etr2460 opened a new pull request #13859: URL: https://github.com/apache/superset/pull/13859
### SUMMARY If a filter box uses data that the user shouldn't have access to, they don't currently get restricted from using the filter box. This is because filterboxes are kinda hacky to begin with, and it looks like we don't check permissions for the extra queries it runs. This PR builds a QueryContext for each query the filterbox runs and calls `raise_for_access` on it. Then we catch that exception and set the error on the response if it fails. The big thing I'm unhappy with here is the import within the `run_extra_queries` function o_O I tried to get around this, but circular imports were pretty impossible here... Would love it if others have better thoughts about how to resolve this. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF <!--- Skip this if not applicable --> ### TEST PLAN Manually test with a FilterBox that accesses data I don't have access to, see the failure. See it pass when I do have access to the data. No unit tests currently exist for the `FilterBox` viz. I've got the sense that this will be deprecated soon so 🤷 ### ADDITIONAL INFORMATION <!--- Check any relevant boxes with "x" --> <!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue --> - [ ] Has associated issue: - [ ] Changes UI - [ ] Requires DB Migration. - [ ] Confirm DB Migration upgrade and downgrade tested. - [ ] Introduces new feature or API - [ ] Removes existing feature or API to: @villebro @serenajiang @michellethomas @ktmud cc: @junlincc -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
