You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2018/11/12 18:08:22 UTC
[GitHub] john-bodley closed pull request #6355: [404] Aborting for views
with invalid dashboard/slice IDs
john-bodley closed pull request #6355: [404] Aborting for views with invalid dashboard/slice IDs
URL: https://github.com/apache/incubator-superset/pull/6355
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/superset/views/core.py b/superset/views/core.py
index 9b79b7574c..37a4b6ab2c 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -9,7 +9,7 @@
from urllib import parse
from flask import (
- flash, g, Markup, redirect, render_template, request, Response, url_for,
+ abort, flash, g, Markup, redirect, render_template, request, Response, url_for,
)
from flask_appbuilder import expose, SimpleFormView
from flask_appbuilder.actions import action
@@ -1028,11 +1028,11 @@ def get_form_data(self, slice_id=None, use_slice_data=False):
# Include the slice_form_data if request from explore or slice calls
# or if form_data only contains slice_id
if slice_id and (use_slice_data or contains_only_slc_id):
- slc = db.session.query(models.Slice).filter_by(id=slice_id).first()
- slice_form_data = slc.form_data.copy()
-
- slice_form_data.update(form_data)
- form_data = slice_form_data
+ slc = db.session.query(models.Slice).filter_by(id=slice_id).one_or_none()
+ if slc:
+ slice_form_data = slc.form_data.copy()
+ slice_form_data.update(form_data)
+ form_data = slice_form_data
update_time_range(form_data)
@@ -1068,6 +1068,8 @@ def get_viz(
@expose('/slice/<slice_id>/')
def slice(self, slice_id):
form_data, slc = self.get_form_data(slice_id, use_slice_data=True)
+ if not slc:
+ abort(404)
endpoint = '/superset/explore/?form_data={}'.format(
parse.quote(json.dumps(form_data)),
)
@@ -2099,7 +2101,9 @@ def dashboard(self, dashboard_id):
else:
qry = qry.filter_by(slug=dashboard_id)
- dash = qry.one()
+ dash = qry.one_or_none()
+ if not dash:
+ abort(404)
datasources = set()
for slc in dash.slices:
datasource = slc.datasource
diff --git a/tests/core_tests.py b/tests/core_tests.py
index 70b6341662..2acd842c40 100644
--- a/tests/core_tests.py
+++ b/tests/core_tests.py
@@ -62,6 +62,10 @@ def test_login(self):
data=dict(username='admin', password='wrongPassword'))
self.assertIn('User confirmation needed', resp)
+ def test_dashboard_endpoint(self):
+ resp = self.client.get('/superset/dashboard/-1/')
+ assert resp.status_code == 404
+
def test_slice_endpoint(self):
self.login(username='admin')
slc = self.get_slice('Girls', db.session)
@@ -74,6 +78,9 @@ def test_slice_endpoint(self):
'/superset/slice/{}/?standalone=true'.format(slc.id))
assert 'List Roles' not in resp
+ resp = self.client.get('/superset/slice/-1/')
+ assert resp.status_code == 404
+
def test_cache_key(self):
self.login(username='admin')
slc = self.get_slice('Girls', db.session)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org