Posted to commits@superset.apache.org by jo...@apache.org on 2018/11/12 18:08:25 UTC
[incubator-superset] branch master updated: [404] Aborting for
views with invalid dashboard/slice IDs (#6355)
This is an automated email from the ASF dual-hosted git repository.
johnbodley pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git
The following commit(s) were added to refs/heads/master by this push:
new 0873abd [404] Aborting for views with invalid dashboard/slice IDs (#6355)
0873abd is described below
commit 0873abde1293c9f85bcda944735841a7b3be1fba
Author: John Bodley <45...@users.noreply.github.com>
AuthorDate: Mon Nov 12 10:08:20 2018 -0800
[404] Aborting for views with invalid dashboard/slice IDs (#6355)
---
superset/views/core.py | 18 +++++++++++-------
tests/core_tests.py | 7 +++++++
2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/superset/views/core.py b/superset/views/core.py
index 575e0de..675b041 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -9,7 +9,7 @@ import traceback
from urllib import parse
from flask import (
- flash, g, Markup, redirect, render_template, request, Response, url_for,
+ abort, flash, g, Markup, redirect, render_template, request, Response, url_for,
)
from flask_appbuilder import expose, SimpleFormView
from flask_appbuilder.actions import action
@@ -1028,11 +1028,11 @@ class Superset(BaseSupersetView):
# Include the slice_form_data if request from explore or slice calls
# or if form_data only contains slice_id
if slice_id and (use_slice_data or contains_only_slc_id):
- slc = db.session.query(models.Slice).filter_by(id=slice_id).first()
- slice_form_data = slc.form_data.copy()
-
- slice_form_data.update(form_data)
- form_data = slice_form_data
+ slc = db.session.query(models.Slice).filter_by(id=slice_id).one_or_none()
+ if slc:
+ slice_form_data = slc.form_data.copy()
+ slice_form_data.update(form_data)
+ form_data = slice_form_data
update_time_range(form_data)
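Review bot: When no row matches, the new `if slc:` guard lets get_form_data continue with the request's own form_data while `slc` is None, and nothing in the code says that this is the intended contract. A comment above the guard such as `# unknown slice_id: keep the caller's form_data; slc is None and the view decides whether to 404` would make it explicit. Only `slice` gains a None check in this commit. Whether the other callers of get_form_data tolerate a missing slice is not visible here, since the function starts and ends outside the hunk.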
@@ -1068,6 +1068,8 @@ class Superset(BaseSupersetView):
@expose('/slice/<slice_id>/')
def slice(self, slice_id):
form_data, slc = self.get_form_data(slice_id, use_slice_data=True)
+ if not slc:
+ abort(404)
endpoint = '/superset/explore/?form_data={}'.format(
parse.quote(json.dumps(form_data)),
)
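Review bot: The new `if not slc: abort(404)` covers an ID that matches no row, but the route `'/slice/<slice_id>/'` still accepts any string, so a non-numeric value appears to reach `filter_by(id=slice_id)` in get_form_data. Depending on the database backend, that comparison may raise instead of returning no row, which would surface as a 500 rather than the intended 404. Declaring the route as `@expose('/slice/<int:slice_id>/')` would have Flask reject such paths before the query runs. The default int converter also rejects negative values, so `/superset/slice/-1/` would then 404 at routing. The body of `slice` continues outside the hunk.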
@@ -2099,7 +2101,9 @@ class Superset(BaseSupersetView):
else:
qry = qry.filter_by(slug=dashboard_id)
- dash = qry.one()
+ dash = qry.one_or_none()
+ if not dash:
+ abort(404)
datasources = set()
for slc in dash.slices:
datasource = slc.datasource
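Review bot: `abort(404)` now runs before the loop over `dash.slices` that follows, so a missing dashboard and an existing one the caller may not view can produce different responses. If the permission handling further down (outside this hunk) answers with a redirect or an error page rather than a 404, any client that can reach this view can tell which dashboard IDs and slugs exist. Where that matters, the denial path should also end in `abort(404)`. Otherwise a comment such as `# 404 only for unknown id/slug; access is checked below` would record that the difference is intended.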
diff --git a/tests/core_tests.py b/tests/core_tests.py
index 70b6341..2acd842 100644
--- a/tests/core_tests.py
+++ b/tests/core_tests.py
@@ -62,6 +62,10 @@ class CoreTests(SupersetTestCase):
data=dict(username='admin', password='wrongPassword'))
self.assertIn('User confirmation needed', resp)
+ def test_dashboard_endpoint(self):
+ resp = self.client.get('/superset/dashboard/-1/')
+ assert resp.status_code == 404
+
def test_slice_endpoint(self):
self.login(username='admin')
slc = self.get_slice('Girls', db.session)
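Review bot: `test_dashboard_endpoint` requests `/superset/dashboard/-1/` without calling `self.login(...)`, unlike the neighbouring tests, so it is unclear whether the 404 is asserted for an anonymous or an authenticated client. Starting the test with `self.login(username='admin')` would pin the status to the missing dashboard rather than to session state left by another test. A second request with a made-up slug, for example `self.client.get('/superset/dashboard/no-such-slug/')`, would also cover the `filter_by(slug=...)` branch.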
@@ -74,6 +78,9 @@ class CoreTests(SupersetTestCase):
'/superset/slice/{}/?standalone=true'.format(slc.id))
assert 'List Roles' not in resp
+ resp = self.client.get('/superset/slice/-1/')
+ assert resp.status_code == 404
+
def test_cache_key(self):
self.login(username='admin')
slc = self.get_slice('Girls', db.session)