refactor: Removes the deprecated ENABLE_EXPLORE_JSON_CSRF_PROTECTION feature flag (#26344)

2024-01-18 10:29:51 -03:00 · 2024-01-18 10:29:51 -03:00 · cf20b3439c
parent b06ab7d8e3
commit cf20b3439c
6 changed files with 21 additions and 17 deletions
--- a/RESOURCES/FEATURE_FLAGS.md
+++ b/RESOURCES/FEATURE_FLAGS.md
@ -86,7 +86,6 @@ These features flags currently default to True and **will be removed in a future
 - DASHBOARD_CROSS_FILTERS
 - DASHBOARD_FILTERS_EXPERIMENTAL
 - DASHBOARD_NATIVE_FILTERS
- ENABLE_EXPLORE_JSON_CSRF_PROTECTION
 - ENABLE_JAVASCRIPT_CONTROLS
 - GENERIC_CHART_AXES
 - KV_STORE
--- a/UPDATING.md
+++ b/UPDATING.md
@ -30,6 +30,7 @@ assists people when migrating to a new version.

 ### Breaking Changes

+- [26344](https://github.com/apache/superset/issues/26344): Removes the deprecated `ENABLE_EXPLORE_JSON_CSRF_PROTECTION` feature flag. The previous value of the feature flag was `False` and now the feature is permanently removed.
 - [26345](https://github.com/apache/superset/issues/26345): Removes the deprecated `ENABLE_TEMPLATE_REMOVE_FILTERS` feature flag. The previous value of the feature flag was `True` and now the feature is permanently enabled.
 - [26346](https://github.com/apache/superset/issues/26346): Removes the deprecated `REMOVE_SLICE_LEVEL_LABEL_COLORS` feature flag. The previous value of the feature flag was `False` and now the feature is permanently removed.
 - [26348](https://github.com/apache/superset/issues/26348): Removes the deprecated `CLIENT_CACHE` feature flag. The previous value of the feature flag was `False` and now the feature is permanently removed.
--- a/docs/docs/installation/configuring-superset.mdx
+++ b/docs/docs/installation/configuring-superset.mdx
@ -358,7 +358,6 @@ You can enable or disable features with flag from `superset_config.py`:

 ```python
 FEATURE_FLAGS = {
-    'ENABLE_EXPLORE_JSON_CSRF_PROTECTION': False,
    'PRESTO_EXPAND_DATA': False,
 }
 ```
--- a/superset/config.py
+++ b/superset/config.py
@ -409,14 +409,6 @@ DEFAULT_FEATURE_FLAGS: dict[str, bool] = {
    # editor no longer shows. Currently this is set to false so that the editor
    # option does show, but we will be depreciating it.
    "DISABLE_LEGACY_DATASOURCE_EDITOR": True,
-    # For some security concerns, you may need to enforce CSRF protection on
-    # all query request to explore_json endpoint. In Superset, we use
-    # `flask-csrf <https://sjl.bitbucket.io/flask-csrf/>`_ add csrf protection
-    # for all POST requests, but this protection doesn't apply to GET method.
-    # When ENABLE_EXPLORE_JSON_CSRF_PROTECTION is set to true, your users cannot
-    # make GET request to explore_json. explore_json accepts both GET and POST request.
-    # See `PR 7935 <https://github.com/apache/superset/pull/7935>`_ for more details.
-    "ENABLE_EXPLORE_JSON_CSRF_PROTECTION": False,  # deprecated
    "ENABLE_TEMPLATE_PROCESSING": False,
    # Allow for javascript controls components
    # this enables programmers to customize certain charts (like the
--- a/superset/views/core.py
+++ b/superset/views/core.py
@ -15,6 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 # pylint: disable=invalid-name
+# pylint: disable=too-many-lines
 from __future__ import annotations

 import contextlib
@ -238,19 +239,24 @@ class Superset(BaseSupersetView):  # pylint: disable=too-many-public-methods
        except SupersetException as ex:
            return json_error_response(utils.error_msg_from_exception(ex), 400)

-    EXPLORE_JSON_METHODS = ["POST"]
-    if not is_feature_enabled("ENABLE_EXPLORE_JSON_CSRF_PROTECTION"):
-        EXPLORE_JSON_METHODS.append("GET")
-
    @api
    @has_access_api
    @handle_api_exception
    @event_logger.log_this
    @expose(
        "/explore_json/<datasource_type>/<int:datasource_id>/",
-        methods=EXPLORE_JSON_METHODS,
+        methods=(
+            "GET",
+            "POST",
+        ),
+    )
+    @expose(
+        "/explore_json/",
+        methods=(
+            "GET",
+            "POST",
+        ),
    )
-    @expose("/explore_json/", methods=EXPLORE_JSON_METHODS)
    @etag_cache()
    @check_resource_permissions(check_datasource_perms)
    @deprecated(eol_version="4.0.0")
--- a/tests/integration_tests/core_tests.py
+++ b/tests/integration_tests/core_tests.py
@ -559,8 +559,15 @@ class TestCore(SupersetTestCase):
        self.assertEqual(clean_query, rendered_query)

    def test_slice_payload_no_datasource(self):
+        form_data = {
+            "viz_type": "dist_bar",
+        }
        self.login(username="admin")
-        data = self.get_json_resp("/superset/explore_json/", raise_on_error=False)
+        rv = self.client.post(
+            "/superset/explore_json/",
+            data={"form_data": json.dumps(form_data)},
+        )
+        data = json.loads(rv.data.decode("utf-8"))

        self.assertEqual(
            data["errors"][0]["message"],