Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: deprecate approve and request_access endpoint #22022

Merged
merged 6 commits into from
Nov 7, 2022
Merged

fix: deprecate approve and request_access endpoint #22022

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
884428d
fix: deprecate approve and request_access endpoint
dpgaspar Nov 3, 2022
64fa0c4
fix tests
dpgaspar Nov 4, 2022
96bab31
Merge branch 'master' into fix/approve-endpoint
dpgaspar Nov 4, 2022
3c96fb4
update updating
dpgaspar Nov 4, 2022
4114e53
Update UPDATING.md
dpgaspar Nov 4, 2022
193d90f
Merge branch 'master' into fix/approve-endpoint
dpgaspar Nov 4, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions UPDATING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ assists people when migrating to a new version.

## Next

- [22022](https://github.com/apache/superset/pull/22022): HTTP API endpoints `/superset/approve` and `/superset/request_access` have been deprecated and their HTTP methods were changed from GET to POST
- [21895](https://github.com/apache/superset/pull/21895): Markdown components had their security increased by adhering to the same sanitization process enforced by Github. This means that some HTML elements found in markdowns are not allowed anymore due to the security risks they impose. If you're deploying Superset in a trusted environment and wish to use some of the blocked elements, then you can use the HTML_SANITIZATION_SCHEMA_EXTENSIONS configuration to extend the default sanitization schema. There's also the option to disable HTML sanitization using the HTML_SANITIZATION configuration but we do not recommend this approach because of the security risks. Given the provided configurations, we don't view the improved sanitization as a breaking change but as a security patch.
- [20606](https://github.com/apache/superset/pull/20606): When user clicks on chart title or "Edit chart" button in Dashboard page, Explore opens in the same tab. Clicking while holding cmd/ctrl opens Explore in a new tab. To bring back the old behaviour (always opening Explore in a new tab), flip feature flag `DASHBOARD_EDIT_CHART_IN_NEW_TAB` to `True`.
- [20799](https://github.com/apache/superset/pull/20799): Presto and Trino engine will now display tracking URL for running queries in SQL Lab. If for some reason you don't want to show the tracking URL (for example, when your data warehouse hasn't enable access for to Presto or Trino UI), update `TRACKING_URL_TRANSFORMER` in `config.py` to return `None`.
Expand Down
16 changes: 14 additions & 2 deletions superset/views/core.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -277,8 +277,14 @@ def override_role_permissions(self) -> FlaskResponse:

@has_access
@event_logger.log_this
@expose("/request_access/")
@expose("/request_access/", methods=["POST"])
def request_access(self) -> FlaskResponse:
logger.warning(
"%s.approve "
"This API endpoint is deprecated and will be removed in version 3.0.0",
self.__class__.__name__,
)

datasources = set()
dashboard_id = request.args.get("dashboard_id")
if dashboard_id:
Expand Down Expand Up @@ -320,7 +326,7 @@ def request_access(self) -> FlaskResponse:

@has_access
@event_logger.log_this
@expose("/approve")
@expose("/approve", methods=["POST"])
def approve(self) -> FlaskResponse: # pylint: disable=too-many-locals,no-self-use
def clean_fulfilled_requests(session: Session) -> None:
for dar in session.query(DAR).all():
Expand All @@ -332,6 +338,12 @@ def clean_fulfilled_requests(session: Session) -> None:
session.delete(dar)
session.commit()

logger.warning(
"%s.approve "
"This API endpoint is deprecated and will be removed in version 3.0.0",
self.__class__.__name__,
)

datasource_type = request.args["datasource_type"]
datasource_id = request.args["datasource_id"]
created_by_username = request.args.get("created_by")
Expand Down
6 changes: 3 additions & 3 deletions tests/integration_tests/access_tests.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -270,7 +270,7 @@ def test_clean_requests_after_alpha_grant(self):
session.commit()
access_requests = self.get_access_requests("gamma", "table", ds_1_id)
self.assertTrue(access_requests)
self.client.get(
self.client.post(
EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
)
access_requests = self.get_access_requests("gamma", "table", ds_1_id)
Expand Down Expand Up @@ -309,7 +309,7 @@ def test_clean_requests_after_db_grant(self):
access_requests = self.get_access_requests("gamma", "table", ds_1_id)
self.assertTrue(access_requests)
# gamma2 request gets fulfilled
self.client.get(
self.client.post(
EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
)
access_requests = self.get_access_requests("gamma", "table", ds_1_id)
Expand Down Expand Up @@ -353,7 +353,7 @@ def test_clean_requests_after_schema_grant(self):
gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE))
session.commit()
# gamma2 request gets fulfilled
self.client.get(
self.client.post(
EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
)
access_requests = self.get_access_requests("gamma", "table", ds_1_id)
Expand Down