bito-code-review[bot] commented on code in PR #40128: URL: https://github.com/apache/superset/pull/40128#discussion_r3509616916
########## superset/translations/lv/LC_MESSAGES/messages.po: ########## @@ -4429,6 +4429,9 @@ msgstr "Informācijas paneļa krāsu konfigurāciju nevarēja atjaunināt." msgid "Dashboard could not be deleted." msgstr "Infopaneli nevarēja dzēst." +msgid "Dashboard could not be restored." +msgstr "" Review Comment: <div> <div id="suggestion"> <div id="issue"><b>Missing Latvian translation</b></div> <div id="fix"> The new msgid 'Dashboard could not be restored.' has an empty `msgstr` (line 4433), causing Latvian locale users to see untranslated English text. The adjacent entries use 'Infopaneli' as the translation prefix (e.g., 'Infopaneli nevarēja dzēst' at line 4430). Consider providing a Latvian translation to maintain consistency with established patterns. </div> </div> <small><i>Code Review Run #6e7d54</i></small> </div> --- Should Bito avoid suggestions like this for future reviews? (<a href=https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules</a>) - [ ] Yes, avoid them ########## superset/migrations/versions/2026-05-08_12-05_9e1f3b8c4d2a_add_deleted_at_to_dashboards.py: ########## @@ -0,0 +1,203 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +"""Add deleted_at + partial unique slug index for soft-delete. + +Adds to the ``dashboards`` table: +- a nullable ``deleted_at`` column for soft-delete state +- an index ``ix_dashboards_deleted_at`` for the visibility-filter listener +- a partial unique index ``ix_dashboards_active_slug`` enforcing slug + uniqueness only among active (non-soft-deleted) rows + +Drops: +- the existing full unique constraint on ``slug`` (named + ``idx_unique_slug``, created in migration 1a48a5411020) + +The constraint change makes the ``slug`` field reusable after soft-delete: +soft-deleted rows no longer reserve their slug for the lifetime of the +row. ``RestoreDashboardCommand`` handles the reverse case (restoring a +dashboard whose slug has since been claimed by another active row) with +an explicit conflict error. See UPDATING.md for the user-facing change. + +Dialect support for the partial index: +- PostgreSQL: native ``WHERE deleted_at IS NULL`` partial index +- MySQL 8.0.13+ (excluding MariaDB): functional index over + ``(CASE WHEN deleted_at IS NULL THEN slug END)`` +- MySQL <8.0.13 and MariaDB: keeps the original full unique constraint + (documented limitation; functional key parts require MySQL 8.0.13+, and + MariaDB's functional-index semantics differ — see + ``_mysql_supports_functional_index``) +- SQLite: keeps the original full unique constraint (column-level + ``UNIQUE`` cannot be dropped without recreating the table, which is + not worth the migration complexity for a test-only dialect). Tests + that need to verify the partial-index behaviour run only on + PostgreSQL and MySQL 8+. + +Revision ID: 9e1f3b8c4d2a +Revises: 2bee73611e32 +Create Date: 2026-05-08 12:05:00.000000 +""" + +from alembic import op +from sqlalchemy import Column, DateTime +from sqlalchemy.engine import Connection + +from superset.migrations.shared.utils import ( + add_columns, + create_index, + drop_columns, + drop_index, + table_has_index, +) + +# revision identifiers, used by Alembic. +revision = "9e1f3b8c4d2a" +down_revision = "2bee73611e32" + +TABLE_NAME = "dashboards" +DELETED_AT_INDEX_NAME = f"ix_{TABLE_NAME}_deleted_at" +PARTIAL_SLUG_INDEX_NAME = f"ix_{TABLE_NAME}_active_slug" +# The original full unique constraint on ``slug`` was created with an +# explicit name in migration 1a48a5411020 (2015-12-04). Same name on +# PostgreSQL (constraint) and MySQL (index). +LEGACY_SLUG_INDEX_NAME = "idx_unique_slug" + + +def _mysql_supports_functional_index(bind: Connection) -> bool: + """Return True iff the connected MySQL is 8.0.13+ (supports functional indexes). + + MySQL added functional key parts in 8.0.13; 8.0.0–8.0.12 reject the + ``(CASE WHEN deleted_at IS NULL THEN slug END)`` expression at index + creation time, so deployments on those patch releases must keep the + original full slug constraint. See + https://dev.mysql.com/doc/mysql/8.0/en/create-index.html for the + 8.0.13 minimum. + + Excludes MariaDB even at server version ``>= (10, x)`` because MariaDB + reports through the same ``server_version_info`` attribute but uses + different