Posted to commits@superset.apache.org by mi...@apache.org on 2023/12/04 17:09:32 UTC
(superset) 05/16: fix: Prevent cached bootstrap data from leaking between users w/ same first/last name (#26023)
This is an automated email from the ASF dual-hosted git repository.
michaelsmolina pushed a commit to branch 3.0
in repository https://gitbox.apache.org/repos/asf/superset.git
commit ff5de2547853733254694bb9abc9796375ff684a
Author: Jack Fragassi <jf...@gmail.com>
AuthorDate: Tue Nov 21 15:39:42 2023 -0800
fix: Prevent cached bootstrap data from leaking between users w/ same first/last name (#26023)
---
superset/embedded/view.py | 4 ++--
superset/views/base.py | 18 +++++++++++-------
superset/views/core.py | 6 +++---
superset/views/dashboard/views.py | 2 +-
4 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/superset/embedded/view.py b/superset/embedded/view.py
index e59a6ced90..462c6046fa 100644
--- a/superset/embedded/view.py
+++ b/superset/embedded/view.py
@@ -17,7 +17,7 @@
import json
from typing import Callable
-from flask import abort, g, request
+from flask import abort, request
from flask_appbuilder import expose
from flask_login import AnonymousUserMixin, login_user
from flask_wtf.csrf import same_origin
@@ -78,7 +78,7 @@ class EmbeddedView(BaseSupersetView):
)
bootstrap_data = {
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
"embedded": {
"dashboard_id": embedded.dashboard_id,
},
diff --git a/superset/views/base.py b/superset/views/base.py
index a0102bf3bb..c77a3e5c87 100644
--- a/superset/views/base.py
+++ b/superset/views/base.py
@@ -14,6 +14,8 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
+from __future__ import annotations
+
import dataclasses
import functools
import logging
@@ -295,7 +297,7 @@ class BaseSupersetView(BaseView):
def render_app_template(self) -> FlaskResponse:
payload = {
"user": bootstrap_user_data(g.user, include_perms=True),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
}
return self.render_template(
"superset/spa.html",
@@ -383,7 +385,9 @@ def menu_data(user: User) -> dict[str, Any]:
@cache_manager.cache.memoize(timeout=60)
-def cached_common_bootstrap_data(user: User, locale: str) -> dict[str, Any]:
+def cached_common_bootstrap_data( # pylint: disable=unused-argument
+ user_id: int | None, locale: str
+) -> dict[str, Any]:
"""Common data always sent to the client
The function is memoized as the return value only changes when user permissions
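Review bot: The new `user_id` parameter is never read in the body (hence the pylint disable on the signature line), and nothing in the hunk says why it exists; its only role is to take part in the memoize key so that entries are no longer shared between users, which is the leak the commit title describes. That intent should be stated in the docstring, which continues outside the hunk, e.g. `user_id is intentionally unused in the body: together with locale it forms the cache key, so each user gets their own entry; the body reads the current user from g.user, which must be the user user_id identifies.` Without it the next reader is likely to "clean up" the unused parameter and reintroduce cross-user sharing.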
@@ -420,15 +424,15 @@ def cached_common_bootstrap_data(user: User, locale: str) -> dict[str, Any]:
"extra_sequential_color_schemes": conf["EXTRA_SEQUENTIAL_COLOR_SCHEMES"],
"extra_categorical_color_schemes": conf["EXTRA_CATEGORICAL_COLOR_SCHEMES"],
"theme_overrides": conf["THEME_OVERRIDES"],
- "menu_data": menu_data(user),
+ "menu_data": menu_data(g.user),
}
bootstrap_data.update(conf["COMMON_BOOTSTRAP_OVERRIDES_FUNC"](bootstrap_data))
return bootstrap_data
-def common_bootstrap_payload(user: User) -> dict[str, Any]:
+def common_bootstrap_payload() -> dict[str, Any]:
return {
- **cached_common_bootstrap_data(user, get_locale()),
+ **cached_common_bootstrap_data(utils.get_user_id(), get_locale()),
"flash_messages": get_flashed_messages(with_categories=True),
}
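Review bot: The cache key passed on the `cached_common_bootstrap_data(utils.get_user_id(), get_locale())` line and the `menu_data(g.user)` computed inside the memoized body are only consistent by convention, so any caller that hands in an id other than the current user's would fill that id's slot with another user's menu for the 60-second timeout; a comment at the `menu_data` line makes the contract explicit: `# cache key is (user_id, locale); g.user must be the principal user_id refers to`. Separately, when `get_user_id()` returns None — anonymous requests, and presumably also the `AnonymousUserMixin` session the embedded view logs in — all such requests share a single entry per locale, which is correct only if `menu_data(g.user)` is identical for every one of them; worth confirming rather than assuming. The body of `cached_common_bootstrap_data` starts outside this hunk.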
@@ -538,7 +542,7 @@ def show_unexpected_exception(ex: Exception) -> FlaskResponse:
def get_common_bootstrap_data() -> dict[str, Any]:
def serialize_bootstrap_data() -> str:
return json.dumps(
- {"common": common_bootstrap_payload(g.user)},
+ {"common": common_bootstrap_payload()},
default=utils.pessimistic_json_iso_dttm_ser,
)
@@ -556,7 +560,7 @@ class SupersetModelView(ModelView):
def render_app_template(self) -> FlaskResponse:
payload = {
"user": bootstrap_user_data(g.user, include_perms=True),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
}
return self.render_template(
"superset/spa.html",
diff --git a/superset/views/core.py b/superset/views/core.py
index e39edb99af..22e09f9ff4 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -636,7 +636,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
"force": force,
"user": bootstrap_user_data(g.user, include_perms=True),
"forced_height": request.args.get("height"),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
}
if slc:
title = slc.slice_name
@@ -896,7 +896,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
bootstrap_data=json.dumps(
{
"user": bootstrap_user_data(g.user, include_perms=True),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
},
default=utils.pessimistic_json_iso_dttm_ser,
),
@@ -990,7 +990,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
payload = {
"user": bootstrap_user_data(g.user, include_perms=True),
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
}
return self.render_template(
diff --git a/superset/views/dashboard/views.py b/superset/views/dashboard/views.py
index ba8b8b2fb3..e3a931105a 100644
--- a/superset/views/dashboard/views.py
+++ b/superset/views/dashboard/views.py
@@ -151,7 +151,7 @@ class Dashboard(BaseSupersetView):
)
bootstrap_data = {
- "common": common_bootstrap_payload(g.user),
+ "common": common_bootstrap_payload(),
"embedded": {"dashboard_id": dashboard_id_or_slug},
}