(refactor)Fix saved query access for SQL Lab users
LevisNgigi committed Dec 12, 2024
1 parent 423a0fe commit 0702ac1
Showing 2 changed files with 7 additions and 11 deletions.
11 changes: 5 additions & 6 deletions superset/queries/saved_queries/api.py
Expand Up @@ -17,10 +17,10 @@
import logging
from datetime import datetime
from io import BytesIO
from typing import Any
from typing import Any, List, Tuple
from zipfile import is_zipfile, ZipFile

from flask import g, request, Response, send_file
from flask import request, Response, send_file
from flask_appbuilder.api import expose, protect, rison, safe
from flask_appbuilder.models.sqla.interface import SQLAInterface
from flask_babel import ngettext
Expand All @@ -44,7 +44,6 @@
from superset.queries.saved_queries.filters import (
SavedQueryAllTextFilter,
SavedQueryFavoriteFilter,
SavedQueryFilter,
SavedQueryTagIdFilter,
SavedQueryTagNameFilter,
)
Expand Down Expand Up @@ -81,7 +80,7 @@ class SavedQueryRestApi(BaseSupersetModelRestApi):
resource_name = "saved_query"
allow_browser_login = True

base_filters = [["id", SavedQueryFilter, lambda: []]]
base_filters: List[Tuple[Any, ...]] = []

show_columns = [
"changed_on",
Expand Down Expand Up @@ -191,10 +190,10 @@ class SavedQueryRestApi(BaseSupersetModelRestApi):
allowed_distinct_fields = {"catalog", "schema"}

def pre_add(self, item: SavedQuery) -> None:
item.user = g.user
pass

def pre_update(self, item: SavedQuery) -> None:
self.pre_add(item)
pass

@expose("/", methods=("DELETE",))
@protect()
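Review bot: Setting `base_filters` to an empty list drops the only row-level scoping visible on `SavedQueryRestApi`, so every lookup that goes through the base query, presumably including the `DELETE` route at the end of this section, now resolves any user's saved query and relies on `@protect()` alone, which gates the endpoint rather than the row. If the goal is to let SQL Lab users read shared queries, I would keep a filter here (`base_filters = [["id", SavedQueryFilter, lambda: []]]`) and relax it per role inside the filter, leaving update and delete owner-scoped. `pre_add` being reduced to `pass` also stops stamping `item.user = g.user`, so ownership of a new row depends on what the add columns accept, which is not visible here; keep that assignment together with the `g` import. The commit is labelled a refactor but changes authorization behaviour, so it should come with a test that one non-admin user cannot modify or delete another user's saved query. The class body continues outside the hunks shown.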
7 changes: 2 additions & 5 deletions superset/queries/saved_queries/filters.py
Expand Up @@ -16,7 +16,6 @@
# under the License.
from typing import Any

from flask import g
from flask_babel import lazy_gettext as _
from flask_sqlalchemy import BaseQuery
from sqlalchemy import or_
Expand Down Expand Up @@ -82,10 +81,8 @@ class SavedQueryTagIdFilter(BaseTagIdFilter): # pylint: disable=too-few-public-
class SavedQueryFilter(BaseFilter): # pylint: disable=too-few-public-methods
def apply(self, query: BaseQuery, value: Any) -> BaseQuery:
"""
Filter saved queries to only those created by current user.
Allow access to all saved queries.
:returns: flask-sqlalchemy query
"""
return query.filter(
SavedQuery.created_by == g.user # pylint: disable=comparison-with-callable
)
return query
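Review bot: `SavedQueryFilter.apply` now returns `query` untouched, which leaves a filter class whose name still suggests scoping but enforces nothing, so a later `base_filters` entry that reuses it would silently grant access to all rows. Either delete the class now that api.py no longer imports it, or keep the restriction for ordinary users and return the unfiltered query only for an administrative role, with `return query.filter(SavedQuery.created_by == g.user)` as the default path. If it stays as is, the docstring should say `No-op: applies no ownership restriction; callers must enforce access elsewhere.` so nobody reads it as an access control.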
