Posted to commits@superset.apache.org by dp...@apache.org on 2023/10/10 11:53:46 UTC

[superset] branch master updated: fix: REST API CSRF exempt list (#25590)

This is an automated email from the ASF dual-hosted git repository.

dpgaspar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 549abb542b fix: REST API CSRF exempt list (#25590)
549abb542b is described below

commit 549abb542b5d541b4960386d774d13dc74d72347
Author: Daniel Vaz Gaspar <da...@gmail.com>
AuthorDate: Tue Oct 10 12:53:37 2023 +0100

    fix: REST API CSRF exempt list (#25590)
---
 superset/views/base_api.py            |  2 +-
 tests/unit_tests/conftest.py          |  9 +++++++++
 tests/unit_tests/security/api_test.py | 31 +++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/superset/views/base_api.py b/superset/views/base_api.py
index 7a5540406a..10f0050074 100644
--- a/superset/views/base_api.py
+++ b/superset/views/base_api.py
@@ -251,7 +251,7 @@ class BaseSupersetApi(BaseSupersetApiMixin, BaseApi):
     ...
 
 
-class BaseSupersetModelRestApi(ModelRestApi, BaseSupersetApiMixin):
+class BaseSupersetModelRestApi(BaseSupersetApiMixin, ModelRestApi):
     """
     Extends FAB's ModelResApi to implement specific superset generic functionality
     """
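Review bot: The swapped base-class order on the `BaseSupersetModelRestApi` line is the whole fix, yet nothing in the code says why `BaseSupersetApiMixin` now has to precede `ModelRestApi`, so a future tidy-up can silently revert it and re-exempt every model REST API from CSRF. If I read the commit title and the new test together correctly, the point is that the mixin's class attributes (presumably the CSRF-related one) must win in the MRO over those inherited from FAB's `ModelRestApi`. A comment directly above the class line would pin that down: `# BaseSupersetApiMixin must come before ModelRestApi so its attributes take precedence in the MRO; reversing the order exempts all model REST APIs from CSRF (see tests/unit_tests/security/api_test.py).` The class body continues outside the hunk.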
diff --git a/tests/unit_tests/conftest.py b/tests/unit_tests/conftest.py
index cbf728dfc7..4444fdc8c7 100644
--- a/tests/unit_tests/conftest.py
+++ b/tests/unit_tests/conftest.py
@@ -89,6 +89,15 @@ def app(request: SubRequest) -> Iterator[SupersetApp]:
     app.config["TESTING"] = True
 
     # loop over extra configs passed in by tests
+    # and update the app config
+    # to override the default configs use:
+    #
+    # @pytest.mark.parametrize(
+    #     "app",
+    #     [{"SOME_CONFIG": "SOME_VALUE"}],
+    #     indirect=True,
+    # )
+    # def test_some_test(app_context: None) -> None:
     if request and hasattr(request, "param"):
         for key, val in request.param.items():
             app.config[key] = val
diff --git a/tests/unit_tests/security/api_test.py b/tests/unit_tests/security/api_test.py
new file mode 100644
index 0000000000..5d596073e9
--- /dev/null
+++ b/tests/unit_tests/security/api_test.py
@@ -0,0 +1,31 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+import pytest
+
+from superset.extensions import csrf
+
+
+@pytest.mark.parametrize(
+    "app",
+    [{"WTF_CSRF_ENABLED": True}],
+    indirect=True,
+)
+def test_csrf_not_exempt(app_context: None) -> None:
+    """
+    Test that REST API is not exempt from CSRF.
+    """
+    assert csrf._exempt_blueprints == {"MenuApi", "SecurityApi", "OpenApi"}
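Review bot: The assertion in `test_csrf_not_exempt` pins the exact contents of the private `csrf._exempt_blueprints` attribute, so it will fail the moment any other blueprint is legitimately exempted, and nothing in the docstring says that this is intentional allowlist behaviour rather than a brittle snapshot. Since `superset.extensions.csrf` appears to be Flask-WTF's `CSRFProtect`, the test is also coupled to a private attribute that can change between Flask-WTF releases. I would extend the docstring to say what is really being guarded: `"""Guard the CSRF exemption allowlist: only MenuApi, SecurityApi and OpenApi may be exempt, and any model REST API showing up here is a regression of the BaseSupersetModelRestApi MRO fix. Inspects the private csrf._exempt_blueprints of Flask-WTF's CSRFProtect, so update both if the allowlist changes deliberately."""` A complementary request-level check (an unauthenticated POST to one model REST API endpoint being rejected with CSRF enabled) would catch regressions that the registry inspection alone cannot.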