functional-index semantics around ``CASE`` expressions. + Uses SQLAlchemy's parsed ``server_version_info`` rather than ``SELECT + VERSION()`` to avoid an extra round-trip and brittle string parsing. + """ + if getattr(bind.dialect, "is_mariadb", False): + return False + return (bind.dialect.server_version_info or ()) >= (8, 0, 13) + + +def upgrade() -> None: + bind = op.get_bind() + _add_deleted_at_column() + _replace_slug_constraint_with_partial_index(bind) + + +def downgrade() -> None: + bind = op.get_bind() + _restore_slug_constraint(bind) + _drop_deleted_at_column() + + +def _add_deleted_at_column() -> None: + add_columns(TABLE_NAME, Column("deleted_at", DateTime(), nullable=True)) + create_index(TABLE_NAME, DELETED_AT_INDEX_NAME, ["deleted_at"]) + + +def _drop_deleted_at_column() -> None: + drop_index(TABLE_NAME, DELETED_AT_INDEX_NAME) + drop_columns(TABLE_NAME, "deleted_at") + + +def _replace_slug_constraint_with_partial_index(bind: Connection) -> None: + """Swap the full UNIQUE on ``slug`` for a partial index where supported. + + The original constraint is named ``idx_unique_slug`` from migration + 1a48a5411020 — same name on PostgreSQL (constraint) and MySQL (index). + + SQLite and MySQL <8.0 are no-ops here: they keep the original full + unique constraint. See the module docstring for the rationale. + """ + dialect = bind.dialect.name + if dialect == "postgresql": + op.execute( + f"ALTER TABLE {TABLE_NAME} " + f"DROP CONSTRAINT IF EXISTS {LEGACY_SLUG_INDEX_NAME}" + ) + # Some installations may have the unique enforced as a plain + # index rather than a constraint. Both DROPs are IF EXISTS, so + # whichever path applies cleans up. + op.execute(f"DROP INDEX IF EXISTS {LEGACY_SLUG_INDEX_NAME}") + op.execute( + f"CREATE UNIQUE INDEX {PARTIAL_SLUG_INDEX_NAME} " + f"ON {TABLE_NAME} (slug) WHERE deleted_at IS NULL" + ) + elif dialect == "mysql" and _mysql_supports_functional_index(bind): + # Create the functional replacement BEFORE dropping the legacy unique + # index. MySQL autocommits each DDL statement (unlike PostgreSQL's + # transactional DDL above, where a failed CREATE rolls back the DROP), + # so a drop-then-create ordering would leave the table with no slug + # uniqueness if the CREATE failed. Creating first keeps the stricter + # existing uniqueness in place until the replacement is confirmed. + # Both statements are guarded by ``table_has_index`` because MySQL has + # no ``IF [NOT] EXISTS`` for indexes and DDL autocommits: an unguarded + # run on a table missing the legacy index (it was created inside + # ``try/except: pass`` in 2015's ``1a48a5411020``) would fail AFTER + # the partial index was committed, wedging the migration — the re-run + # would then die on the duplicate partial index. The guards make the + # migration re-runnable from any partial state. + if not table_has_index(TABLE_NAME, PARTIAL_SLUG_INDEX_NAME): + op.execute( + f"CREATE UNIQUE INDEX {PARTIAL_SLUG_INDEX_NAME} " + f"ON {TABLE_NAME} ((CASE WHEN deleted_at IS NULL THEN slug END))" + ) + if table_has_index(TABLE_NAME, LEGACY_SLUG_INDEX_NAME): + op.execute(f"ALTER TABLE {TABLE_NAME} DROP INDEX {LEGACY_SLUG_INDEX_NAME}") + + +def _restore_slug_constraint(bind: Connection) -> None: + """Restore the full UNIQUE on ``slug`` from the partial index. + + Symmetric counterpart to ``_replace_slug_constraint_with_partial_index``. + No-op on dialects that never received the partial index. + + Pre-condition: each value of ``slug`` (other than NULL) must appear at + most once across the entire ``dashboards`` table. The partial-index + window allowed an active row and a soft-deleted row to share a slug; + rebuilding the full unique constraint will abort with a + ``UniqueViolation`` if any such pair still exists. Before downgrading, + hard-delete the soft-deleted duplicates (or rename one side of each + pair) so the constraint can be added cleanly. + """ + dialect = bind.dialect.name + if dialect == "postgresql": + op.execute(f"DROP INDEX IF EXISTS {PARTIAL_SLUG_INDEX_NAME}") + op.execute( + f"ALTER TABLE {TABLE_NAME} " + f"ADD CONSTRAINT {LEGACY_SLUG_INDEX_NAME} UNIQUE (slug)" Review Comment: <div> <div id="suggestion"> <div id="issue"><b>PostgreSQL downgrade not idempotent</b></div> <div id="fix"> PostgreSQL `_restore_slug_constraint` (lines 185–187) uses bare `ALTER TABLE ... ADD CONSTRAINT` without an `IF NOT