-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Be more permissive when parameters are safe #3383
Merged
Merged
Changes from 29 commits
Commits
Show all changes
38 commits
Select commit
Hold shift + click to select a range
cd2cee7
use the textless endpoint (/api/queries/:id/results) for pristine
e8ceeb7
reverse conditional. not not is making me the headaches.
06917ce
add ParameterizedQuery#is_safe with an inital naive implementation which
31e2238
allow getting new query results even if user has only view permissions
c93ed69
Merge branch 'master' into use-textless-endpoint-for-pristine-queries
d11e4e7
Merge branch 'use-textless-endpoint-for-pristine-queries' into be-mor…
f858ca0
fix lint error - getDerivedStateFromProps should be placed after state
9bd2308
Merge branch 'fix-time-ago-lint' into be-more-permissive-when-paramet…
04a1adf
Merge branch 'master' into use-textless-endpoint-for-pristine-queries
9fc9fcb
Revert "use the textless endpoint (/api/queries/:id/results) for pris…
ab5eb8f
move execution preparation to a different function, which will be soon
df4e9e4
go to textless /api/queries/:id/results by default
49c9a68
let the query view decide if text or textless endpoint is needed
65e742c
Merge branch 'use-textless-endpoint-for-pristine-queries' into be-mor…
8716626
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
d308a4d
allow safe queries to be executed in the UI even if the user has no
8807e6a
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
6c385c0
change `run_query`'s signature to accept a ParameterizedQuery instead of
4682368
use dict#get instead of a None guard
da45021
use ParameterizedQuery in queries handler as well
5493f97
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
ae139fa
test that /queries/:id/results allows execution of safe queries even if
c1b2d12
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
4518d12
lint
2202403
raise HTTP 400 when receiving invalid parameter values. Fixes #3394
926b679
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
df62d8d
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
ca08af3
remove unused methods
c698a03
avoid cyclic imports by importing only when needed
97df888
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
fca4f1e
verify that a ParameterizedQuery without any parameters is considered
70ea5b9
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
c66cfab
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
dc3f221
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
8027ed2
Merge branch 'be-more-permissive-when-parameters-are-safe' of github.…
65b6b2a
Merge branch 'master' into be-more-permissive-when-parameters-are-safe
5bdab05
introduce query.parameter_schema
9d5e231
encapsulate ParameterizedQuery creation inside Query
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -10,6 +10,7 @@ | |
from redash import models | ||
from redash.permissions import has_access, view_only | ||
from redash.utils import json_loads | ||
from redash.utils.parameterized_query import ParameterizedQuery | ||
|
||
|
||
def public_widget(widget): | ||
|
@@ -100,6 +101,7 @@ def serialize_query(query, with_stats=False, with_visualizations=False, with_use | |
'options': query.options, | ||
'version': query.version, | ||
'tags': query.tags or [], | ||
'is_safe': ParameterizedQuery(query.query_text, query.options.get("parameters", [])).is_safe, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Not the first time I see this. Maybe we should have a There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
} | ||
|
||
if with_user: | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if the user changes the query and it's no longer safe?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then he will get a 403 back from the server. I'll say this is an edge case, which while not handled in the most elegant way, is a good enough solution.
We might want to consider a better error message there, though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should prevent editing query source when the user doesn't have Full Access permission to the data source. We might actually be doing this already.
Then this becomes a non issue. We can open a separate issue for this.