pt
/
superset
mirror of https://github.com/apache/superset.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: query search low privileged user search access denied (#11017)

This commit is contained in:
Daniel Vaz Gaspar 2020-09-23 14:16:24 +01:00 committed by GitHub
parent 50852dfbbf
commit ba009b7c09
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
superset/views/core.py
View File

@ -2469,14 +2469,15 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
:returns: Response with list of sql query dicts
"""
query = db.session.query(Query)
if security_manager.can_access_all_queries():
search_user_id = request.args.get("user_id")
elif (
request.args.get("user_id") is not None
and request.args.get("user_id") != g.user.get_user_id()
):
return Response(status=403, mimetype="application/json")
elif request.args.get("user_id") is not None:
try:
search_user_id = int(cast(int, request.args.get("user_id")))
except ValueError:
return Response(status=400, mimetype="application/json")
if search_user_id != g.user.get_user_id():
return Response(status=403, mimetype="application/json")
else:
search_user_id = g.user.get_user_id()
database_id = request.args.get("database_id")
@ -2486,6 +2487,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
from_time = request.args.get("from")
to_time = request.args.get("to")
query = db.session.query(Query)
if search_user_id:
# Filter on user_id
query = query.filter(Query.user_id == search_user_id)
@ -2500,7 +2502,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
if search_text:
# Filter on search text
query = query.filter(Query.sql.like("%{}%".format(search_text)))
query = query.filter(Query.sql.like(f"%{search_text}%"))
if from_time:
query = query.filter(Query.start_time > int(from_time))