You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2020/01/02 16:23:51 UTC
[GitHub] [incubator-superset] dpgaspar opened a new pull request #8911:
[dashboard] Fix, prevent delete and update on dashes not owned
dpgaspar opened a new pull request #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911
### CATEGORY
Choose one
- [X] Bug Fix
- [ ] Enhancement (new features, refinement)
- [ ] Refactor
- [ ] Add tests
- [ ] Build / Development Environment
- [ ] Documentation
### SUMMARY
New dashboard API was not correctly preventing user's from updating dashboards they do not own. If a dashboard has slices and is published the user can `list` or `show` but should not be able to update it or delete
### TEST PLAN
Fixed tests to correctly prevent updates and deletes on this context
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Changes UI
- [ ] Requires DB Migration.
- [ ] Confirm DB Migration upgrade and downgrade tested.
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
### REVIEWERS
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] codecov-io edited a comment on issue #8911:
[dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
codecov-io edited a comment on issue #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#issuecomment-570261423
# [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=h1) Report
> Merging [#8911](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=desc) into [master](https://codecov.io/gh/apache/incubator-superset/commit/4b95c1f51719593fcc3ddcbba7effec11968945d?src=pr&el=desc) will **not change** coverage.
> The diff coverage is `n/a`.
[](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=tree)
```diff
@@ Coverage Diff @@
## master #8911 +/- ##
=======================================
Coverage 58.97% 58.97%
=======================================
Files 359 359
Lines 11333 11333
Branches 2787 2787
=======================================
Hits 6684 6684
Misses 4471 4471
Partials 178 178
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=continue).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=footer). Last update [4b95c1f...be670d1](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] dpgaspar merged pull request #8911:
[dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
dpgaspar merged pull request #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] codecov-io edited a comment on issue #8911:
[dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
codecov-io edited a comment on issue #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#issuecomment-570261423
# [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=h1) Report
> Merging [#8911](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=desc) into [master](https://codecov.io/gh/apache/incubator-superset/commit/4b95c1f51719593fcc3ddcbba7effec11968945d?src=pr&el=desc) will **not change** coverage.
> The diff coverage is `n/a`.
[](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=tree)
```diff
@@ Coverage Diff @@
## master #8911 +/- ##
=======================================
Coverage 58.97% 58.97%
=======================================
Files 359 359
Lines 11333 11333
Branches 2787 2787
=======================================
Hits 6684 6684
Misses 4471 4471
Partials 178 178
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=continue).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=footer). Last update [4b95c1f...916cc7f](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] craig-rueda commented on a change in pull
request #8911: [WiP] [dashboard] Fix,
prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
craig-rueda commented on a change in pull request #8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#discussion_r362571534
##########
File path: superset/views/dashboard/api.py
##########
@@ -26,13 +27,32 @@
import superset.models.core as models
from superset import appbuilder
-from superset.exceptions import SupersetException
+from superset.exceptions import SupersetException, SupersetSecurityException
from superset.utils import core as utils
from superset.views.base import BaseSupersetModelRestApi, BaseSupersetSchema
+from ..base import check_ownership
from .mixin import DashboardMixin
+def check_owner(f):
Review comment:
Since this is doing a bit more than just "checking owner" (checks for existence of instances), I think you should name it something like `api_security_wrapper`. We could potentially reuse this in other APIs as well. Otherwise, LGTM.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] villebro commented on a change in pull request
#8911: [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
villebro commented on a change in pull request #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#discussion_r362866770
##########
File path: superset/views/base.py
##########
@@ -155,6 +155,26 @@ def wraps(self, *args, **kwargs):
return functools.update_wrapper(wraps, f)
+def api_exists_owned(f):
Review comment:
Not wanting to get hung up on details, but personally I would prefer something slightly more verbose, e.g. `check_ownership_and_item_exists`.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] dpgaspar commented on a change in pull request
#8911: [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
dpgaspar commented on a change in pull request #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#discussion_r362808015
##########
File path: superset/views/dashboard/api.py
##########
@@ -26,13 +27,32 @@
import superset.models.core as models
from superset import appbuilder
-from superset.exceptions import SupersetException
+from superset.exceptions import SupersetException, SupersetSecurityException
from superset.utils import core as utils
from superset.views.base import BaseSupersetModelRestApi, BaseSupersetSchema
+from ..base import check_ownership
from .mixin import DashboardMixin
+def check_owner(f):
Review comment:
Agree, moved it to `views/base.py`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] villebro commented on a change in pull request
#8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
