rusackas opened a new pull request, #40643: URL: https://github.com/apache/superset/pull/40643
### SUMMARY

`UserRegistrationsRestAPI` (`superset/security/api.py`) listed `registration_hash` in `list_columns`, exposing it in admin API responses — and therefore in proxy logs, response caches, and browser history. That hash is a **bearer token** for the `/register/activation/<hash>` flow: anyone who obtains it can activate the pending account (with the registrant's chosen password and the configured registration role), bypassing the intended email delivery channel. Per project policy, secret material should be masked regardless of caller privilege.

Changes:

- Remove `registration_hash` from `list_columns`, and add an explicit `search_columns` that omits it (so it can't be enumerated via `sw`/`ct` filter probing either).
- Remove the corresponding column, filter, and type field from the `UserRegistrations` admin page (`superset-frontend/src/pages/UserRegistrations/index.tsx`).
- Update the page test to assert the "Registration hash" column is no longer rendered.

(Self-registration is off by default — `AUTH_USER_REGISTRATION` defaults to `False` — and this API is admin-only, which bounds severity.)

### TESTING INSTRUCTIONS

```
cd superset-frontend
npm run test -- src/pages/UserRegistrations/UserRegistrations.test.tsx
```

The list endpoint no longer returns `registration_hash`; the admin page no longer renders or filters on it.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [x] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
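As an added illustration of the allow-list change the PR describes, and not Superset's or Flask-AppBuilder's own code: a simplified Python model of `list_columns` versus `search_columns` semantics (the class, field and helper names below are assumptions) showing that the weak configuration both serializes the hash and accepts filters on it, while the corrected configuration does neither.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

SECRET_COLUMNS = {"registration_hash"}

# Filter operators named as in FAB's rison `filters` parameter (sw/ct/eq).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "sw": lambda actual, probe: actual.startswith(probe),
    "ct": lambda actual, probe: probe in actual,
    "eq": lambda actual, probe: actual == probe,
}

@dataclass
class RegisteringUser:
    username: str
    email: str
    registration_hash: str  # bearer token for /register/activation/<hash>

@dataclass
class RegistrationsApi:
    """Stand-in for a ModelRestApi subclass (assumption: simplified semantics)."""
    list_columns: List[str]
    search_columns: Optional[List[str]] = None

    def effective_search_columns(self) -> List[str]:
        # Assumption: with search_columns unset, every listed column is filterable,
        # which is why the PR sets search_columns explicitly.
        return self.list_columns if self.search_columns is None else self.search_columns

    def list(self, rows: Sequence[RegisteringUser],
             filters: Sequence[Tuple[str, str, str]] = ()) -> List[dict]:
        """Serialize only list_columns; refuse filters outside search_columns."""
        allowed = set(self.effective_search_columns())
        for col, op, _ in filters:
            if col not in allowed or op not in OPERATORS:
                raise PermissionError(f"filter {op!r} on {col!r} is not permitted")
        return [{col: getattr(row, col) for col in self.list_columns} for row in rows
                if all(OPERATORS[op](getattr(row, col), probe) for col, op, probe in filters)]

def leaked_secret_columns(api: RegistrationsApi, rows: Sequence[RegisteringUser]) -> set:
    """Regression check: secret columns that still appear in the list response."""
    return {col for item in api.list(rows) for col in item if col in SECRET_COLUMNS}

def filter_permitted(api: RegistrationsApi, column: str) -> bool:
    """True if the API would evaluate a filter on `column` (i.e. it is probe-able)."""
    return column in api.effective_search_columns()

# Constructed sample data; the hashes are placeholders, not real tokens.
ROWS = [RegisteringUser("alice", "alice@example.test", "PLACEHOLDER_HASH_0001"),
        RegisteringUser("bob", "bob@example.test", "PLACEHOLDER_HASH_0002")]
BEFORE = RegistrationsApi(list_columns=["username", "email", "registration_hash"])
AFTER = RegistrationsApi(list_columns=["username", "email"], search_columns=["username", "email"])
```

Running `leaked_secret_columns` and `filter_permitted` against `BEFORE` and `AFTER` is the kind of backend regression check that complements the frontend test the PR adds.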
