rusackas commented on code in PR #35237:
URL: https://github.com/apache/superset/pull/35237#discussion_r2377065570
##########
superset/views/core.py:
##########
@@ -796,19 +767,9 @@ def dashboard(
try:
dashboard.raise_for_access()
- except SupersetSecurityException as ex:
- # anonymous users should get the login screen, others should go to
dashboard list # noqa: E501
- if g.user is None or g.user.is_anonymous:
- redirect_url =
f"{appbuilder.get_url_for_login}?next={request.url}"
- warn_msg = "Users must be logged in to view this dashboard."
- else:
- redirect_url = url_for("DashboardModelView.list")
- warn_msg = utils.error_msg_from_exception(ex)
- return redirect_with_flash(
- url=redirect_url,
- message=warn_msg,
- category="danger",
- )
+ except SupersetSecurityException:
+ # Return 404 to avoid revealing dashboard existence
+ abort(404)
Review Comment:
Yep... it's even in the official
[spec](https://www.rfc-editor.org/rfc/rfc9110.html) for 403 (I got curious):
> An origin server that wishes to "hide" the current existence of a
forbidden [target
resource](https://www.rfc-editor.org/rfc/rfc9110.html#target.resource) MAY
instead respond with a status code of [404 (Not
Found)](https://www.rfc-editor.org/rfc/rfc9110.html#status.404).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
