* [Explore view] Use POST method for charting requests
* fix per code review comments
* more code review fixes
* code review fix: remove duplicated calls for getting values from request
* [geo] introduce "Auto Zoom" control
On geospatial visualization, checking the "Auto Zoom" control makes it
such that the viewport is fitted to the data upon rendering the chart.
For dashboards with region filters, the map should jump to the right
position.
Eventually we should enhance this to fly and ease to the position in an
animated way.
* Added TODO notes
This fixes an issue with the newer Google DBAPI library, which moved Row from google.cloud.bigquery._helper.Row to google.cloud.bigquery.Row, causing an ImportError
* Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files
Python's yaml.load can lead to code execution via crafted yaml files such as:
```yaml
code_exec: !!python/object/apply:subprocess.check_output ['ls']
```
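As an added illustration of why the switch matters (example code, not from the Superset commit), the snippet below feeds the document shown above to `yaml.safe_load`. The safe loader only constructs plain Python types, so the `!!python/object/apply` tag is rejected with a `ConstructorError` rather than turned into a `subprocess` call. It assumes PyYAML is installed; the inputs are constructed for the example.

```python
import yaml

# Constructed input: the same kind of document the commit message warns about.
# A full/unsafe PyYAML loader would resolve the python/object/apply tag into a
# call to subprocess.check_output; safe_load refuses to construct it at all.
UNTRUSTED_YAML = "code_exec: !!python/object/apply:subprocess.check_output ['ls']\n"

# Constructed benign configuration for comparison.
BENIGN_YAML = "name: demo\nlimit: 10\n"


def load_config(text):
    """Parse YAML from an untrusted source and return (data, error_name).

    yaml.safe_load builds only str, int, float, bool, list, dict, etc.
    Tagged nodes such as !!python/object/apply have no constructor in the
    SafeLoader, so they raise yaml.constructor.ConstructorError instead of
    executing anything.  The error is reported by class name so callers can
    log it without re-raising.
    """
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:  # ConstructorError subclasses YAMLError
        return None, type(exc).__name__


if __name__ == "__main__":
    print(load_config(BENIGN_YAML))     # ({'name': 'demo', 'limit': 10}, None)
    print(load_config(UNTRUSTED_YAML))  # (None, 'ConstructorError')
```

`yaml.load(text, Loader=yaml.SafeLoader)` is equivalent to `yaml.safe_load(text)`; the important thing is never to use `yaml.load` with `Loader=yaml.Loader`, `yaml.UnsafeLoader` or `yaml.FullLoader` on input that an attacker can influence.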
* Fixed XSS via bleach
It was possible to get an XSS via the markdown library by simply setting a description containing arbitrary HTML tags.
It was also possible to create links that went to the `javascript:` link handler (eg `[example](javascript:alert(0))`)
Using bleach to sanitize it solves both of these.
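To make the two fixes concrete, here is an added example (not Superset's code, and not bleach itself) of the allowlist policy a bleach-style sanitizer enforces on rendered markdown: tags outside the allowlist are dropped while their text is kept escaped, attributes outside the allowlist are removed, and an `href` whose scheme is not `http`, `https` or `mailto` (such as `javascript:`) is stripped. It uses only the standard library; the allowlists and sample inputs are constructed for this illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist, modelled on the kind of policy a bleach-based
# sanitizer applies to markdown output (not Superset's actual configuration).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "ul", "ol", "li", "code", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_href(value):
    """Accept relative links and http(s)/mailto; reject javascript:, data:, etc."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes.

    Disallowed tags are dropped entirely (their text content survives, escaped),
    and unsafe attribute values such as javascript: URLs are removed.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value or ""):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text nodes are re-escaped so no raw markup leaks through.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize(fragment):
    """Return a sanitized copy of an HTML fragment (e.g. rendered markdown)."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed samples: a benign description and the two cases from the fix.
    for sample in ('<p>Hello <b>world</b></p>',
                   '<a href="javascript:alert(0)">example</a>',
                   '<img src=x onerror=alert(1)>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Running the sanitizer on the output of the markdown renderer (rather than on the markdown source) is what closes both holes: raw HTML typed into a description never reaches the page unfiltered, and a `javascript:` link loses its `href`.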
* Added XFO header by default to prevent clickjacking attacks
Note that with this application clickjacking can be relatively severe via the SQL Lab functionality,
which allows executing arbitrary SQL.
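The following is an added, framework-agnostic illustration (not Superset's own change) of sending the X-Frame-Options header by default: a small WSGI middleware that appends `X-Frame-Options: SAMEORIGIN` to any response that does not already carry a value, so an explicit per-view policy still wins. The stand-in application, the chosen default value and the `run_request` helper are all constructed for the example; a Flask application would typically do the same in an `after_request` hook.

```python
from wsgiref.util import setup_testing_defaults

# Constructed default. DENY is stricter and appropriate when the application
# never needs to be framed, even by its own origin.
X_FRAME_OPTIONS = "SAMEORIGIN"


class FrameOptionsMiddleware:
    """WSGI middleware that adds X-Frame-Options to every response lacking it."""

    def __init__(self, app, value=X_FRAME_OPTIONS):
        self.app = app
        self.value = value

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            if "x-frame-options" not in names:
                headers = list(headers) + [("X-Frame-Options", self.value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def make_app(extra_headers=()):
    """Constructed stand-in for the application: an HTML page such as SQL Lab."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html"), *extra_headers])
        return [b"<html><body>SQL Lab</body></html>"]
    return app


def run_request(app, path="/"):
    """Drive a WSGI app once in-process and return status, headers and body."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    captured["body"] = b"".join(app(environ, start_response))
    return captured


if __name__ == "__main__":
    print(run_request(make_app())["headers"])                          # no frame policy
    print(run_request(FrameOptionsMiddleware(make_app()))["headers"])  # SAMEORIGIN added
```

Because clickjacking only requires that the victim's authenticated session render inside an attacker-controlled frame, the header has to be present on every page that performs state-changing actions, which is why a default applied at the application boundary is preferable to per-view opt-in.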
* Added justification for dangerouslySetInnerHTML
* Fixed linting errors
* Fixed linting errors
* Add permissions checks for save_or_overwrite_slice
* Change is_owner to check_ownership
* Add translation to chart and dashboard error messages
* Appease the python linter by using single quotes
Druid sometimes returns error messages that are contained in "<>", as in
`<urlopen error [Errno 61] Connection refused>`. Since Superset's
approach is often to bubble up messages coming from external libraries,
it's impossible to predict whether they will contain special characters.
There are some cases where our error handling does return some html
(presto?), but we should manage that upstream. Plus the current setup has
security concerns, so let's move away from that.
fillna would miss out on identifying STRING columns for Druid and
replace None in string columns with a numeric `0`. This
mixed type column would confuse
pandas down the line on some operations like `df.pivot_table`.
Though flask has a builtin web debugger, ipdb sometimes still works
better. So I think adding ipdb to dev dependencies is a good option for
people who prefer CLI debugging.
* cast postgresql date_trunc() to timestamp without time zone to prevent pandas error
* fix formatting for flake8
* change cast to timezone conversion instead
* Update installation.rst for Ubuntu 16.04 LTS
Ubuntu 16.04 by default installs python2.7 alongside python 3.5 and sets python2.7 as default. If you have created a virtualenv with python3.5, compilation fails due to the wrong python-dev library being installed.
If you install ``python3.5-dev`` the build for the wheel package of ``cryptography`` runs fine.
* Add options in D3_TIME_FORMAT_OPTIONS for non-english Time Format.
Added '%d/%m/%Y' and '%d/%m/%Y %H:%M:%S' as valid drop-down option for Axis Format
* [cli] permission cleanup on 'superset init'
FAB sometimes creates NULL/None permissions in the database,
presumably a race condition when multiple gunicorn workers start at the
same time, and those create issues raising "AttributeError: 'NoneType'
object has no attribute 'name'"
* Linting
* Use the query_obj as the basis for the cache key
When we recently moved from hashing form_data to define the cache_key
towards using the rendered query instead,
it made it such that non-deterministic form
control values like relative times specified in the "from" and "until" time
bounds missed the cache 100% of the time.
Here we move away from using the rendered query and use the query_obj
instead.
* Deprecating using form_data in templates