john-bodley commented on code in PR #24350:
URL: https://github.com/apache/superset/pull/24350#discussion_r1225587171
##########
superset/views/core.py:
##########
@@ -1641,76 +1639,57 @@ def favstar( # pylint: disable=no-self-use
@has_access
@expose("/dashboard/<dashboard_id_or_slug>/")
@event_logger.log_this_with_extra_payload
- @check_dashboard_access(
- on_error=lambda msg: redirect_with_flash(DASHBOARD_LIST_URL, msg,
"danger")
- )
def dashboard(
self,
- dashboard_id_or_slug: str, # pylint: disable=unused-argument
+ dashboard_id_or_slug: str,
add_extra_log_payload: Callable[..., None] = lambda **kwargs: None,
- dashboard: Dashboard | None = None,
) -> FlaskResponse:
"""
- Server side rendering for a dashboard
- :param dashboard_id_or_slug: identifier for dashboard. used in the
decorators
+ Server side rendering for a dashboard.
+
+ :param dashboard_id_or_slug: identifier for dashboard
:param add_extra_log_payload: added by `log_this_with_manual_updates`,
set a
default value to appease pylint
- :param dashboard: added by `check_dashboard_access`
"""
+
+ dashboard = Dashboard.get(dashboard_id_or_slug)
Review Comment:
This is concerning that this is different than the DAO
[here](https://github.com/apache/superset/blob/0e3f1f638c06de11668c37329ca7141fd1159293/superset/dashboards/dao.py#L45-L68)
and that the DAO logic differs whether you pass in a UUID versus a slug/ID,
i.e., it seems like a security loophole.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For additional commands, e-mail: notifications-h...@superset.apache.org
