fix: Security manager incorrect calls #29884
Conversation
superset/databases/api.py
Outdated
| @@ -2274,6 +2274,6 @@ def schemas_access_for_file_upload(self, pk: int) -> Response: | |||
| # otherwise the database should have been filtered out | |||
| # in CsvToDatabaseForm | |||
| schemas_allowed_processed = security_manager.get_schemas_accessible_by_user( | |||
| database, schemas_allowed, True | |||
| database, None, schemas_allowed, True | |||
There was a problem hiding this comment.
This was a problem introduced with the catalog feature. @betodealmeida let me know if None is correct in this context or how we should get the catalog.
There was a problem hiding this comment.
Ah, yeah, we need to implement support for catalogs in the CSV upload feature.
Every time you need a catalog in a function and one is not explicitly passed you should use database.get_default_catalog() — it will return None for databases that don't support catalogs, and the default catalog for those that do.
In this case, we need to pass database.get_default_catalog() to get_schemas_accessible_by_user, otherwise the permissions check won't match if the database supports catalogs.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #29884 +/- ##
===========================================
+ Coverage 60.48% 83.64% +23.15%
===========================================
Files 1931 528 -1403
Lines 76236 38155 -38081
Branches 8568 0 -8568
===========================================
- Hits 46114 31914 -14200
+ Misses 28017 6241 -21776
+ Partials 2105 0 -2105
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
@betodealmeida @villebro @hughhhh Could you help me fix the following errors? This the signature of the methods: The calls to the security manager methods were introduced by #22853 and it seems that we already needed to pass |
|
Changes look good to me, but @betodealmeida and @hughhhh are probably best positioned to comment on the open questions here. |
|
For the type error, I think the current @hughhhh does this seem right to you? |
sadpandajoe
added
the
v4.1
superset/security/manager.py
Outdated
| @@ -2645,7 +2645,7 @@ def has_guest_access(self, dashboard: "Dashboard") -> bool: | |||
| dashboards = [ | |||
| r | |||
| for r in user.resources | |||
| if r["type"] == GuestTokenResourceType.DASHBOARD.value | |||
| if r["type"] == GuestTokenResourceType.DASHBOARD | |||
There was a problem hiding this comment.
@betodealmeida @sadpandajoe This have the potential to break current security checks but it's the correct comparison for the defined type. Let me know if it's ok or if we should change the type to str instead.
|
@betodealmeida I think I addressed all your comments. |
| @@ -132,7 +133,7 @@ def init_app(self, app: Flask) -> None: | |||
| migrate = Migrate() | |||
| profiling = ProfilingExtension() | |||
| results_backend_manager = ResultsBackendManager() | |||
| security_manager = LocalProxy(lambda: appbuilder.sm) | |||
| security_manager: SupersetSecurityManager = LocalProxy(lambda: appbuilder.sm) | |||
There was a problem hiding this comment.
nice this will help the IDE a lot!
(cherry picked from commit d497dca)
SUMMARY
While testing 4.1 migrations, I noticed that the return types of the security manager calls were not being correctly validated by the IDE. To fix this, I added a type hint to our proxy definition and was able to find and fix problems in the code.
TESTING INSTRUCTIONS
CI should be sufficient.
ADDITIONAL INFORMATION