sha174n opened a new pull request, #40396:
URL: https://github.com/apache/superset/pull/40396
### SUMMARY
Tighten the `GET /api/v1/dashboard/<id_or_slug>/datasets` response so
dataset-definition fields are only returned to callers with datasource-level
read access. Other callers continue to receive the rest of the payload
unchanged, so dashboards render exactly as before.
### CHANGES
- `superset/dashboards/schemas.py` — extend
`DashboardDatasetSchema.post_dump` with a `datasource_access` check. When the
caller lacks read access to the underlying datasource (`perm`), drop `sql`,
`select_star`, `fetch_values_predicate`, `template_params`, and the per-column
/ per-metric `expression` fields. The existing guest-token narrowing (strip
`owners`, `database`) is preserved.
- `tests/integration_tests/dashboards/api_tests.py`:
  - new `test_get_dashboard_datasets_strips_definition_without_datasource_access`
    confirms the trimmed payload for callers without read access.
  - existing `test_get_dashboard_datasets` gains a positive `"sql" in result[0]`
    assertion to lock in the access path.
### WHY
The dashboard `datasets` endpoint shared more dataset-definition detail with
viewers than the canonical `GET /api/v1/dataset/<id>` endpoint does, even
though both expose the same underlying object. This change aligns the two
endpoints on the same `can_access("datasource_access", perm)` check so they no
longer diverge.
### BEFORE/AFTER SCREENSHOTS
N/A — server-side payload shape only; the dashboard UI is unaffected (charts
render from query results, not from these fields).
### TESTING INSTRUCTIONS
1. Run the dashboards API integration tests:
```bash
pytest tests/integration_tests/dashboards/api_tests.py -k "test_get_dashboard_datasets"
```
2. Manual: as an admin, load any dashboard and hit
`/api/v1/dashboard/<slug>/datasets` — the response should still include `sql`,
`select_star`, etc. As a Gamma user without datasource access, the same fields
should be absent from the response while the rest of the payload (including
columns/metrics metadata used for rendering) remains intact.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in
[SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
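The narrowing the PR describes, written out as an added stand-alone example (this is not Superset's own `DashboardDatasetSchema.post_dump` code). It assumes a `can_access(permission_name, view_name)` callable in the shape of Superset's security manager check, a dataset payload carrying a `perm` string plus `columns`/`metrics` lists as the endpoint returns them, and a fail-closed policy when `perm` is missing (my assumption, not something the PR states):

```python
"""Added example, not project code: strip dataset-definition fields from a
dashboard `datasets` payload unless the caller has datasource_access."""
from __future__ import annotations

from typing import Any, Callable

# Top-level definition fields the PR lists as restricted.
DEFINITION_FIELDS = ("sql", "select_star", "fetch_values_predicate", "template_params")
# Fields the existing guest-token narrowing already removes.
GUEST_STRIPPED_FIELDS = ("owners", "database")
# Nested lists whose items carry a per-column / per-metric `expression`.
NESTED_DEFINITION_LISTS = ("columns", "metrics")


def narrow_dataset_payload(
    dataset: dict[str, Any],
    can_access: Callable[[str, str], bool],
    is_guest_user: bool = False,
) -> dict[str, Any]:
    """Return a narrowed copy of `dataset`; the input dict is never mutated."""
    result = dict(dataset)

    # Existing behaviour: guest-token callers never see owners/database.
    if is_guest_user:
        for field in GUEST_STRIPPED_FIELDS:
            result.pop(field, None)

    # Assumption: a dataset without a `perm` string is treated as inaccessible
    # (fail closed) rather than leaking its definition.
    perm = result.get("perm")
    if perm is None or not can_access("datasource_access", perm):
        for field in DEFINITION_FIELDS:
            result.pop(field, None)
        for key in NESTED_DEFINITION_LISTS:
            if key in result:
                # Keep rendering metadata (names, types, ...) but drop expressions.
                result[key] = [
                    {k: v for k, v in item.items() if k != "expression"}
                    for item in result[key]
                ]
    return result


# Constructed sample payload in the shape of one dashboard dataset entry.
SAMPLE_DATASET: dict[str, Any] = {
    "id": 1,
    "table_name": "orders",
    "perm": "[examples].[orders](id:1)",
    "sql": "SELECT * FROM raw_orders WHERE deleted = 0",
    "select_star": "SELECT * FROM orders LIMIT 100",
    "fetch_values_predicate": "ds >= '2024-01-01'",
    "template_params": '{"region": "eu"}',
    "owners": [{"id": 7}],
    "database": {"id": 1, "name": "examples"},
    "columns": [
        {"column_name": "ds", "type": "DATE", "expression": None},
        {"column_name": "net", "type": "FLOAT", "expression": "gross - refunds"},
    ],
    "metrics": [
        {"metric_name": "revenue", "expression": "SUM(net)"},
    ],
}


def allow_all(permission: str, view_name: str) -> bool:
    """Stand-in for an admin: every datasource_access check passes."""
    return True


def deny_all(permission: str, view_name: str) -> bool:
    """Stand-in for a Gamma user with no datasource_access grants."""
    return False


if __name__ == "__main__":
    print(sorted(narrow_dataset_payload(SAMPLE_DATASET, allow_all)))
    print(sorted(narrow_dataset_payload(SAMPLE_DATASET, deny_all)))
```

Running the module prints the key sets for the two callers: the admin path keeps `sql`, `select_star` and friends, while the denied path keeps `id`, `table_name`, `columns` and `metrics` (with their names and types, minus `expression`), which is the "rest of the payload remains intact" property the manual test step checks.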
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]