villebro commented on a change in pull request #8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#discussion_r362590827
##########
File path: superset/views/dashboard/api.py
##########
@@ -207,6 +229,62 @@ class DashboardRestApi(DashboardMixin, BaseSupersetModelRestApi):
}
filter_rel_fields_field = {"owners": "first_name", "slices": "slice_name"}
+ @expose("/<model_id>", methods=["PUT"])
+ @protect()
+ @check_owner
+ @safe
+ def put(self, item): # pylint: disable=arguments-differ
+ """Changes a dashboard
+ ---
+ put:
+ parameters:
+ - in: path
+ schema:
+ type: integer
+ name: pk
+ requestBody:
+ description: Model schema
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/{{self.__class__.__name__}}.put'
+ responses:
+ 200:
+ description: Item changed
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ result:
+ $ref: '#/components/schemas/{{self.__class__.__name__}}.put'
+ 400:
+ $ref: '#/components/responses/400'
+ 401:
+ $ref: '#/components/responses/401'
+ 403:
+ $ref: '#/components/responses/401'
Review comment:
should probably be `'#/components/responses/403'`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] villebro commented on a change in pull request
#8911: [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
villebro commented on a change in pull request #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#discussion_r362867378
##########
File path: superset/views/dashboard/api.py
##########
@@ -229,9 +211,9 @@ class DashboardRestApi(DashboardMixin, BaseSupersetModelRestApi):
}
filter_rel_fields_field = {"owners": "first_name", "slices": "slice_name"}
- @expose("/<model_id>", methods=["PUT"])
+ @expose("/<pk>", methods=["PUT"])
Review comment:
is there some reason `model_id` was changed back to `pk`? I think `model_id` here was nice, but if there is a convention to use `pk` then disregard.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] villebro commented on a change in pull request
#8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
villebro commented on a change in pull request #8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#discussion_r362591000
##########
File path: superset/views/dashboard/api.py
##########
@@ -258,60 +336,43 @@ def post(self):
except SQLAlchemyError as e:
return self.response_422(message=str(e))
- @expose("/<pk>", methods=["PUT"])
+ @expose("/<model_id>", methods=["DELETE"])
@protect()
+ @check_owner
@safe
- def put(self, pk):
- """Changes a dashboard
+ def delete(self, item): # pylint: disable=arguments-differ
+ """Delete Dashboard
---
- put:
+ delete:
parameters:
- in: path
schema:
type: integer
name: pk
- requestBody:
- description: Model schema
- required: true
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/{{self.__class__.__name__}}.put'
responses:
200:
- description: Item changed
+ description: Dashboard delete
content:
application/json:
schema:
type: object
properties:
- result:
- $ref: '#/components/schemas/{{self.__class__.__name__}}.put'
- 400:
- $ref: '#/components/responses/400'
+ message:
+ type: string
401:
$ref: '#/components/responses/401'
+ 403:
+ $ref: '#/components/responses/401'
Review comment:
should probably be `'#/components/responses/403'`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] dpgaspar commented on a change in pull request
#8911: [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
dpgaspar commented on a change in pull request #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#discussion_r362876475
##########
File path: superset/views/dashboard/api.py
##########
@@ -229,9 +211,9 @@ class DashboardRestApi(DashboardMixin, BaseSupersetModelRestApi):
}
filter_rel_fields_field = {"owners": "first_name", "slices": "slice_name"}
- @expose("/<model_id>", methods=["PUT"])
+ @expose("/<pk>", methods=["PUT"])
Review comment:
Yes, under the wood all other ModelRestApi's were exposing an OpenAPi spec with `pk`, so for the sake of consistency I changed it back
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] dpgaspar commented on issue #8911: [dashboard]
Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
dpgaspar commented on issue #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#issuecomment-570572264
@villebro totally agree, changed the imports, explicit is better and saves unnecessary namespace dict gets
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] codecov-io edited a comment on issue #8911:
[WiP] [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
codecov-io edited a comment on issue #8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#issuecomment-570261423
# [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=h1) Report
> Merging [#8911](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=desc) into [master](https://codecov.io/gh/apache/incubator-superset/commit/4b95c1f51719593fcc3ddcbba7effec11968945d?src=pr&el=desc) will **not change** coverage.
> The diff coverage is `n/a`.
[](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=tree)
```diff
@@ Coverage Diff @@
## master #8911 +/- ##
=======================================
Coverage 58.97% 58.97%
=======================================
Files 359 359
Lines 11333 11333
Branches 2787 2787
=======================================
Hits 6684 6684
Misses 4471 4471
Partials 178 178
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=continue).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=footer). Last update [4b95c1f...67bc7e3](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] codecov-io edited a comment on issue #8911:
[WiP] [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
codecov-io edited a comment on issue #8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#issuecomment-570261423
# [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=h1) Report
> Merging [#8911](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=desc) into [master](https://codecov.io/gh/apache/incubator-superset/commit/4b95c1f51719593fcc3ddcbba7effec11968945d?src=pr&el=desc) will **not change** coverage.
> The diff coverage is `n/a`.