EXISTS` guard. PostgreSQL has no native `IF NOT EXISTS` for `ADD CONSTRAINT`, so re-running the downgrade will raise `duplicate_object`. Compare to the upgrade path at lines 133–140, which correctly uses `DROP ... IF EXISTS` for idempotency. </div> </div> <small><i>Code Review Run #6e7d54</i></small> </div> --- Should Bito avoid suggestions like this for future reviews? (<a href=https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules</a>) - [ ] Yes, avoid them ########## tests/integration_tests/dashboards/soft_delete_tests.py: ########## @@ -0,0 +1,732 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +"""Integration tests for dashboard soft-delete and restore.""" + +from datetime import datetime +from typing import Any + +from superset import security_manager +from superset.constants import SKIP_VISIBILITY_FILTER_CLASSES +from superset.extensions import db +from superset.models.dashboard import Dashboard +from superset.utils import json +from tests.integration_tests.base_tests import SupersetTestCase +from tests.integration_tests.conftest import with_feature_flags +from tests.integration_tests.constants import ( + ADMIN_USERNAME, + ALPHA_USERNAME, + GAMMA_USERNAME, +) + + +def _hard_delete_dashboard(dashboard_id: int) -> None: + """Hard-delete a dashboard row regardless of soft-delete state.""" + row = ( + db.session.query(Dashboard) + .execution_options(**{SKIP_VISIBILITY_FILTER_CLASSES: {Dashboard}}) + .filter(Dashboard.id == dashboard_id) + .one_or_none() + ) + if row: + db.session.delete(row) + db.session.commit() + + +class TestDashboardSoftDelete(SupersetTestCase): + """Tests for dashboard soft-delete behaviour (T014, T017).""" + + def _create_dashboard(self, title: str = "soft_delete_test") -> Dashboard: + admin = self.get_user("admin") + dashboard = Dashboard( + dashboard_title=title, + slug=f"slug_{title}", + owners=[admin], + published=True, + ) + db.session.add(dashboard) + db.session.commit() + return dashboard + + @with_feature_flags(SOFT_DELETE=True) + def test_delete_dashboard_soft_deletes(self) -> None: + """DELETE should set deleted_at instead of removing the row.""" + dashboard = self._create_dashboard("sd_test_1") + dashboard_id = dashboard.id + self.login(ADMIN_USERNAME) + + rv = self.client.delete(f"/api/v1/dashboard/{dashboard_id}") + assert rv.status_code == 200 + + row = ( + db.session.query(Dashboard) + .execution_options(**{SKIP_VISIBILITY_FILTER_CLASSES: {Dashboard}}) + .filter(Dashboard.id == dashboard_id) + .one_or_none() + ) + assert row is not None + assert row.deleted_at is not None + + # Cleanup + _hard_delete_dashboard(dashboard_id) + + @with_feature_flags(SOFT_DELETE=True) + def test_soft_deleted_dashboard_excluded_from_list(self) -> None: + """GET /api/v1/dashboard/ should not include soft-deleted.""" + dashboard = self._create_dashboard("sd_list_test") + dashboard_id = dashboard.id + self.login(ADMIN_USERNAME) + + self.client.delete(f"/api/v1/dashboard/{dashboard_id}") + + rv = self.client.get("/api/v1/dashboard/") + data = json.loads(rv.data) + ids = [d["id"] for d in data["result"]] + assert dashboard_id not in ids + + # Cleanup + _hard_delete_dashboard(dashboard_id) + + @with_feature_flags(SOFT_DELETE=True) + def test_soft_deleted_dashboard_included_in_list_when_requested(self) -> None: + """GET /api/v1/dashboard/ with dashboard_deleted_state=include returns deleted dashboards.""" # noqa: E501 + dashboard = self._create_dashboard("sd_list_with_deleted") + dashboard_id = dashboard.id + self.login(ADMIN_USERNAME) + + self.client.delete(f"/api/v1/dashboard/{dashboard_id}") + + rison_query = "(filters:!((col:id,opr:dashboard_deleted_state,value:include)))" + rv = self.client.get(f"/api/v1/dashboard/?q={rison_query}") + assert rv.status_code == 200 + + data = json.loads(rv.data) + deleted_row = next( + (row for row in data["result"] if row["id"] == dashboard_id), + None, + ) + assert deleted_row is not None + assert deleted_row["deleted_at"] is not None + + # Cleanup + _hard_delete_dashboard(dashboard_id) + + @with_feature_flags(SOFT_DELETE=True) + def test_only_filter_returns_only_soft_deleted_dashboards(self) -> None: + """dashboard_deleted_state=only excludes live rows and returns only deleted ones.""" # noqa: E501 + live_dashboard = self._create_dashboard("only_live_dash") + deleted_dashboard = self._create_dashboard("only_deleted_dash") + live_id = live_dashboard.id + deleted_id = deleted_dashboard.id + self.login(ADMIN_USERNAME) + + self.client.delete(f"/api/v1/dashboard/{deleted_id}") + + rison_query = "(filters:!