rusackas commented on PR #41017:
URL: https://github.com/apache/superset/pull/41017#issuecomment-4700718162

@aminghadersohi thanks for the careful read. On M1 — yeah, the strip is
symmetric on purpose: a guest adding a grain to an otherwise-unbucketed
`BASE_AXIS` column is the same entitled interaction as changing one. Same rows,
same columns, same metrics — only the bucket width moves, and the SQL gen
already gates that to `BASE_AXIS`. No boundary in `SECURITY.md` lets a guest do
less than that, so I think it's in scope for the guest token, not a widening.

Added the adversarial test from L1 — grain change + a swapped
`sqlExpression` still trips the guard. N1 (the ioredis bump) already landed on
`master` separately, so it's a no-op against current `master` here. :)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