[](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=tree)
```diff
@@ Coverage Diff @@
## master #8911 +/- ##
=======================================
Coverage 58.97% 58.97%
=======================================
Files 359 359
Lines 11333 11333
Branches 2787 2787
=======================================
Hits 6684 6684
Misses 4471 4471
Partials 178 178
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=continue).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=footer). Last update [4b95c1f...079d46c](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] dpgaspar commented on a change in pull request
#8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
dpgaspar commented on a change in pull request #8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#discussion_r362594917
##########
File path: superset/views/dashboard/api.py
##########
@@ -207,6 +229,62 @@ class DashboardRestApi(DashboardMixin, BaseSupersetModelRestApi):
}
filter_rel_fields_field = {"owners": "first_name", "slices": "slice_name"}
+ @expose("/<model_id>", methods=["PUT"])
+ @protect()
+ @check_owner
+ @safe
+ def put(self, item): # pylint: disable=arguments-differ
+ """Changes a dashboard
+ ---
+ put:
+ parameters:
+ - in: path
+ schema:
+ type: integer
+ name: pk
+ requestBody:
+ description: Model schema
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/{{self.__class__.__name__}}.put'
+ responses:
+ 200:
+ description: Item changed
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ result:
+ $ref: '#/components/schemas/{{self.__class__.__name__}}.put'
+ 400:
+ $ref: '#/components/responses/400'
+ 401:
+ $ref: '#/components/responses/401'
+ 403:
+ $ref: '#/components/responses/401'
Review comment:
I Know... 403 is not implemented on FAB, and the `responses` OpenAPI override forces (for now) a full override of the responses. I'll improve this on FAB and get back to this with a proper solution
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] codecov-io commented on issue #8911:
[dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
codecov-io commented on issue #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#issuecomment-570261423
# [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=h1) Report
> Merging [#8911](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=desc) into [master](https://codecov.io/gh/apache/incubator-superset/commit/4b95c1f51719593fcc3ddcbba7effec11968945d?src=pr&el=desc) will **not change** coverage.
> The diff coverage is `n/a`.
[](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=tree)
```diff
@@ Coverage Diff @@
## master #8911 +/- ##
=======================================
Coverage 58.97% 58.97%
=======================================
Files 359 359
Lines 11333 11333
Branches 2787 2787
=======================================
Hits 6684 6684
Misses 4471 4471
Partials 178 178
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=continue).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=footer). Last update [4b95c1f...be670d1](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] dpgaspar commented on a change in pull request
#8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
dpgaspar commented on a change in pull request #8911: [WiP] [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#discussion_r362594917
##########
File path: superset/views/dashboard/api.py
##########
@@ -207,6 +229,62 @@ class DashboardRestApi(DashboardMixin, BaseSupersetModelRestApi):
}
filter_rel_fields_field = {"owners": "first_name", "slices": "slice_name"}
+ @expose("/<model_id>", methods=["PUT"])
+ @protect()
+ @check_owner
+ @safe
+ def put(self, item): # pylint: disable=arguments-differ
+ """Changes a dashboard
+ ---
+ put:
+ parameters:
+ - in: path
+ schema:
+ type: integer
+ name: pk
+ requestBody:
+ description: Model schema
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/{{self.__class__.__name__}}.put'
+ responses:
+ 200:
+ description: Item changed
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ result:
+ $ref: '#/components/schemas/{{self.__class__.__name__}}.put'
+ 400:
+ $ref: '#/components/responses/400'
+ 401:
+ $ref: '#/components/responses/401'
+ 403:
+ $ref: '#/components/responses/401'
Review comment:
I Know... 403 is not implemented on FAB, and the `responses` OpenAPI override forces (for now) a full override of the responses. I'll improve this on FAB and get back to this with a proper solution. I would say it's not a blocking issue
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [incubator-superset] codecov-io edited a comment on issue #8911:
[dashboard] Fix, prevent delete and update on dashes not owned
Posted by GitBox <gi...@apache.org>.
codecov-io edited a comment on issue #8911: [dashboard] Fix, prevent delete and update on dashes not owned
URL: https://github.com/apache/incubator-superset/pull/8911#issuecomment-570261423
# [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=h1) Report
> Merging [#8911](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=desc) into [master](https://codecov.io/gh/apache/incubator-superset/commit/4b95c1f51719593fcc3ddcbba7effec11968945d?src=pr&el=desc) will **not change** coverage.
> The diff coverage is `n/a`.
[](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=tree)
```diff
@@ Coverage Diff @@
## master #8911 +/- ##
=======================================
Coverage 58.97% 58.97%
=======================================
Files 359 359
Lines 11333 11333
Branches 2787 2787
=======================================
Hits 6684 6684
Misses 4471 4471
Partials 178 178
```
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=continue).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=footer). Last update [4b95c1f...67bc7e3](https://codecov.io/gh/apache/incubator-superset/pull/8911?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org