Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/03/23 00:21:11 UTC

[GitHub] [airflow] mik-laj commented on a change in pull request #14895: Add REST API query sort and order to some endpoints

mik-laj commented on a change in pull request #14895:
URL: https://github.com/apache/airflow/pull/14895#discussion_r599160578



##########
File path: airflow/api_connexion/parameters.py
##########
@@ -86,3 +87,32 @@ def wrapped_function(*args, **kwargs):
         return cast(T, wrapped_function)
 
     return format_parameters_decorator
+
+
+def apply_sorting(model, query, order_by, to_replace=None):
+    """Apply sorting to query"""
+    if to_replace:
+        for key, value in to_replace.items():
+            if key == order_by:
+                order_by = value
+    if order_by.strip('-') not in (i.name for i in model.__table__.columns):
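
Review bot: the alias lookup at `if key == order_by:` compares against the raw parameter, so a descending request such as `-connection_id` never matches its `to_replace` key and then fails the column check. Separately, `order_by.strip('-')` removes any number of dashes from both ends, so values like `--name` or `name-` pass validation. Split off a single leading `-` first, then map and validate the bare name. The loop can also be reduced to `to_replace.get(order_by, order_by)`. The membership test accepts every entry in `model.__table__.columns`; an explicit per-endpoint list of sortable fields would keep non-exposed columns out of reach. The function also needs a docstring that describes `to_replace` and the `-` prefix convention.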

Review comment:
   It does not look safe, because it allows you to sort on any attribute of an object, including one that is hidden, e.g. password, account creation date. This way, we may be vulnerable to password leakage.

   Some attributes have a different name in the API and others in the API object, e.g. in the REST API we use connection_id, and in the database conn_id. I think it's worth using one field name convention in the API.




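An explicit allow-list form of the sorting check discussed in the review comment above, as an added example that is not code from the pull request or from Airflow. `SORTABLE_FIELDS`, `resolve_order_by`, `list_connections` and `sample_db` are hypothetical names, and the table is constructed sample data in stdlib `sqlite3` rather than the project's SQLAlchemy models.

```python
import sqlite3

# Hypothetical allow-list: public API field name -> database column.
# Columns absent from this map (e.g. password) can never be sorted on.
SORTABLE_FIELDS = {
    "connection_id": "conn_id",
    "conn_type": "conn_type",
    "host": "host",
}


def resolve_order_by(order_by, allowed=SORTABLE_FIELDS):
    """Return (column, descending) for an API order_by value, or raise ValueError."""
    descending = order_by.startswith("-")
    # Remove at most one leading '-'; "--host" and "host-" are rejected below.
    name = order_by[1:] if descending else order_by
    if name not in allowed:
        raise ValueError(f"Ordering with '{name}' is disallowed")
    return allowed[name], descending


def list_connections(db, order_by="connection_id"):
    """Return conn_id values sorted by an allow-listed API field."""
    column, descending = resolve_order_by(order_by)
    # Safe to interpolate: column is a SORTABLE_FIELDS value, never request text.
    direction = "DESC" if descending else "ASC"
    rows = db.execute(f"SELECT conn_id FROM connection ORDER BY {column} {direction}")
    return [r[0] for r in rows]


def sample_db():
    """Constructed sample data, for illustration only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE connection (conn_id TEXT, conn_type TEXT, host TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO connection VALUES (?, ?, ?, ?)",
        [("pg_main", "postgres", "db2.example", "zzz"),
         ("aws_default", "aws", "", "mmm"),
         ("http_api", "http", "api.example", "aaa")],
    )
    return db


if __name__ == "__main__":
    print(list_connections(sample_db(), "-connection_id"))
```

Only the public name `connection_id` is accepted; the database name `conn_id` is rejected along with `password`, which keeps a single field-name convention at the API boundary.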