Query Result API response shouldn't include query information for non authenticated users #3985
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
July 16, 2019 09:12
…isualization and therefore do not return any promise
…se something needs to be done with it at a later time, and it's the right thing to do anyway
added 2 commits
July 16, 2019 11:17
arikfr
reviewed
Jul 16, 2019
| @@ -57,6 +57,14 @@ def _get_column_lists(columns): | |||
| return fieldnames, special_columns | |||
|
|
|||
|
|
|||
| def serialize_query_result(query_result, is_api_user): | |||
| if is_api_user: | |||
There was a problem hiding this comment.
It's safe to use current_user in the serialization code instead of passing is_api_user. It's not a big deal for this PR, but #3782 will extend this method to apply other checks anyway.
redash/serializers/query_result.py
Outdated
| def serialize_query_result(query_result, is_api_user): | ||
| if is_api_user: | ||
| publicly_needed_keys = ['data', 'retrieved_at'] | ||
| return {key: query_result.to_dict()[key] for key in publicly_needed_keys} |
There was a problem hiding this comment.
Current implementation will call to_dict multiple times, which will result in calling json_loads multiple times.
You should make sure to call to_dict only once, and you can also use project instead of "manual" extraction.
There was a problem hiding this comment.
You've shown me project before, and I was looking for it with the wrong search term (looked for dict masking in Python, but all examples were soooo complicated). Thanks! 371ecd2
harveyrendell
pushed a commit
to pushpay/redash
that referenced
this pull request
Nov 14, 2019
… authenticated users (getredash#3985) * avoid catching errors on text widgets' load(), as they don't have a visualization and therefore do not return any promise * throw error when failing to load widgets on public dashboards - in case something needs to be done with it at a later time, and it's the right thing to do anyway * use Promise.resolve instead of checking for undefined * call serialize_query_result instead of directly calling to_dict * filter unneeded query result fields for unauthenticated users * test for serialization filtering * lint * use project instead of list comprehension
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Query Results API response should include the bare minimum fields if this is an API call (dashboard, query) and not an authenticated user.
We need to move the serialization logic into
redash.serializersand apply the relevant checks.