aminghadersohi commented on code in PR #36933:
URL: https://github.com/apache/superset/pull/36933#discussion_r2790728242
##########
embed-demo.html:
##########
@@ -0,0 +1,110 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Superset Embedded Chart Demo</title>
+ <style>
+ body {
+ font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto,
sans-serif;
+ max-width: 1200px;
+ margin: 0 auto;
+ padding: 40px;
+ background: #f5f5f5;
+ }
+ h1 { color: #333; }
+ .input-section {
+ background: white;
+ border-radius: 8px;
+ padding: 20px;
+ box-shadow: 0 2px 8px rgba(0,0,0,0.1);
+ margin-bottom: 20px;
+ }
+ textarea {
+ width: 100%;
+ height: 150px;
+ font-family: monospace;
+ font-size: 12px;
+ padding: 10px;
+ border: 1px solid #ddd;
+ border-radius: 4px;
+ resize: vertical;
+ box-sizing: border-box;
+ }
+ button {
+ background: #20a7c9;
+ color: white;
+ border: none;
+ padding: 12px 24px;
+ font-size: 16px;
+ border-radius: 4px;
+ cursor: pointer;
+ margin-top: 10px;
+ }
+ button:hover {
+ background: #1a8fa8;
+ }
+ .chart-container {
+ background: white;
+ border-radius: 8px;
+ padding: 20px;
+ box-shadow: 0 2px 8px rgba(0,0,0,0.1);
+ min-height: 450px;
+ }
+ label {
+ font-weight: 600;
+ display: block;
+ margin-bottom: 8px;
+ }
+ </style>
+</head>
+<body>
+ <h1>Superset Embedded Chart Demo</h1>
+
+ <div class="input-section">
+ <label for="iframe-input">Paste iframe_html response here:</label>
+ <textarea id="iframe-input" placeholder="Paste the iframe_html value from
get_embeddable_chart response..."></textarea>
+ <button onclick="embedChart()">Embed Chart</button>
+ </div>
+
+ <div class="chart-container" id="chart-container">
+ <p style="color: #999; text-align: center; margin-top: 200px;">Chart will
appear here</p>
+ </div>
+
+ <script>
+ function embedChart() {
+ const input = document.getElementById('iframe-input').value.trim();
+ const container = document.getElementById('chart-container');
+
+ if (!input) {
+ alert('Please paste the iframe_html first');
+ return;
+ }
+
+ // Insert the iframe HTML
+ container.innerHTML = input;
Review Comment:
This is a local testing/demo file not intended for production use. It's
already excluded from the license check via `.rat-excludes`. The XSS concern is
noted but not applicable since this file is only used for local development
testing.
##########
superset/security/manager.py:
##########
@@ -2834,6 +2838,17 @@ def validate_guest_token_resources(resources:
GuestTokenResources) -> None:
embedded =
EmbeddedDashboardDAO.find_by_id(str(resource["id"]))
if not embedded:
raise EmbeddedDashboardNotFoundError()
+ elif resource["type"] ==
GuestTokenResourceType.CHART_PERMALINK.value:
+ # Validate that the chart permalink exists
+ permalink_key = str(resource["id"])
+ try:
+ permalink_value =
GetExplorePermalinkCommand(permalink_key).run()
+ if not permalink_value:
+ raise EmbeddedChartPermalinkNotFoundError()
+ except EmbeddedChartPermalinkNotFoundError:
+ raise
+ except Exception:
+ raise EmbeddedChartPermalinkNotFoundError()
Review Comment:
Addressed in commit d3d0875 - replaced broad `except Exception` with
specific `ExplorePermalinkGetFailedError, ValueError` to match the exceptions
that `GetExplorePermalinkCommand.run()` can raise.
##########
superset/security/manager.py:
##########
@@ -2834,6 +2842,17 @@ def validate_guest_token_resources(resources:
GuestTokenResources) -> None:
embedded =
EmbeddedDashboardDAO.find_by_id(str(resource["id"]))
if not embedded:
raise EmbeddedDashboardNotFoundError()
+ elif resource["type"] ==
GuestTokenResourceType.CHART_PERMALINK.value:
+ # Validate that the chart permalink exists
+ permalink_key = str(resource["id"])
+ try:
+ permalink_value =
GetExplorePermalinkCommand(permalink_key).run()
+ if not permalink_value:
+ raise EmbeddedChartPermalinkNotFoundError()
+ except EmbeddedChartPermalinkNotFoundError:
+ raise
+ except Exception:
+ raise EmbeddedChartPermalinkNotFoundError() from None
Review Comment:
Addressed in commit d3d0875 - replaced broad `except Exception` with
specific `ExplorePermalinkGetFailedError, ValueError` to match the exceptions
that `GetExplorePermalinkCommand.run()` can raise.
