codeant-ai-for-open-source[bot] commented on code in PR #41897:
URL: https://github.com/apache/superset/pull/41897#discussion_r3554822296


##########
superset/subjects/filters.py:
##########
@@ -176,6 +176,28 @@ def apply(self, query: Query, value: Optional[Any]) -> 
Query:
         return _apply_subject_list_filters(query)
 
 
+class SubjectAllTextFilter(BaseFilter):  # pylint: 
disable=too-few-public-methods
+    """ILIKE search across a subject's textual columns.
+
+    Used by the Subject REST API ``search_filters`` for free-text search.
+    """
+
+    name = _("All Text")
+    arg_name = "subject_all_text"
+
+    def apply(self, query: Query, value: Any) -> Query:
+        if not value:
+            return query
+        ilike_value = f"%{value}%"
+        return query.filter(
+            or_(
+                Subject.label.ilike(ilike_value),
+                Subject.secondary_label.ilike(ilike_value),
+                Subject.extra_search.ilike(ilike_value),
+            )
+        )

Review Comment:
   **Suggestion:** `SubjectAllTextFilter` skips `_apply_subject_list_filters`, 
so requests using this search path bypass `EXCLUDE_USERS_FROM_LISTS` and 
`EXTRA_RELATED_QUERY_FILTERS`. That creates inconsistent behavior with other 
subject-list filters and can expose subjects that should be filtered out. Apply 
`_apply_subject_list_filters(...)` to both the empty-value and filtered query 
paths. [logic error]
   
   <details>
   <summary><b>Severity Level:</b> Critical 🚨</summary>
   
   ```mdx
   - ❌ Subject REST API can bypass EXTRA_RELATED_QUERY_FILTERS tenant 
restrictions.
   - ❌ EXCLUDE_USERS_FROM_LISTS subjects visible despite global exclusion 
config.
   - ⚠️ Inconsistent subject filtering between pickers and Subject API.
   ```
   </details>
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. Configure EXCLUDE_USERS_FROM_LISTS or EXTRA_RELATED_QUERY_FILTERS so 
certain subjects
   should be hidden; these configs are read in _apply_excluded_users() and
   _apply_extra_related_query_filters() at superset/subjects/filters.py:37–97.
   
   2. Start Superset with this PR so SubjectRestApi is registered, as wired in
   superset/initialization/__init__.py:196 importing 
superset.subjects.api.SubjectRestApi.
   
   3. Log in as an admin and call GET /api/v1/security/subject/ with a q 
payload containing
   filters like {"filters": [{"col": "label", "opr": "subject_all_text", 
"value":
   "subject_label1"}]}, matching test_get_list_subject_filter in
   superset/tests/integration_tests/subjects/api_tests.py:11–29.
   
   4. The request is handled by SubjectRestApi.get_list(), which applies 
SubjectAllTextFilter
   via search_filters = {"label": [SubjectAllTextFilter]} in
   superset/subjects/api.py:113–123; inside SubjectAllTextFilter.apply() at
   superset/subjects/filters.py:188–198 the code returns query.filter(...) 
directly without
   wrapping in _apply_subject_list_filters(...), so the 
EXCLUDE_USERS_FROM_LISTS /
   EXTRA_RELATED_QUERY_FILTERS predicates are never applied, unlike
   FilterRelatedSubjects.apply() at superset/subjects/filters.py:165–176, and 
subjects that
   global filters are meant to hide remain visible in this search path.
   ```
   </details>
   
   [![Fix in 
Cursor](https://new-codeant-butcket.s3.us-west-1.amazonaws.com/badges/fix-in-cursor-flat.svg)](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=85a13f341ddd433b9a7fb67b1e90ad48&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
 [![Fix in VSCode 
Claude](https://new-codeant-butcket.s3.us-west-1.amazonaws.com/badges/fix-in-vscode-claude-flat.svg)](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=85a13f341ddd433b9a7fb67b1e90ad48&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
   
   *(Use Cmd/Ctrl + Click for best experience)*
   <details>
   <summary><b>Prompt for AI Agent 🤖 </b></summary>
   
   ```mdx
   This is a comment left during a code review.
   
   **Path:** superset/subjects/filters.py
   **Line:** 189:198
   **Comment:**
        *Logic Error: `SubjectAllTextFilter` skips 
`_apply_subject_list_filters`, so requests using this search path bypass 
`EXCLUDE_USERS_FROM_LISTS` and `EXTRA_RELATED_QUERY_FILTERS`. That creates 
inconsistent behavior with other subject-list filters and can expose subjects 
that should be filtered out. Apply `_apply_subject_list_filters(...)` to both 
the empty-value and filtered query paths.
   
   Validate the correctness of the flagged issue. If correct, How can I resolve 
this? If you propose a fix, implement it and please make it concise.
   Once fix is implemented, also check other comments on the same PR, and ask 
user if the user wants to fix the rest of the comments as well. if said yes, 
then fetch all the comments validate the correctness and implement a minimal fix
   ```
   </details>
   <a 
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F41897&comment_hash=4c7b30af1ffc2eaac666d752a50b60d04a6de377fbb90b448d603458e97a21e5&reaction=like'>👍</a>
 | <a 
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F41897&comment_hash=4c7b30af1ffc2eaac666d752a50b60d04a6de377fbb90b448d603458e97a21e5&reaction=dislike'>👎</a>



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to