((col:id,opr:dashboard_deleted_state,value:only)))" + rv = self.client.get(f"/api/v1/dashboard/?q={rison_query}") + assert rv.status_code == 200 + + data = json.loads(rv.data) + returned_ids = {row["id"] for row in data["result"]} + assert deleted_id in returned_ids + assert live_id not in returned_ids + + # Cleanup + _hard_delete_dashboard(live_id) + _hard_delete_dashboard(deleted_id) + + @with_feature_flags(SOFT_DELETE=True) + def test_deleted_state_list_shows_owner_their_own_deleted(self) -> None: + """A non-admin owner can still enumerate their own soft-deleted + dashboards. Deleted-state scoping mirrors the restore audience, so it + must not lock owners out of their own trash.""" + alpha = self.get_user("alpha") + dashboard = Dashboard( + dashboard_title="sd_owner_dash", + slug="sd_owner_dash", + owners=[alpha], + published=True, + ) + db.session.add(dashboard) + db.session.commit() + dashboard_id = dashboard.id + + self.login(ALPHA_USERNAME) + self.client.delete(f"/api/v1/dashboard/{dashboard_id}") + + rison_query = ( + "(filters:!((col:dashboard_title,opr:title_or_slug,value:sd_owner_dash)," + "(col:id,opr:dashboard_deleted_state,value:only)))" + ) + rv = self.client.get(f"/api/v1/dashboard/?q={rison_query}") + assert rv.status_code == 200 + ids = [row["id"] for row in json.loads(rv.data)["result"]] + assert dashboard_id in ids + + # Cleanup + _hard_delete_dashboard(dashboard_id) + + @with_feature_flags(SOFT_DELETE=True) + def test_deleted_state_list_hides_non_owned_from_read_access_user(self) -> None: + """A read-access non-owner must not be able to enumerate a dashboard + once it is soft-deleted. + + Gamma is granted ``datasource_access`` to a published dashboard's + dataset, so ``DashboardAccessFilter`` makes the dashboard visible to + gamma while it is live. After soft-delete, the deleted-state list is + scoped to the restore audience (owners/admins), so gamma — who could + never restore it — must not see it via ``include`` or ``only``. + """ + from superset.connectors.sqla.models import SqlaTable + from superset.models.core import Database + from superset.models.slice import Slice + + admin = self.get_user("admin") + database = Database(database_name="sd_acl_db", sqlalchemy_uri="sqlite://") + db.session.add(database) + db.session.flush() + table = SqlaTable(table_name="sd_acl_tbl", database=database) + db.session.add(table) + db.session.flush() + chart = Slice( + slice_name="sd_acl_slice", + datasource_id=table.id, + datasource_type="table", + viz_type="table", + ) + db.session.add(chart) + dashboard = Dashboard( + dashboard_title="sd_acl_dash", + slug="sd_acl_dash", + owners=[admin], + slices=[chart], + published=True, + ) + db.session.add(dashboard) + db.session.commit() + dashboard_id = dashboard.id + + gamma_role = security_manager.find_role("Gamma") + pvm = security_manager.add_permission_view_menu("datasource_access", table.perm) + gamma_role.permissions.append(pvm) + db.session.commit() + + title_filter = "(col:dashboard_title,opr:title_or_slug,value:sd_acl_dash)" + try: + # Precondition: gamma can see the dashboard while it is live. + self.login(GAMMA_USERNAME) + rv = self.client.get(f"/api/v1/dashboard/?q=(filters:!({title_filter}))") + live_ids = [row["id"] for row in json.loads(rv.data)["result"]] + assert dashboard_id in live_ids, ( + "precondition failed: gamma should see the live dashboard via " + "datasource access" + ) + + # Soft-delete directly (no admin re-login needed; the DELETE + # endpoint's auth is exercised elsewhere). This isolates the + # deleted-state visibility behaviour under test. + dashboard.deleted_at = datetime(2026, 1, 1, 12, 0, 0) Review Comment: <div> <div id="suggestion"> <div id="issue"><b>Timezone-naive datetime call</b></div> <div id="fix"> Use `datetime.datetime()` with a `tzinfo` argument (e.g., `datetime(2026, 1, 1, 12, 0, 0, tzinfo=timezone.utc)`) to avoid ambiguous timezone interpretation. </div> </div> <small><i>Code Review Run #6e7d54</i></small> </div> --- Should Bito avoid suggestions like this for future reviews? (<a href=https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules</a>) - [ ] Yes, avoid them -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
