Posted to notifications@superset.apache.org by "dpgaspar (via GitHub)" <gi...@apache.org> on 2023/06/15 01:21:44 UTC

[GitHub] [superset] dpgaspar commented on a diff in pull request #24400: chore: remove deprecated apis and ENABLE_BROAD_ACTIVITY_ACCESS

dpgaspar commented on code in PR #24400:
URL: https://github.com/apache/superset/pull/24400#discussion_r1230316614


##########
superset/views/core.py:
##########
@@ -1363,27 +1087,17 @@ def welcome(self) -> FlaskResponse:
 
     @has_access
     @event_logger.log_this
-    @expose("/profile/<username>/")
-    def profile(self, username: str) -> FlaskResponse:
+    @expose("/profile/")
+    def profile(self) -> FlaskResponse:
         """User profile page"""
-        user = (
-            db.session.query(ab_models.User).filter_by(username=username).one_or_none()
-        )
-        # Prevent returning 404 when user is not found to prevent username scanning
-        user_id = -1 if not user else user.id
-        # Prevent unauthorized access to other user's profiles,
-        # unless configured to do so with ENABLE_BROAD_ACTIVITY_ACCESS
-        if error_obj := self.get_user_activity_access_error(user_id):
-            return error_obj
-
         payload = {
-            "user": bootstrap_user_data(user, include_perms=True),
+            "user": bootstrap_user_data(g.user, include_perms=True),
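Review bot: `bootstrap_user_data(g.user, include_perms=True)` in the new `profile()` takes whatever `g.user` holds, and nothing in this hunk checks that it is an authenticated user before the payload is built. With the `username` lookup and the `get_user_activity_access_error` check removed, `@has_access` is the only gate visible here, so if the view is reachable by an anonymous or guest session, `g.user` may not be an `ab_models.User` record and the call could fail or serialize permissions for a non-user object. Consider checking `g.user` at the top of the method and returning an error response (for example a 404) before `payload` is assembled. Dropping the `<username>` path parameter does remove the username-scanning concern the deleted comment described, since the route no longer accepts a caller-chosen identity.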

Review Comment:
   Good point, it should be `AnonymousUser` from flask-login or `GuestUser`, but added some safeguard, and we're returning 404 now



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

