You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2021/11/17 21:06:18 UTC

[GitHub] [superset] etr2460 opened a new pull request #17468: chore: Add test for flask wtf csrf exempt config

etr2460 opened a new pull request #17468:
URL: https://github.com/apache/superset/pull/17468


   <!---
   Please write the PR title following the conventions at https://www.conventionalcommits.org/en/v1.0.0/
   Example:
   fix(dashboard): load charts correctly
   -->
   
   ### SUMMARY
   Follow up from https://github.com/apache/superset/pull/17429 to try and add a test to ensure this doesn't break again
   
   ### TESTING INSTRUCTIONS
   CI, haven't been able to test locally, so opened this to run the tests in ci
   
   ### ADDITIONAL INFORMATION
   <!--- Check any relevant boxes with "x" -->
   <!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue -->
   - [ ] Has associated issue:
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
     - [ ] Migration is atomic, supports rollback & is backwards-compatible
     - [ ] Confirm DB migration upgrade and downgrade tested
     - [ ] Runtime estimates and downtime expectations provided
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [superset] ofekisr commented on a change in pull request #17468: chore: Add test for flask wtf csrf exempt config

Posted by GitBox <gi...@apache.org>.

ofekisr commented on a change in pull request #17468:
URL: https://github.com/apache/superset/pull/17468#discussion_r752607177



##########
File path: tests/integration_tests/config_tests.py
##########
@@ -168,6 +168,17 @@ def test_full_setting(self):
         self.assertEqual(dttm_col.python_date_format, "epoch_s")
         self.assertEqual(dttm_col.expression, "CAST(dttm as INTEGER)")
 
+    def test_wtf_csrf_exempt_list(self):
+        # ensure that the exempt apis actually exist
+
+        # Derived from logic in flask-wtf:
+        # https://github.com/wtforms/flask-wtf/blob/v1.0.0/src/flask_wtf/csrf.py#L223-L224
+        all_view_functions = {
+            f"{view.__module__}.{view.__name__}" for view in app.view_functions.values()
+        }
+        for exempt_api in app.config["WTF_CSRF_EXEMPT_LIST"]:

Review comment:
       Rare use case, but you should check against the default config (superset.config) and not from the test config 
   




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [superset] ofekisr commented on a change in pull request #17468: chore: Add test for flask wtf csrf exempt config

Posted by GitBox <gi...@apache.org>.

ofekisr commented on a change in pull request #17468:
URL: https://github.com/apache/superset/pull/17468#discussion_r752607177



##########
File path: tests/integration_tests/config_tests.py
##########
@@ -168,6 +168,17 @@ def test_full_setting(self):
         self.assertEqual(dttm_col.python_date_format, "epoch_s")
         self.assertEqual(dttm_col.expression, "CAST(dttm as INTEGER)")
 
+    def test_wtf_csrf_exempt_list(self):
+        # ensure that the exempt apis actually exist
+
+        # Derived from logic in flask-wtf:
+        # https://github.com/wtforms/flask-wtf/blob/v1.0.0/src/flask_wtf/csrf.py#L223-L224
+        all_view_functions = {
+            f"{view.__module__}.{view.__name__}" for view in app.view_functions.values()
+        }
+        for exempt_api in app.config["WTF_CSRF_EXEMPT_LIST"]:

Review comment:
       Rare use case, but you should check against the default config (superset.config) and not from the test config even if the test config does not contain "WTF_CSRF_EXEMPT_LIST" key
   




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [superset] ofekisr commented on a change in pull request #17468: chore: Add test for flask wtf csrf exempt config

Posted by GitBox <gi...@apache.org>.

ofekisr commented on a change in pull request #17468:
URL: https://github.com/apache/superset/pull/17468#discussion_r752607177



##########
File path: tests/integration_tests/config_tests.py
##########
@@ -168,6 +168,17 @@ def test_full_setting(self):
         self.assertEqual(dttm_col.python_date_format, "epoch_s")
         self.assertEqual(dttm_col.expression, "CAST(dttm as INTEGER)")
 
+    def test_wtf_csrf_exempt_list(self):
+        # ensure that the exempt apis actually exist
+
+        # Derived from logic in flask-wtf:
+        # https://github.com/wtforms/flask-wtf/blob/v1.0.0/src/flask_wtf/csrf.py#L223-L224
+        all_view_functions = {
+            f"{view.__module__}.{view.__name__}" for view in app.view_functions.values()
+        }
+        for exempt_api in app.config["WTF_CSRF_EXEMPT_LIST"]:

Review comment:
       Rare use case, but you should check against the default config (superset.config) and not from the test config even if the test config does not contains "WTF_CSRF_EXEMPT_LIST" key
   




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [superset] ofekisr commented on pull request #17468: chore: Add test for flask wtf csrf exempt config

Posted by GitBox <gi...@apache.org>.

ofekisr commented on pull request #17468:
URL: https://github.com/apache/superset/pull/17468#issuecomment-972760703


   > Any ideas why tests are failing here? My new test is working at least :/
   
   you should debug it, contact me if you need help


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org

[GitHub] [superset] etr2460 commented on pull request #17468: chore: Add test for flask wtf csrf exempt config

Posted by GitBox <gi...@apache.org>.

etr2460 commented on pull request #17468:
URL: https://github.com/apache/superset/pull/17468#issuecomment-972300917


   Any ideas why tests are failing here? My new test is working at least :/


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org