-
Notifications
You must be signed in to change notification settings - Fork 654
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
403 in viz.json for private/password-protected visualizations #2306
Comments
@Kartones let's discuss this here cc'ing @javierarce and @xavijam as this affects new dashboard previews |
As @javierarce mentioned in #2297 this also happens in password protected visualizations. |
Ok, it was done on purpose but can be easily changed:
I can easily change it to allow to pass always if authenticated |
I will go with that approach... but remember we may cache the viz.json |
in Varnish? no prob, I'll check that as IIRC on privacy change of a visualization we invalidate Varnish, else implement it. |
It's not only about privacy change. I mean: Let's say the visualization is "private" and I'm the owner. I authenticate and request the viz.json and it gets cached in varnish. Now I open an incognito window and request the viz.json, varnish will attend the request because it's cached and won't check privacy in rails/backend. |
uh, ok, then private/password protected need to be NOT cached, right? (and invalidated upon privacy change). Is the only safe & easy way I see... either what options do we have? |
The easier way is not caching private/password-protected viz.json |
Have in mind that it will troublesome in performance terms |
Yep, but against that we can only cover with lower level caching... in the backend as you suggested. /cc @rafatower |
We can run the privacy checks in the controller and return the full viz.json cached. Invalidation should be orthogonal with respect to privacy checks (and other Anyways the big performance penalty is on hitting the rails stack. BTW, I have some stats I'll share with you guys. (sampled over a 24h period on the 16th) Performance-wise, we need profiling. |
Related to #2194 Invalidations shall be different for redis and varnish:
|
Issue of not detecting cookie based sessions moved to #2394 |
STR
Current result
Even being authenticated it returns a 403 error
Expected result
Being authenticated it should return the viz.json
Non-authenticated and non-authorized (if the visualization is shared in an organization) requests should keep raising a 403 error
Although I tagged this as a bug I'm not sure if this was intentional from the very beginning.
The text was updated successfully, but these errors were encountered: