From d0019d2c9f5341209910e642f1ea49685d4f2202 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 May 2026 08:53:08 +0200 Subject: [PATCH 1/2] chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /backend (#5350) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- backend/uv.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/backend/uv.lock b/backend/uv.lock index 83ae1c5e81..82471327ac 100644 --- a/backend/uv.lock +++ b/backend/uv.lock 
@@ -3869,11 +3869,11 @@ wheels = [ [[package]] name = "urllib3" -version = "2.6.3" +version = "2.7.0" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" } +sdist = { url = "https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", size = 433602, upload-time = "2026-05-07T16:13:18.596Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" }, + { url = "https://files.pythonhosted.org/packages/7f/3e/5db95bcf282c52709639744ca2a8b149baccf648e39c8cc87553df9eae0c/urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897", size = 131087, upload-time = "2026-05-07T16:13:17.151Z" }, ] [[package]] From 77715639028c2ff9daa4fb59ad49e2e45ecfafb4 Mon Sep 17 00:00:00 2001 From: Davide Silvestri <75379892+silvestrid@users.noreply.github.com> Date: Tue, 12 May 2026 09:11:33 +0200 Subject: [PATCH 2/2] fix: allow inserting rows in restricted views (#5345) --- .../contrib/database/api/rows/views.py | 16 +++++----- ...ws_above_or_below_in_restricted_views.json | 9 ++++++ .../api/views/test_enterprise_view_views.py | 29 +++++++++++++++---- 3 files changed, 41 insertions(+), 13 deletions(-) create mode 100644 changelog/entries/unreleased/bug/5344_fixes_inserting_rows_above_or_below_in_restricted_views.json 
diff --git a/backend/src/baserow/contrib/database/api/rows/views.py b/backend/src/baserow/contrib/database/api/rows/views.py index 529193547f..7a1821a173 100644 --- a/backend/src/baserow/contrib/database/api/rows/views.py +++ b/backend/src/baserow/contrib/database/api/rows/views.py @@ -599,16 +599,16 @@ def post(self, request: Request, table_id: int, query_params) -> Response: validation_serializer, request_data, partial=True, return_validated=True ) + view_id = query_params.get("view") + view = ViewHandler().get_view(view_id) if view_id else None + before_id = query_params.get("before") before_row = ( - RowHandler().get_row(request.user, table, before_id, model) + RowHandler().get_row(request.user, table, before_id, model, view=view) if before_id else None ) - view_id = query_params.get("view") - view = ViewHandler().get_view(view_id) if view_id else None - try: row = action_type_registry.get_by_type(CreateRowActionType).do( request.user, @@ -1366,18 +1366,18 @@ def post(self, request: Request, table_id: int, query_params) -> Response: model = table.get_model() request_data = deepcopy(request.data) + view_id = query_params.get("view") + view = ViewHandler().get_view(view_id) if view_id else None + user_field_names = extract_user_field_names_from_params(request.GET) send_webhook_events = extract_send_webhook_events_from_params(request.GET) before_id = query_params.get("before") before_row = ( - RowHandler().get_row(request.user, table, before_id, model) + RowHandler().get_row(request.user, table, before_id, model, view=view) if before_id else None ) - view_id = query_params.get("view") - view = ViewHandler().get_view(view_id) if view_id else None - row_validation_serializer = get_row_serializer_class( model, user_field_names=user_field_names ) 
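Review bot: Nothing in either `post` hunk ties the `view` resolved from the `view` query parameter to the `table_id` in the URL, and that object now also scopes the `before` row lookup through `get_row(..., view=view)`. If `get_row` treats the view as the permission context, confirm that it (or `ViewHandler().get_view`) rejects a view belonging to a different table; if not, add a guard right after the lookup, e.g. `if view is not None and view.table_id != table.id:`, answering with the same not-found error as a missing view. This applies equally to the batch endpoint hunk at line 1366. Moving the view lookup ahead of the `before` lookup also changes which error a request gets when both ids are invalid, so a comment such as `# Resolve the view first: it scopes the before-row lookup below.` would record why the order matters. Both `post` bodies start and end outside the hunks.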
diff --git a/changelog/entries/unreleased/bug/5344_fixes_inserting_rows_above_or_below_in_restricted_views.json b/changelog/entries/unreleased/bug/5344_fixes_inserting_rows_above_or_below_in_restricted_views.json new file mode 100644 index 0000000000..c8b6e450a1 --- /dev/null +++ b/changelog/entries/unreleased/bug/5344_fixes_inserting_rows_above_or_below_in_restricted_views.json @@ -0,0 +1,9 @@ +{ + "type": "bug", + "message": "Fixes inserting rows above or below in restricted views", + "issue_origin": "github", + "issue_number": 5344, + "domain": "database", + "bullet_points": [], + "created_at": "2026-05-11" +} \ No newline at end of file diff --git a/enterprise/backend/tests/baserow_enterprise_tests/api/views/test_enterprise_view_views.py b/enterprise/backend/tests/baserow_enterprise_tests/api/views/test_enterprise_view_views.py index b1d34d7ebd..21045f4c38 100644 --- a/enterprise/backend/tests/baserow_enterprise_tests/api/views/test_enterprise_view_views.py +++ b/enterprise/backend/tests/baserow_enterprise_tests/api/views/test_enterprise_view_views.py @@ -282,7 +282,16 @@ def test_cannot_get_row_outside_of_restricted_view(api_client, enterprise_data_f @pytest.mark.django_db @override_settings(DEBUG=True) -def test_create_row_with_only_view_permissions(api_client, enterprise_data_fixture): +@pytest.mark.parametrize( + "url_name, prepare_payload", + [ + ("api:database:rows:list", lambda row: row), + ("api:database:rows:batch", lambda row: {"items": [row]}), + ], +) +def test_create_row_with_only_view_permissions( + api_client, enterprise_data_fixture, url_name, prepare_payload +): enterprise_data_fixture.enable_enterprise() user, token = enterprise_data_fixture.create_user_and_token() 
@@ -318,13 +327,13 @@ def test_create_row_with_only_view_permissions(api_client, enterprise_data_fixtu scope=View.objects.get(id=normal_view.id), ) - url = reverse("api:database:rows:list", kwargs={"table_id": table.id}) + url = reverse(url_name, kwargs={"table_id": table.id}) # Expect permission denied when trying to create a row in the table because the # user does not have access to the table. response = api_client.post( url, - {f"field_{text_field.id}": "Test 1"}, + prepare_payload({f"field_{text_field.id}": "Test 1"}), format="json", HTTP_AUTHORIZATION=f"JWT {token2}", ) @@ -335,7 +344,7 @@ def test_create_row_with_only_view_permissions(api_client, enterprise_data_fixtu # view ownership type does not allow a user to create a row. response = api_client.post( url + f"?view={normal_view.id}", - {f"field_{text_field.id}": "Test 1"}, + prepare_payload({f"field_{text_field.id}": "Test 1"}), format="json", HTTP_AUTHORIZATION=f"JWT {token2}", ) @@ -345,7 +354,17 @@ def test_create_row_with_only_view_permissions(api_client, enterprise_data_fixtu # Should come through because the user has access to the view. response = api_client.post( url + f"?view={restricted_view.id}", - {f"field_{text_field.id}": "Test 1"}, + prepare_payload({f"field_{text_field.id}": "Test 1"}), + format="json", + HTTP_AUTHORIZATION=f"JWT {token2}", + ) + assert response.status_code == HTTP_200_OK + created_row_id = table.get_model().objects.first().id + + # Should also be possible to reference another row as before_row + response = api_client.post( + url + f"?view={restricted_view.id}&before={created_row_id}", + prepare_payload({f"field_{text_field.id}": "Test 1"}), format="json", HTTP_AUTHORIZATION=f"JWT {token2}", )
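Review bot: The new `before=` case at the end of `test_create_row_with_only_view_permissions` only asserts the allowed path, so it does not pin the boundary that passing `view=view` to the row lookup is meant to enforce. A companion assertion would catch a regression where the view scope is dropped or widened: check that a `before` id is refused when it points at a row the restricted view does not expose, or when the same id is sent without the `view` parameter. `table.get_model().objects.first().id` also relies on the model's default ordering and on exactly one row existing at that point; taking the id from the preceding response body would be more direct, though its shape presumably differs between the list and batch endpoints. The test function continues past the end of the hunk, so the assertion on the final request is not visible here.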