rusackas commented on code in PR #41017:
URL: https://github.com/apache/superset/pull/41017#discussion_r3409110777


##########
superset/security/manager.py:
##########
@@ -342,10 +342,29 @@ def _init_properties(self) -> None:
 ViewMenuModelView.include_route_methods = {RouteMethod.LIST}
 
 
+# Keys on an adhoc column/metric that a guest may legitimately change through a
+# supported native filter, and which therefore must not count as payload
+# tampering. The time grain of a temporal x-axis is baked into its `BASE_AXIS`
+# column by `normalizeTimeColumn` on the frontend (it copies
+# `extras.time_grain_sqla` onto the column), so a Time Grain filter alters the
+# column payload without changing which data is queried.
+GUEST_OVERRIDABLE_VALUE_KEYS = frozenset({"timeGrain"})
+
+
 def freeze_value(value: Any) -> str:
     """
     Used to compare column and metric sets.
+
+    Guest-overridable keys (e.g. the time grain baked into a temporal x-axis
+    column) are dropped so that legitimate native-filter changes don't read as
+    payload tampering.
     """
+    if isinstance(value, dict):
+        value = {
+            key: val
+            for key, val in value.items()
+            if key not in GUEST_OVERRIDABLE_VALUE_KEYS
+        }
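Review bot: the key filtering added at the top of `freeze_value` only applies when `value` itself is a dict, so a column dict that is nested inside a list or tuple (an `orderby` entry, for instance) still carries its `timeGrain` key into the frozen string and a legitimate Time Grain filter change on a sorted temporal axis would still compare as payload tampering. Consider recursing into list, tuple and dict values before serializing, e.g. `if isinstance(value, (list, tuple)): value = [freeze_value(v) for v in value]`, and add a test that sorts by the temporal axis to cover that path.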

Review Comment:
   Good catch — `orderby` entries are tuples, so the nested column dict never got its `timeGrain` stripped. Made `freeze_value` recurse into lists/tuples and added a test for sorting by the temporal axis.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
