Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2020/03/03 16:04:04 UTC
[GitHub] [incubator-superset] dpgaspar opened a new pull request #9232:
[security] Fix, let admin's be able to reset user passwords on AUTH_DB
dpgaspar opened a new pull request #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232
### CATEGORY
- [X] Bug Fix
- [ ] Enhancement (new features, refinement)
- [ ] Refactor
- [ ] Add tests
- [ ] Build / Development Environment
- [ ] Documentation
### SUMMARY
Let Admin users be able to reset password when on AUTH_DB
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
<!--- Skip this if not applicable -->
### TEST PLAN
<!--- What steps should be taken to verify the changes -->
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Changes UI
- [ ] Requires DB Migration.
- [ ] Confirm DB Migration upgrade and downgrade tested.
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
### REVIEWERS
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] codecov-io edited a comment on issue #9232:
[security] Fix, let admin's be able to reset user passwords on AUTH_DB
Posted by GitBox <gi...@apache.org>.
codecov-io edited a comment on issue #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232#issuecomment-594032872
# [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=h1) Report
> Merging [#9232](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=desc) into [master](https://codecov.io/gh/apache/incubator-superset/commit/26e916e46b1f8b066ef91fdcb2f0dcfc85c83715?src=pr&el=desc) will **not change** coverage.
> The diff coverage is `n/a`.
```diff
@@ Coverage Diff @@
## master #9232 +/- ##
=======================================
Coverage 58.93% 58.93%
=======================================
Files 373 373
Lines 12014 12014
Branches 2945 2945
=======================================
Hits 7080 7080
Misses 4755 4755
Partials 179 179
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=continue).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=footer). Last update [26e916e...3963f25](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
[GitHub] [incubator-superset] villebro commented on a change in pull request
#9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
Posted by GitBox <gi...@apache.org>.
villebro commented on a change in pull request #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232#discussion_r387162503
##########
File path: superset/security/manager.py
##########
@@ -81,7 +81,11 @@ def __init__(self, **kwargs):
PermissionModelView.list_widget = SupersetSecurityListWidget
# Limiting routes on FAB model views
-UserModelView.include_route_methods = RouteMethod.CRUD_SET | {"userinfo"}
+UserModelView.include_route_methods = RouteMethod.CRUD_SET | {
+ RouteMethod.ACTION,
+ RouteMethod.ACTION_POST,
+ "userinfo",
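Review bot: the comment above this assignment still reads only "Limiting routes on FAB model views", while the allow-list now admits the generic `RouteMethod.ACTION` and `RouteMethod.ACTION_POST` routes in addition to the CRUD set. Add a line to that comment saying these are enabled so admins can reset user passwords under AUTH_DB, so that a later tightening of this list does not drop them again. The PR's TEST PLAN is empty and "Add tests" is unchecked; a test asserting that the reset action is reachable for an Admin and refused for a non-admin role would pin both the fix and the access boundary.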
Review comment:
Perhaps not something that needs to be addressed now (not really sure which is better). LGTM
[GitHub] [incubator-superset] dpgaspar commented on a change in pull request
#9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
Posted by GitBox <gi...@apache.org>.
dpgaspar commented on a change in pull request #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232#discussion_r387159531
##########
File path: superset/security/manager.py
##########
@@ -81,7 +81,11 @@ def __init__(self, **kwargs):
PermissionModelView.list_widget = SupersetSecurityListWidget
# Limiting routes on FAB model views
-UserModelView.include_route_methods = RouteMethod.CRUD_SET | {"userinfo"}
+UserModelView.include_route_methods = RouteMethod.CRUD_SET | {
+ RouteMethod.ACTION,
+ RouteMethod.ACTION_POST,
+ "userinfo",
Review comment:
We can of course, did a quick search and found a bunch of "lonely" routes. Like `download_dashboards`, `bulk_delete`, `table_metadata`. Would say that the idea here is that non-repeatable ones get referenced in place.
[GitHub] [incubator-superset] dpgaspar commented on a change in pull request
#9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
Posted by GitBox <gi...@apache.org>.
dpgaspar commented on a change in pull request #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232#discussion_r387159531
##########
File path: superset/security/manager.py
##########
@@ -81,7 +81,11 @@ def __init__(self, **kwargs):
PermissionModelView.list_widget = SupersetSecurityListWidget
# Limiting routes on FAB model views
-UserModelView.include_route_methods = RouteMethod.CRUD_SET | {"userinfo"}
+UserModelView.include_route_methods = RouteMethod.CRUD_SET | {
+ RouteMethod.ACTION,
+ RouteMethod.ACTION_POST,
+ "userinfo",
Review comment:
We can of course, did a quick search and found a bunch of "lonely" routes. Like `download_dashboards`, `bulk_delete`, `table_metadata`. Would say that the idea here is that non-repeatable ones get referenced in place.
[GitHub] [incubator-superset] villebro commented on a change in pull request
#9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
Posted by GitBox <gi...@apache.org>.
villebro commented on a change in pull request #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232#discussion_r387134344
##########
File path: superset/security/manager.py
##########
@@ -81,7 +81,11 @@ def __init__(self, **kwargs):
PermissionModelView.list_widget = SupersetSecurityListWidget
# Limiting routes on FAB model views
-UserModelView.include_route_methods = RouteMethod.CRUD_SET | {"userinfo"}
+UserModelView.include_route_methods = RouteMethod.CRUD_SET | {
+ "userinfo",
+ "action_post",
+ "action",
+}
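Review bot: the two added entries `"action_post"` and `"action"` are bare string literals sitting next to `RouteMethod.CRUD_SET`. `include_route_methods` is built here as a plain set of names, so a misspelled literal would not raise; it would just leave that route out of the allow-list. If `RouteMethod` already defines members for these two names, use them here so the entries are checked by name resolution rather than by eye.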
Review comment:
Should we be using `constants.RouteMethod.ACTION_POST` etc here?
[GitHub] [incubator-superset] dpgaspar commented on a change in pull request
#9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
Posted by GitBox <gi...@apache.org>.
dpgaspar commented on a change in pull request #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232#discussion_r387146248
##########
File path: superset/security/manager.py
##########
@@ -81,7 +81,11 @@ def __init__(self, **kwargs):
PermissionModelView.list_widget = SupersetSecurityListWidget
# Limiting routes on FAB model views
-UserModelView.include_route_methods = RouteMethod.CRUD_SET | {"userinfo"}
+UserModelView.include_route_methods = RouteMethod.CRUD_SET | {
+ "userinfo",
+ "action_post",
+ "action",
+}
Review comment:
oh! yes, right you are
[GitHub] [incubator-superset] dpgaspar merged pull request #9232: [security]
Fix, let admin's be able to reset user passwords on AUTH_DB
Posted by GitBox <gi...@apache.org>.
dpgaspar merged pull request #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232
[GitHub] [incubator-superset] villebro commented on a change in pull request
#9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
Posted by GitBox <gi...@apache.org>.
villebro commented on a change in pull request #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232#discussion_r387150285
##########
File path: superset/security/manager.py
##########
@@ -81,7 +81,11 @@ def __init__(self, **kwargs):
PermissionModelView.list_widget = SupersetSecurityListWidget
# Limiting routes on FAB model views
-UserModelView.include_route_methods = RouteMethod.CRUD_SET | {"userinfo"}
+UserModelView.include_route_methods = RouteMethod.CRUD_SET | {
+ RouteMethod.ACTION,
+ RouteMethod.ACTION_POST,
+ "userinfo",
Review comment:
The `userinfo` looks lonely here with the constants. Wondering if we should collect these somewhere, too.
[GitHub] [incubator-superset] codecov-io commented on issue #9232:
[security] Fix, let admin's be able to reset user passwords on AUTH_DB
Posted by GitBox <gi...@apache.org>.
codecov-io commented on issue #9232: [security] Fix, let admin's be able to reset user passwords on AUTH_DB
URL: https://github.com/apache/incubator-superset/pull/9232#issuecomment-594032872
# [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=h1) Report
> Merging [#9232](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=desc) into [master](https://codecov.io/gh/apache/incubator-superset/commit/26e916e46b1f8b066ef91fdcb2f0dcfc85c83715?src=pr&el=desc) will **not change** coverage.
> The diff coverage is `n/a`.
```diff
@@ Coverage Diff @@
## master #9232 +/- ##
=======================================
Coverage 58.93% 58.93%
=======================================
Files 373 373
Lines 12014 12014
Branches 2945 2945
=======================================
Hits 7080 7080
Misses 4755 4755
Partials 179 179
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=continue).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=footer). Last update [26e916e...6561462](https://codecov.io/gh/apache/incubator-superset/pull/9232?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).