##########
superset/embedded_chart/api.py:
##########
@@ -0,0 +1,304 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+import logging
+from datetime import datetime, timedelta, timezone
+from typing import Any
+
+from flask import g, request, Response
+from flask_appbuilder.api import expose, protect, safe
+
+from superset.commands.explore.permalink.create import
CreateExplorePermalinkCommand
+from superset.daos.key_value import KeyValueDAO
+from superset.embedded_chart.exceptions import (
+ EmbeddedChartAccessDeniedError,
+ EmbeddedChartPermalinkNotFoundError,
+)
+from superset.explore.permalink.schemas import ExplorePermalinkSchema
+from superset.extensions import event_logger, security_manager
+from superset.key_value.shared_entries import get_permalink_salt
+from superset.key_value.types import (
+ KeyValueResource,
+ MarshmallowKeyValueCodec,
+ SharedKey,
+)
+from superset.key_value.utils import decode_permalink_id
+from superset.security.guest_token import (
+ GuestTokenResource,
+ GuestTokenResourceType,
+ GuestTokenRlsRule,
+ GuestTokenUser,
+ GuestUser,
+)
+from superset.views.base_api import BaseSupersetApi, statsd_metrics
+
+logger = logging.getLogger(__name__)
+
+
+class EmbeddedChartRestApi(BaseSupersetApi):
+ """REST API for embedded chart data retrieval."""
+
+ resource_name = "embedded_chart"
+ allow_browser_login = True
+ openapi_spec_tag = "Embedded Chart"
+
+ def _validate_guest_token_access(self, permalink_key: str) -> bool:
+ """
+ Validate that the guest token grants access to this permalink.
+
+ Guest tokens contain a list of resources the user can access.
+ For embedded charts, we check that the permalink_key is in that list.
+ """
+ user = g.user
+ if not isinstance(user, GuestUser):
+ return False
+
+ for resource in user.resources:
+ if (
+ resource.get("type") ==
GuestTokenResourceType.CHART_PERMALINK.value
+ and str(resource.get("id")) == permalink_key
+ ):
+ return True
+ return False
+
+ def _get_permalink_value(self, permalink_key: str) -> dict[str, Any] |
None:
+ """
+ Get permalink value without access checks.
+
+ For embedded charts, access is controlled via guest token validation,
+ so we skip the normal dataset/chart access checks.
+ """
+ # Use the same salt, resource, and codec as the explore permalink
command
+ salt = get_permalink_salt(SharedKey.EXPLORE_PERMALINK_SALT)
+ codec = MarshmallowKeyValueCodec(ExplorePermalinkSchema())
+ key = decode_permalink_id(permalink_key, salt=salt)
+ return KeyValueDAO.get_value(
+ KeyValueResource.EXPLORE_PERMALINK,
+ key,
+ codec,
+ )
+
+ @expose("/<permalink_key>", methods=("GET",))
+ @safe
+ @statsd_metrics
+ @event_logger.log_this_with_context(
+ action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.get",
+ log_to_statsd=False,
+ )
+ def get(self, permalink_key: str) -> Response:
+ """Get chart form_data from permalink key.
+ ---
+ get:
+ summary: Get embedded chart configuration
+ description: >-
+ Retrieves the form_data for rendering an embedded chart.
+ This endpoint is used by the embedded chart iframe to load
+ the chart configuration.
+ parameters:
+ - in: path
+ schema:
+ type: string
+ name: permalink_key
+ description: The chart permalink key
+ required: true
+ responses:
+ 200:
+ description: Chart permalink state
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ state:
+ type: object
+ properties:
+ formData:
+ type: object
+ description: The chart configuration formData
+ allowedDomains:
+ type: array
+ items:
+ type: string
+ description: Domains allowed to embed this chart
+ 401:
+ $ref: '#/components/responses/401'
+ 404:
+ $ref: '#/components/responses/404'
+ 500:
+ $ref: '#/components/responses/500'
+ """
+ try:
+ # Validate guest token grants access to this permalink
+ if not self._validate_guest_token_access(permalink_key):
+ raise EmbeddedChartAccessDeniedError()
+
+ # Get permalink value without access checks (guest token already
validated)
+ permalink_value = self._get_permalink_value(permalink_key)
+ if not permalink_value:
+ raise EmbeddedChartPermalinkNotFoundError()
+
+ # Return state in the format expected by the frontend:
+ # { state: { formData: {...}, allowedDomains: [...] } }
+ state = permalink_value.get("state", {})
+
+ return self.response(
+ 200,
+ state=state,
+ )
+ except EmbeddedChartAccessDeniedError:
+ return self.response_401()
+ except EmbeddedChartPermalinkNotFoundError:
+ return self.response_404()
+ except Exception:
+ logger.exception("Error fetching embedded chart")
+ return self.response_500()
+
+ @expose("/", methods=("POST",))
+ @protect()
+ @safe
+ @statsd_metrics
+ @event_logger.log_this_with_context(
+ action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.post",
+ log_to_statsd=False,
+ )
+ def post(self) -> Response:
+ """Create an embeddable chart with guest token.
