name: layer_id
+ description: The annotation layer id
+ responses:
+ 200:
+ description: Annotations fetched
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ type: object
+ properties:
+ id:
+ type: integer
+ start_dttm:
+ type: string
+ format: date-time
+ end_dttm:
+ type: string
+ format: date-time
+ short_descr:
+ type: string
+ long_descr:
+ type: string
+ json_metadata:
+ type: string
+ 404:
+ $ref: '#/components/responses/404'
+ 500:
+ $ref: '#/components/responses/500'
+ """
+ annotations = (
+ self.appbuilder.get_session.query(Annotation)
+ .filter(Annotation.layer_id == layer_id)
+ .all()
+ )
Review Comment:
### Missing Layer Access Authorization Check <sub></sub>
<details>
<summary>Tell me more</summary>
###### What is the issue?
The get_annotations endpoint retrieves annotations without verifying that the
requesting user is authorized to access the specified layer_id.
###### Why this matters
This could allow unauthorized users to access annotation data from any layer
by simply knowing or guessing layer IDs, potentially exposing sensitive
information.
###### Suggested change ∙ *Feature Preview*
Add authorization check before querying annotations:
```python
layer = self.appbuilder.get_session.query(AnnotationLayer).get(layer_id)
if not layer or not security_manager.can_access('can_read', layer):
return self.response_404()
```
</details>