aminghadersohi commented on code in PR #36933: URL: https://github.com/apache/superset/pull/36933#discussion_r2932173774
########## superset/embedded_chart/api.py: ########## @@ -0,0 +1,321 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +import logging +from datetime import datetime, timedelta, timezone +from typing import Any + +from flask import g, request, Response +from flask_appbuilder.api import expose, protect, safe + +from superset.commands.exceptions import CommandException +from superset.commands.explore.permalink.create import CreateExplorePermalinkCommand +from superset.daos.key_value import KeyValueDAO +from superset.embedded_chart.exceptions import ( + EmbeddedChartAccessDeniedError, + EmbeddedChartPermalinkNotFoundError, +) +from superset.explore.permalink.schemas import ExplorePermalinkSchema +from superset.extensions import event_logger, security_manager +from superset.key_value.exceptions import KeyValueParseKeyError +from superset.key_value.shared_entries import get_permalink_salt +from superset.key_value.types import ( + KeyValueResource, + MarshmallowKeyValueCodec, + SharedKey, +) +from superset.key_value.utils import decode_permalink_id +from superset.security.guest_token import ( + GuestTokenResource, + GuestTokenResourceType, + GuestTokenRlsRule, + GuestTokenUser, + GuestUser, +) +from superset.views.base_api import BaseSupersetApi, statsd_metrics + +logger = logging.getLogger(__name__) + + +class EmbeddedChartRestApi(BaseSupersetApi): + """REST API for embedded chart data retrieval.""" + + resource_name = "embedded_chart" + allow_browser_login = True + openapi_spec_tag = "Embedded Chart" + + def _validate_guest_token_access(self, permalink_key: str) -> bool: + """ + Validate that the guest token grants access to this permalink. + + Guest tokens contain a list of resources the user can access. + For embedded charts, we check that the permalink_key is in that list. + """ + user = g.user + if not isinstance(user, GuestUser): + return False + + for resource in user.resources: + if ( + resource.get("type") == GuestTokenResourceType.CHART_PERMALINK.value + and str(resource.get("id")) == permalink_key + ): + return True + return False + + def _get_permalink_value(self, permalink_key: str) -> dict[str, Any] | None: + """ + Get permalink value without access checks. + + For embedded charts, access is controlled via guest token validation, + so we skip the normal dataset/chart access checks. + """ + # Use the same salt, resource, and codec as the explore permalink command + salt = get_permalink_salt(SharedKey.EXPLORE_PERMALINK_SALT) + codec = MarshmallowKeyValueCodec(ExplorePermalinkSchema()) + key = decode_permalink_id(permalink_key, salt=salt) + return KeyValueDAO.get_value( + KeyValueResource.EXPLORE_PERMALINK, + key, + codec, + ) + + @expose("/<permalink_key>", methods=("GET",)) + @safe + @statsd_metrics + @event_logger.log_this_with_context( + action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.get", + log_to_statsd=False, + ) + def get(self, permalink_key: str) -> Response: + """Get chart form_data from permalink key. + --- + get: + summary: Get embedded chart configuration + description: >- + Retrieves the form_data for rendering an embedded chart. + This endpoint is used by the embedded chart iframe to load + the chart configuration. + parameters: + - in: path + schema: + type: string + name: permalink_key + description: The chart permalink key + required: true + responses: + 200: + description: Chart permalink state + content: + application/json: + schema: + type: object + properties: + state: + type: object + properties: + formData: + type: object + description: The chart configuration formData + allowedDomains: + type: array + items: + type: string + description: Domains allowed to embed this chart + 401: + $ref: '#/components/responses/401' + 404: + $ref: '#/components/responses/404' + 500: + $ref: '#/components/responses/500' + """ + try: + # Validate guest token grants access to this permalink + if not self._validate_guest_token_access(permalink_key): + raise EmbeddedChartAccessDeniedError() + + # Get permalink value without access checks (guest token already validated) + permalink_value = self._get_permalink_value(permalink_key) + if not permalink_value: + raise EmbeddedChartPermalinkNotFoundError() + + # Return state in the format expected by the frontend: + # { state: { formData: {...