+ ---
+ post:
+ summary: Create embeddable chart
+ description: >-
+ Creates an embeddable chart configuration with a guest token.
+ The returned iframe_url and guest_token can be used to embed
+ the chart in external applications.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ required:
+ - form_data
+ properties:
+ form_data:
+ type: object
+ description: Chart form_data configuration
+ allowed_domains:
+ type: array
+ items:
+ type: string
+ description: Domains allowed to embed this chart
+ ttl_minutes:
+ type: integer
+ default: 60
+ description: Time-to-live for the embed in minutes
+ responses:
+ 200:
+ description: Embeddable chart created
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ iframe_url:
+ type: string
+ description: URL to use in iframe src
+ guest_token:
+ type: string
+ description: Guest token for authentication
+ permalink_key:
+ type: string
+ description: Permalink key for the chart
+ expires_at:
+ type: string
+ format: date-time
+ description: When the embed expires
+ 400:
+ $ref: '#/components/responses/400'
+ 401:
+ $ref: '#/components/responses/401'
+ 500:
+ $ref: '#/components/responses/500'
+ """
+ try:
+ body = request.json or {}
+ form_data = body.get("form_data", {})
+ allowed_domains: list[str] = body.get("allowed_domains", [])
+ ttl_minutes: int = body.get("ttl_minutes", 60)
+
+ if not form_data:
+ return self.response_400(message="form_data is required")
+
+ # Validate required form_data structure
+ if not form_data.get("datasource"):
+ return self.response_400(
+ message="form_data must include 'datasource' field"
+ )
+
+ # Create permalink with the form_data
+ state = {
+ "formData": form_data,
+ "allowedDomains": allowed_domains,
+ }
+ permalink_key = CreateExplorePermalinkCommand(state).run()
+
+ # Calculate expiration
+ expires_at = datetime.now(timezone.utc) +
timedelta(minutes=ttl_minutes)
+
+ # Generate guest token
+ username = g.user.username if hasattr(g, "user") and g.user else
"anonymous"
+ guest_user: GuestTokenUser = {
+ "username": f"embed_{username}",
+ "first_name": "Embed",
+ "last_name": "User",
+ }
+
+ resources: list[GuestTokenResource] = [
+ {
Review Comment:
Addressed in commit d3d0875 - changed to use
`GuestTokenResourceType.CHART_PERMALINK.value` (string) for consistency with
how `security/manager.py` compares resource types.
##########
superset-frontend/webpack.config.js:
##########
@@ -300,6 +300,7 @@ const config = {
menu: addPreamble('src/views/menu.tsx'),
spa: addPreamble('/src/views/index.tsx'),
embedded: addPreamble('/src/embedded/index.tsx'),
+ embeddedChart: addPreamble('/src/embeddedChart/index.tsx'),
},
Review Comment:
This was already fixed in a previous commit - the entry path is now
`'src/embeddedChart/index.tsx'` without a leading slash.
##########
superset/embedded_chart/view.py:
##########
@@ -0,0 +1,72 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from typing import Callable
+
+from flask import abort, current_app
+from flask_appbuilder import expose
+from flask_login import AnonymousUserMixin, login_user
+
+from superset import event_logger, is_feature_enabled
+from superset.superset_typing import FlaskResponse
+from superset.utils import json
+from superset.views.base import BaseSupersetView, common_bootstrap_payload
+
+
+class EmbeddedChartView(BaseSupersetView):
+ """Server-side rendering for embedded chart pages."""
+
+ route_base = "/embedded/chart"
+
+ @expose("/")
+ @event_logger.log_this_with_extra_payload
+ def embedded_chart(
+ self,
+ add_extra_log_payload: Callable[..., None] = lambda **kwargs: None,
+ ) -> FlaskResponse:
+ """
+ Server side rendering for the embedded chart page.
+ Expects ?permalink_key=xxx query parameter.
+ """
+ if not is_feature_enabled("EMBEDDABLE_CHARTS_MCP"):
+ abort(404)
+
+ # Log in as anonymous user for page rendering
+ # This view needs to be visible to all users,
+ # and building the page fails if g.user and/or ctx.user aren't present.
+ login_user(AnonymousUserMixin(), force=True)
+
+ add_extra_log_payload(
+ embedded_type="chart",
+ )
+
+ bootstrap_data = {
+ "config": {
+ "GUEST_TOKEN_HEADER_NAME": current_app.config[
+ "GUEST_TOKEN_HEADER_NAME"
+ ],
Review Comment:
Already fixed - using `.get()` with default value `"X-GuestToken"` instead
of bracket notation.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
