fix: Prevent cached bootstrap data from leaking between users w/ same…
… first/last name (apache#26023)
jfrag1 authored and sfirke committed Mar 22, 2024
1 parent 72806bf commit 93f6e36
Showing 4 changed files with 15 additions and 13 deletions.
4 changes: 2 additions & 2 deletions superset/embedded/view.py
Expand Up @@ -17,7 +17,7 @@
import json
from typing import Callable

from flask import abort, g, request
from flask import abort, request
from flask_appbuilder import expose
from flask_login import AnonymousUserMixin, login_user
from flask_wtf.csrf import same_origin
Expand Down Expand Up @@ -78,7 +78,7 @@ def embedded(
)

bootstrap_data = {
"common": common_bootstrap_payload(g.user),
"common": common_bootstrap_payload(),
"embedded": {
"dashboard_id": embedded.dashboard_id,
},
16 changes: 9 additions & 7 deletions superset/views/base.py
Expand Up @@ -296,7 +296,7 @@ def render_app_template(
) -> FlaskResponse:
payload = {
"user": bootstrap_user_data(g.user, include_perms=True),
"common": common_bootstrap_payload(g.user),
"common": common_bootstrap_payload(),
**(extra_bootstrap_data or {}),
}
return self.render_template(
Expand Down Expand Up @@ -380,7 +380,9 @@ def menu_data(user: User) -> dict[str, Any]:


@cache_manager.cache.memoize(timeout=60)
def cached_common_bootstrap_data(user: User, locale: str) -> dict[str, Any]:
def cached_common_bootstrap_data( # pylint: disable=unused-argument
user_id: int | None, locale: str
) -> dict[str, Any]:
"""Common data always sent to the client
The function is memoized as the return value only changes when user permissions
Expand Down Expand Up @@ -417,15 +419,15 @@ def cached_common_bootstrap_data(user: User, locale: str) -> dict[str, Any]:
"extra_sequential_color_schemes": conf["EXTRA_SEQUENTIAL_COLOR_SCHEMES"],
"extra_categorical_color_schemes": conf["EXTRA_CATEGORICAL_COLOR_SCHEMES"],
"theme_overrides": conf["THEME_OVERRIDES"],
"menu_data": menu_data(user),
"menu_data": menu_data(g.user),
}
bootstrap_data.update(conf["COMMON_BOOTSTRAP_OVERRIDES_FUNC"](bootstrap_data))
return bootstrap_data


def common_bootstrap_payload(user: User) -> dict[str, Any]:
def common_bootstrap_payload() -> dict[str, Any]:
return {
**cached_common_bootstrap_data(user, get_locale()),
**cached_common_bootstrap_data(utils.get_user_id(), get_locale()),
"flash_messages": get_flashed_messages(with_categories=True),
}

Expand Down Expand Up @@ -535,7 +537,7 @@ def show_unexpected_exception(ex: Exception) -> FlaskResponse:
def get_common_bootstrap_data() -> dict[str, Any]:
def serialize_bootstrap_data() -> str:
return json.dumps(
{"common": common_bootstrap_payload(g.user)},
{"common": common_bootstrap_payload()},
default=utils.pessimistic_json_iso_dttm_ser,
)

Expand All @@ -553,7 +555,7 @@ class SupersetModelView(ModelView):
def render_app_template(self) -> FlaskResponse:
payload = {
"user": bootstrap_user_data(g.user, include_perms=True),
"common": common_bootstrap_payload(g.user),
"common": common_bootstrap_payload(),
}
return self.render_template(
"superset/spa.html",
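Review bot: In the `@@ -380` hunk of superset/views/base.py, `user_id` in `cached_common_bootstrap_data` exists only to partition the memoize key while the body still reads the request-bound global (`"menu_data": menu_data(g.user)`), so the fix rests on an unstated invariant that the `user_id` a caller passes always belongs to the current `g.user`; that invariant should be written next to the `# pylint: disable=unused-argument`, e.g. `# user_id is part of the memoize key only (the body reads g.user); pass the id of the current request user, or the entry is cached under the wrong key and served to someone else.` The docstring should also state that anonymous requests share a single entry per locale, since `utils.get_user_id()` presumably yields None for them, which is only safe while anonymous menu_data depends on nothing beyond the anonymous role. Keying on an int rather than the `User` object is what removes the collision the commit title describes, assuming the memoize key was previously built from the user's string form. The docstring body and the rest of the function continue outside this hunk (the `@@ -417` hunk shows its tail).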
6 changes: 3 additions & 3 deletions superset/views/core.py
Expand Up @@ -604,7 +604,7 @@ def explore(
"force": force,
"user": bootstrap_user_data(g.user, include_perms=True),
"forced_height": request.args.get("height"),
"common": common_bootstrap_payload(g.user),
"common": common_bootstrap_payload(),
}
if slc:
title = slc.slice_name
Expand Down Expand Up @@ -862,7 +862,7 @@ def dashboard(
bootstrap_data=json.dumps(
{
"user": bootstrap_user_data(g.user, include_perms=True),
"common": common_bootstrap_payload(g.user),
"common": common_bootstrap_payload(),
},
default=utils.pessimistic_json_iso_dttm_ser,
),
Expand Down Expand Up @@ -953,7 +953,7 @@ def welcome(self) -> FlaskResponse:

payload = {
"user": bootstrap_user_data(g.user, include_perms=True),
"common": common_bootstrap_payload(g.user),
"common": common_bootstrap_payload(),
}

return self.render_template(
2 changes: 1 addition & 1 deletion superset/views/dashboard/views.py
Expand Up @@ -151,7 +151,7 @@ def embedded(
)

bootstrap_data = {
"common": common_bootstrap_payload(g.user),
"common": common_bootstrap_payload(),
"embedded": {"dashboard_id": dashboard_id_or_slug},
}