}, allowedDomains: [...] } } + state = permalink_value.get("state", {}) + + return self.response( + 200, + state=state, + ) + except EmbeddedChartAccessDeniedError: + return self.response_401() + except EmbeddedChartPermalinkNotFoundError: + return self.response_404() + except (ValueError, KeyError, KeyValueParseKeyError) as ex: + logger.warning("Error fetching embedded chart: %s", ex) + return self.response_500() + + @expose("/", methods=("POST",)) + @protect() + @safe + @statsd_metrics + @event_logger.log_this_with_context( + action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.post", + log_to_statsd=False, + ) + def post(self) -> Response: + """Create an embeddable chart with guest token. + --- + post: + summary: Create embeddable chart + description: >- + Creates an embeddable chart configuration with a guest token. + The returned iframe_url and guest_token can be used to embed + the chart in external applications. + requestBody: + required: true + content: + application/json: + schema: + type: object + required: + - form_data + properties: + form_data: + type: object + description: Chart form_data configuration + allowed_domains: + type: array + items: + type: string + description: Domains allowed to embed this chart + ttl_minutes: + type: integer + default: 60 + description: Time-to-live for the embed in minutes + responses: + 200: + description: Embeddable chart created + content: + application/json: + schema: + type: object + properties: + iframe_url: + type: string + description: URL to use in iframe src + guest_token: + type: string + description: Guest token for authentication + permalink_key: + type: string + description: Permalink key for the chart + expires_at: + type: string + format: date-time + description: When the embed expires + 400: + $ref: '#/components/responses/400' + 401: + $ref: '#/components/responses/401' + 500: + $ref: '#/components/responses/500' + """ + try: + body = request.json or {} + form_data = body.get("form_data", {}) + allowed_domains: list[str] = body.get("allowed_domains", []) + ttl_minutes: int = body.get("ttl_minutes", 60) + + if not form_data: + return self.response_400(message="form_data is required") Review Comment: The i18n pattern in this codebase is not consistently applied to API error messages. Looking at existing endpoints: - `superset/sqllab/api.py`: `response_400(message="client_id is required")` (no i18n) - `superset/databases/api.py`: `response_400(message="Unexpected Invalid file type")` (no i18n) - `superset/themes/api.py`: `response_400(message="Request body is required")` (no i18n) - `superset/cachekeys/api.py`: `response_400(message="Request is incorrect")` (no i18n) - `superset/views/users/api.py`: `response_400(message="At least one field must be provided.")` (no i18n) While `charts/data/api.py` does use `_("Request is not JSON")`, the majority of API error messages in the codebase use plain strings. These are developer/API-facing messages returned as JSON responses (not rendered in the UI), so i18n is generally less critical for them. Happy to add `_()` wrapping if there's a push to standardize this across the codebase, but the current code is consistent with the prevailing pattern. ########## superset/charts/api.py: ########## @@ -1184,3 +1196,253 @@ def import_(self) -> Response: ) command.run() return self.response(200, message="OK") + + @expose("/<id_or_uuid>/embedded", methods=("GET",)) + @protect() + @safe + @permission_name("read") + @statsd_metrics + @event_logger.log_this_with_context( + action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.get_embedded", + log_to_statsd=False, + ) + def get_embedded(self, id_or_uuid: str) -> Response: + """Get the chart's embedded configuration. + --- + get: + summary: Get the chart's embedded configuration + parameters: + - in: path + schema: + type: string + name: id_or_uuid + description: The chart id or uuid + responses: + 200: + description: Result contains the embedded chart config + content: + application/json: + schema: + type: object + properties: + result: + $ref: '#/components/schemas/EmbeddedChartResponseSchema' + 401: + $ref: '#/components/responses/401' + 404: + $ref: '#/components/responses/404' + 500: + $ref: '#/components/responses/500' + """ + try: + chart = ChartDAO.get_by_id_or_uuid(id_or_uuid) + except ChartNotFoundError: + return self.response_404() + + if not chart.embedded: + return self.response(404) + embedded: EmbeddedChart = chart.embedded[0] + result = self.embedded_response_schema.dump(embedded) + return self.response(200, result=result) + + @expose("/<id_or_uuid>/embedded", methods=["POST", "PUT"]) + @protect() + @safe + @permission_name("set_embedded") + @statsd_metrics + @event_logger.log_this_with_context( + action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.set_embedded", + log_to_statsd=False, + ) + def set_embedded(self, id_or_uuid: str) -> Response: + """Set a chart's embedded configuration. + --- + post: + summary: Set a chart's embedded configuration + parameters: + - in: path + schema: + type: string + name: id_or_uuid + description: The chart id or uuid + requestBody: + description: The