Posted to notifications@superset.apache.org by "villebro (via GitHub)" <gi...@apache.org> on 2023/06/15 12:46:06 UTC

[GitHub] [superset] villebro commented on a diff in pull request #24400: chore: remove deprecated apis and ENABLE_BROAD_ACTIVITY_ACCESS

villebro commented on code in PR #24400:
URL: https://github.com/apache/superset/pull/24400#discussion_r1230955621


##########
superset/views/core.py:
##########
@@ -1363,27 +1076,20 @@ def welcome(self) -> FlaskResponse:
 
     @has_access
     @event_logger.log_this
-    @expose("/profile/<username>/")
-    def profile(self, username: str) -> FlaskResponse:
+    @expose("/profile/")
+    def profile(self) -> FlaskResponse:
         """User profile page"""
-        user = (
-            db.session.query(ab_models.User).filter_by(username=username).one_or_none()
-        )
-        # Prevent returning 404 when user is not found to prevent username scanning
-        user_id = -1 if not user else user.id
-        # Prevent unauthorized access to other user's profiles,
-        # unless configured to do so with ENABLE_BROAD_ACTIVITY_ACCESS
-        if error_obj := self.get_user_activity_access_error(user_id):
-            return error_obj
-
+        user = g.user if hasattr(g, "user") and g.user else None
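Review bot: On the last added line, `user = g.user if hasattr(g, "user") and g.user else None` allows `user` to be None, and the visible part of `profile()` does not show how that case is handled. The removed lines returned the error object from `get_user_activity_access_error` before going any further; with that check gone, consider an explicit early return (a redirect or an error response) when `user` is None, so the rest of the method never works with a missing user. Taking the user from `g` instead of a `username` path parameter also removes the lookup that the deleted "username scanning" comment was guarding, which is worth stating in the PR description.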

Review Comment:
   I think this snippet or a variation of it appears in LOTS of places. We should replace all of these with a single util to DRY this up and add tests for all expected cases. I can do it if needed (I think this PR is big enough already, so it should not be obfuscated with more chores).



##########
superset/views/core.py:
##########
@@ -1363,27 +1076,20 @@ def welcome(self) -> FlaskResponse:
 
     @has_access
     @event_logger.log_this
-    @expose("/profile/<username>/")
-    def profile(self, username: str) -> FlaskResponse:
+    @expose("/profile/")
+    def profile(self) -> FlaskResponse:
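Review bot: The `@expose` change from `/profile/<username>/` to `/profile/` drops a URL pattern that existing links and bookmarks may still use, and requests to the old pattern will no longer match this view. Consider documenting the route change in the upgrade notes, or keeping a redirect from the old pattern to `/profile/` that ignores the `username` segment.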

Review Comment:
   ❤️ 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

