From dd39138e6e9215c1548ff564b82487e83d2e8a94 Mon Sep 17 00:00:00 2001
From: Jack <41238731+fisjac@users.noreply.github.com>
Date: Thu, 7 Nov 2024 11:24:15 -0600
Subject: [PATCH] fix(chart data): removing query from /chart/data payload when accessing as guest user (#30858)
---
 superset/charts/data/api.py | 7 ++-
 tests/integration_tests/charts/api_tests.py | 56 +++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/superset/charts/data/api.py b/superset/charts/data/api.py
index ae88fdef5ad15..653b09896e86f 100644
--- a/superset/charts/data/api.py
+++ b/superset/charts/data/api.py
@@ -394,8 +394,13 @@ def _process_data(query_data: Any) -> Any:
 )
 if result_format == ChartDataResultFormat.JSON:
+ queries = result["queries"]
+ if security_manager.is_guest_user():
+ for query in queries:
+ with contextlib.suppress(KeyError):
+ del query["query"]
 response_data = json.dumps(
- {"result": result["queries"]},
+ {"result": queries},
 default=json.json_int_dttm_ser,
 ignore_nan=True,
 )
diff --git a/tests/integration_tests/charts/api_tests.py b/tests/integration_tests/charts/api_tests.py
index a99ba04f78427..784c4651ada29 100644
--- a/tests/integration_tests/charts/api_tests.py
+++ b/tests/integration_tests/charts/api_tests.py
@@ -24,6 +24,7 @@
 import prison
 import pytest
 import yaml
+from flask import g
 from flask_babel import lazy_gettext as _
 from parameterized import parameterized
 from sqlalchemy import and_
@@ -62,6 +63,7 @@
 dataset_config,
 dataset_metadata_config,
 )
+from tests.integration_tests.fixtures.query_context import get_query_context
 from tests.integration_tests.fixtures.tags import (
 create_custom_tags, # noqa: F401
 get_filter_params,
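Review bot: The guest-user redaction in the JSON branch is a denylist of a single key applied to result["queries"] right before json.dumps, so any other per-query field that could carry SQL or database detail (an error message on a failed query, for example, if the result dict ever holds one — not visible in this hunk) still reaches the guest; an explicit allowlist of the fields a guest may receive would be the more robust shape, and if this function has other result_format or result_type branches outside the hunk it is worth checking that none of them returns the same text another way. The in-place `del query["query"]` also assumes these dicts are not shared with a cache entry a later non-guest request reads back — please confirm. Stylistically, `with contextlib.suppress(KeyError): del query["query"]` spends two lines and an import where `query.pop("query", None)` does the same. The enclosing function starts and ends outside the hunk.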
@@ -2327,3 +2329,57 @@ def test_update_chart_no_tag_changes(self):
 security_manager.add_permission_role(alpha_role, write_tags_perm)
 security_manager.add_permission_role(alpha_role, tag_charts_perm)
+
+ @patch("superset.security.manager.SupersetSecurityManager.has_guest_access")
+ @patch("superset.security.manager.SupersetSecurityManager.is_guest_user")
+ @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
+ def test_get_chart_data_as_guest_user(
+ self, is_guest_user, has_guest_access
+ ): # get_guest_rls_filters
+ """
+ Chart API: Test create simple chart
+ """
+ self.login(ADMIN_USERNAME)
+ g.user.rls = []
+ is_guest_user.return_value = True
+ has_guest_access.return_value = True
+
+ with mock.patch.object(Slice, "get_query_context") as mock_get_query_context:
+ mock_get_query_context.return_value = get_query_context("birth_names")
+ rv = self.client.post(
+ "api/v1/chart/data", # noqa: F541
+ json={
+ "datasource": {"id": 2, "type": "table"},
+ "queries": [
+ {
+ "extras": {"where": "", "time_grain_sqla": "P1D"},
+ "columns": ["name"],
+ "metrics": [{"label": "sum__num"}],
+ "orderby": [("sum__num", False)],
+ "row_limit": 100,
+ "granularity": "ds",
+ "time_range": "100 years ago : now",
+ "timeseries_limit": 0,
+ "timeseries_limit_metric": None,
+ "order_desc": True,
+ "filters": [
+ {"col": "gender", "op": "==", "val": "boy"},
+ {"col": "num", "op": "IS NOT NULL"},
+ {
+ "col": "name",
+ "op": "NOT IN",
+ "val": ["", '"abc"'],
+ },
+ ],
+ "having": "",
+ "where": "",
+ }
+ ],
+ "result_format": "json",
+ "result_type": "full",
+ },
+ )
+ data = json.loads(rv.data.decode("utf-8"))
+ result = data["result"]
+ excluded_key = "query"
+ assert all([excluded_key not in query for query in result])
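Review bot: The closing assertion passes vacuously when result is empty and never shows the key was present to begin with, so the test would still go green if the endpoint returned no queries or had never emitted "query" at all; add `assert rv.status_code == 200` and `assert result` ahead of it, and a positive control (the same request with is_guest_user returning False, asserting "query" is present) would actually pin the behavior this commit introduces. The docstring `Chart API: Test create simple chart` is copied from another test and describes nothing here — replace it with `Chart API: guest-user /chart/data responses must not contain the SQL "query" field`; the `# get_guest_rls_filters` remark after the signature and the `# noqa: F541` on a plain (non f-string) literal read as leftovers. `all([... for query in result])` can drop the list brackets so the generator short-circuits. The enclosing class continues outside the hunk.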