embedded configuration to set + required: true + content: + application/json: + schema: EmbeddedChartConfigSchema + responses: + 200: + description: Successfully set the configuration + content: + application/json: + schema: + type: object + properties: + result: + $ref: '#/components/schemas/EmbeddedChartResponseSchema' + 401: + $ref: '#/components/responses/401' + 404: + $ref: '#/components/responses/404' + 500: + $ref: '#/components/responses/500' + put: + description: >- + Sets a chart's embedded configuration. + parameters: + - in: path + schema: + type: string + name: id_or_uuid + description: The chart id or uuid + requestBody: + description: The embedded configuration to set + required: true + content: + application/json: + schema: EmbeddedChartConfigSchema + responses: + 200: + description: Successfully set the configuration + content: + application/json: + schema: + type: object + properties: + result: + $ref: '#/components/schemas/EmbeddedChartResponseSchema' + 401: + $ref: '#/components/responses/401' + 404: + $ref: '#/components/responses/404' + 500: + $ref: '#/components/responses/500' + """ + try: + chart = ChartDAO.get_by_id_or_uuid(id_or_uuid) + except ChartNotFoundError: + return self.response_404() + + try: + body = self.embedded_config_schema.load(request.json) + + embedded = EmbeddedChartDAO.upsert( + chart, + body["allowed_domains"], + ) + db.session.commit() # pylint: disable=consider-using-transaction + + result = self.embedded_response_schema.dump(embedded) + return self.response(200, result=result) + except ValidationError as error: + db.session.rollback() # pylint: disable=consider-using-transaction + return self.response_400(message=error.messages) + + @expose("/<id_or_uuid>/embedded", methods=("DELETE",)) + @protect() + @safe + @permission_name("set_embedded") + @statsd_metrics + @event_logger.log_this_with_context( + action=lambda self, + *args, + **kwargs: f"{self.__class__.__name__}.delete_embedded", + log_to_statsd=False, + ) + def delete_embedded(self, id_or_uuid: str) -> Response: + """Delete a chart's embedded configuration. + --- + delete: + summary: Delete a chart's embedded configuration + parameters: + - in: path + schema: + type: string + name: id_or_uuid + description: The chart id or uuid + responses: + 200: + description: Successfully removed the configuration + content: + application/json: + schema: + type: object + properties: + message: + type: string + 401: + $ref: '#/components/responses/401' + 404: + $ref: '#/components/responses/404' + 500: + $ref: '#/components/responses/500' + """ + try: + chart = ChartDAO.get_by_id_or_uuid(id_or_uuid) + except ChartNotFoundError: + return self.response_404() + + DeleteEmbeddedChartCommand(chart).run() + return self.response(200, message="OK") + + @expose("/embedded", methods=("GET",)) + @protect() + @safe + @permission_name("read") + @statsd_metrics + @event_logger.log_this_with_context( + action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.list_embedded", + log_to_statsd=False, + ) + def list_embedded(self) -> Response: + """List all embedded chart configurations. + --- + get: + summary: List all embedded chart configurations + responses: + 200: + description: List of embedded charts + content: + application/json: + schema: + type: object + properties: + result: + type: array + items: + type: object + properties: + uuid: + type: string + chart_id: + type: integer + chart_name: + type: string + allowed_domains: + type: array + items: + type: string + changed_on: + type: string + 401: + $ref: '#/components/responses/401' + 500: + $ref: '#/components/responses/500' + """ + embedded_charts = ( + db.session.query(EmbeddedChart) + .join(Slice, EmbeddedChart.chart_id == Slice.id) + .all() + ) + result = [ + { + "uuid": str(ec.uuid), + "chart_id": ec.chart_id, + "chart_name": ec.chart.slice_name if ec.chart else None, + "allowed_domains": ec.allowed_domains, + "changed_on": ec.changed_on.isoformat() if ec.changed_on else None, + } + for ec in embedded_charts + ] Review Comment: The `list_embedded` endpoint does apply a user permission filter. Looking at lines 1433-1438: ```python # Filter to only charts the current user owns or has access to embedded_charts = ( db.session.query(EmbeddedChart) .join(Slice, EmbeddedChart.chart_id == Slice.id) .filter(Slice.created_by_fk == g.user.get_id()) .all() ) ``` The query joins `EmbeddedChart` with `Slice` (the chart model) and filters by `Slice.created_by_fk == g.user.get_id()`, so users only see embedded configurations for charts they created. Additionally, the endpoint has `@protect()` and `@permission_name("read")` decorators (lines 1390-1392), which enforce FAB RBAC permissions before the handler even executes. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
