Posted to commits@superset.apache.org by mi...@apache.org on 2023/01/05 19:57:31 UTC

[superset] 11/14: fix: deprecate approve and request_access endpoint (#22022)

This is an automated email from the ASF dual-hosted git repository.

michaelsmolina pushed a commit to branch 1.5
in repository https://gitbox.apache.org/repos/asf/superset.git

commit 387ee4ff4ffb699a05d1e306a21f33a02f76c3f9
Author: Daniel Vaz Gaspar <da...@gmail.com>
AuthorDate: Mon Nov 7 08:55:15 2022 +0000

    fix: deprecate approve and request_access endpoint (#22022)
    
    Co-authored-by: Michael S. Molina <70...@users.noreply.github.com>
    (cherry picked from commit 358a4ecedd13a20b3491ca9f536d773d87b6ca65)
---
 UPDATING.md                             |  1 +
 superset/views/core.py                  | 16 ++++++++++++++--
 tests/integration_tests/access_tests.py |  6 +++---
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/UPDATING.md b/UPDATING.md
index de9588656c..cbba76216b 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -24,6 +24,7 @@ assists people when migrating to a new version.
 
 ## Next
 
+- [22022](https://github.com/apache/superset/pull/22022): HTTP API endpoints `/superset/approve` and `/superset/request_access` have been deprecated and their HTTP methods were changed from GET to POST
 - [21895](https://github.com/apache/superset/pull/21895): Markdown components had their security increased by adhering to the same sanitization process enforced by Github. This means that some HTML elements found in markdowns are not allowed anymore due to the security risks they impose. If you're deploying Superset in a trusted environment and wish to use some of the blocked elements, then you can use the HTML_SANITIZATION_SCHEMA_EXTENSIONS configuration to extend the default sanitizati [...]
 
 ## 1.5.2
diff --git a/superset/views/core.py b/superset/views/core.py
index 7a244fd278..863f75f004 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -272,8 +272,14 @@ class Superset(BaseSupersetView):  # pylint: disable=too-many-public-methods
 
     @has_access
     @event_logger.log_this
-    @expose("/request_access/")
+    @expose("/request_access/", methods=["POST"])
     def request_access(self) -> FlaskResponse:
+        logger.warning(
+            "%s.approve "
+            "This API endpoint is deprecated and will be removed in version 3.0.0",
+            self.__class__.__name__,
+        )
+
         datasources = set()
         dashboard_id = request.args.get("dashboard_id")
         if dashboard_id:
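Review bot: The deprecation warning added to `request_access` names the wrong endpoint: its first format fragment is `"%s.approve "`, apparently copied from the `approve` handler, so log lines for this view will read `Superset.approve`. Anyone using these warnings to find remaining callers before removal, or to audit who is still hitting the access-request endpoints, would attribute the traffic to the wrong view. Change the fragment to `"%s.request_access "`. The body of `request_access` continues past the end of this hunk.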
@@ -315,7 +321,7 @@ class Superset(BaseSupersetView):  # pylint: disable=too-many-public-methods
 
     @has_access
     @event_logger.log_this
-    @expose("/approve")
+    @expose("/approve", methods=["POST"])
     def approve(self) -> FlaskResponse:  # pylint: disable=too-many-locals,no-self-use
         def clean_fulfilled_requests(session: Session) -> None:
             for dar in session.query(DAR).all():
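Review bot: Restricting `/approve` to POST only prevents a role grant from being triggered cross-site if a CSRF token is actually enforced on this view, and nothing in this diff shows that check. It is worth confirming that neither this route nor `/request_access/` (previous hunk) is on a CSRF exemption list in the deployment configuration. A short comment above the decorator, such as `# POST-only: state-changing, relies on CSRF protection`, would record why the method was changed. The body of `approve` continues outside this hunk.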
@@ -329,6 +335,12 @@ class Superset(BaseSupersetView):  # pylint: disable=too-many-public-methods
                     session.delete(dar)
             session.commit()
 
+        logger.warning(
+            "%s.approve "
+            "This API endpoint is deprecated and will be removed in version 3.0.0",
+            self.__class__.__name__,
+        )
+
         datasource_type = request.args["datasource_type"]
         datasource_id = request.args["datasource_id"]
         created_by_username = request.args.get("created_by")
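Review bot: `approve` still reads `datasource_type`, `datasource_id` and `created_by` from `request.args`, so after the switch to POST the inputs that decide whose access is extended continue to travel in the URL query string, where they end up in proxy and access logs. `request_access` does the same with `dashboard_id` in the first core.py hunk. If the query-string contract is kept deliberately until removal, say so in a comment, e.g. `# params intentionally stay in the query string until removal in 3.0.0`; otherwise `request.values` would accept form-encoded bodies as well. The rest of the function is outside this hunk.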
diff --git a/tests/integration_tests/access_tests.py b/tests/integration_tests/access_tests.py
index 13febbd413..b92b83c582 100644
--- a/tests/integration_tests/access_tests.py
+++ b/tests/integration_tests/access_tests.py
@@ -304,7 +304,7 @@ class TestRequestAccess(SupersetTestCase):
         session.commit()
         access_requests = self.get_access_requests("gamma", "table", ds_1_id)
         self.assertTrue(access_requests)
-        self.client.get(
+        self.client.post(
             EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
         )
         access_requests = self.get_access_requests("gamma", "table", ds_1_id)
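Review bot: Nothing in this hunk asserts that the old GET form of the request is now refused, which is the behaviour this commit introduces; the tests only swap `self.client.get` for `self.client.post`. Add a negative case such as `self.assertEqual(self.client.get(url).status_code, 405)`, where `url` is the same formatted `EXTEND_ROLE_REQUEST`, so a later regression to GET-accessible grants is caught. The response of the `post` call is also discarded; checking its status would separate a routing failure from a failure in the access logic. The two later hunks in this file have the same shape, and the enclosing test methods start and end outside the hunks.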
@@ -343,7 +343,7 @@ class TestRequestAccess(SupersetTestCase):
         access_requests = self.get_access_requests("gamma", "table", ds_1_id)
         self.assertTrue(access_requests)
         # gamma2 request gets fulfilled
-        self.client.get(
+        self.client.post(
             EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
         )
         access_requests = self.get_access_requests("gamma", "table", ds_1_id)
@@ -386,7 +386,7 @@ class TestRequestAccess(SupersetTestCase):
         gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE))
         session.commit()
         # gamma2 request gets fulfilled
-        self.client.get(
+        self.client.post(
             EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
         )
         access_requests = self.get_access_requests("gamma", "table", ds_1_id)