codeant-ai-for-open-source[bot] commented on code in PR #40443:
URL: https://github.com/apache/superset/pull/40443#discussion_r3326069778


##########
superset/extensions/api.py:
##########
@@ -167,6 +170,53 @@ def get(self, publisher: str, name: str, **kwargs: Any) -> 
Response:
         extension_data = build_extension_data(extension)
         return self.response(200, result=extension_data)
 
+    @protect()
+    @safe
+    @expose("/settings", methods=("GET",))
+    def get_settings(self, **kwargs: Any) -> Response:
+        """Get global extension admin settings.
+        ---
+        get:
+          summary: Get extension admin settings (active chatbot, enabled 
flags).
+          responses:
+            200:
+              description: Extension settings
+        """
+        return self.response(200, result=GetExtensionSettingsCommand().run())
+
+    @protect()
+    @safe
+    @expose("/settings", methods=("PUT",))
+    def put_settings(self, **kwargs: Any) -> Response:
+        """Update global extension admin settings.
+        ---
+        put:
+          summary: Update extension admin settings.
+          requestBody:
+            content:
+              application/json:
+                schema:
+                  type: object
+                  properties:
+                    active_chatbot_id:
+                      type: string
+                      nullable: true
+                    enabled:
+                      type: object
+                      additionalProperties:
+                        type: boolean
+          responses:
+            200:
+              description: Updated settings
+            403:
+              $ref: '#/components/responses/403'
+        """
+        if not security_manager.is_admin():
+            return self.response(403, message="Admin access required.")
+        body = request.get_json(silent=True) or {}
+        result = UpdateExtensionSettingsCommand(body).run()
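Review bot: `body = request.get_json(silent=True) or {}` passes any JSON type straight into `UpdateExtensionSettingsCommand`, and nothing in this hunk checks the `enabled` values against the `additionalProperties: type: boolean` the docstring advertises; the `or {}` also means falsy payloads such as `[]` or `""` are silently treated as an empty update instead of being rejected. Validate the body against a marshmallow schema matching the documented `active_chatbot_id` / `enabled` properties (or at minimum `isinstance(body, dict)`) and return 400 with the errors before constructing the command, so the OpenAPI spec and the accepted input stay in sync. The 403 branch returns `self.response(403, message=...)` while the docstring references `#/components/responses/403`; `self.response_403()` keeps the actual payload consistent with that component.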

Review Comment:
   **Suggestion:** `put_settings` forwards whatever JSON value is parsed directly into `UpdateExtensionSettingsCommand`, but that command assumes a mapping and calls `.get(...)` on it. If a client sends a valid non-object payload (for example `[]`), this path raises an `AttributeError` and returns a 500. Enforce that the parsed body is a dict (object) before invoking the command, and return a 400 for other JSON types. [api mismatch]
   
   <details>
   <summary><b>Severity Level:</b> Major ⚠️</summary>
   
   ```mdx
   - ❌ Admin extension settings update endpoint can crash on bad JSON.
   - ⚠️ Unvalidated payload types cause unexpected server errors.
   ```
   </details>
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. Enable the `ENABLE_EXTENSIONS` feature flag so `ExtensionsRestApi` is registered, as shown in `superset/initialization/__init__.py:16-19` where `appbuilder.add_api(ExtensionsRestApi)` is called when the flag is on.
   
   2. Start Superset, authenticate as an admin user, and issue an HTTP `PUT` request to `/api/v1/extensions/settings` (resource name `extensions` from `superset/extensions/api.py:36` and `@expose("/settings", methods=("PUT",))` at line 189) with header `Content-Type: application/json`.
   
   3. Use a valid non-object JSON payload such as the JSON string `"foo"` as the request body; in `ExtensionsRestApi.put_settings` at `superset/extensions/api.py:214-218`, `security_manager.is_admin()` passes and line 216 executes `body = request.get_json(silent=True) or {}`, which assigns the Python string `"foo"` to `body`.
   
   4. The same method constructs `UpdateExtensionSettingsCommand(body)` at line 217; in `superset/commands/extension/settings/update.py:42` the constructor stores `self._body = body`, and `run()` at line 48 later executes `enabled = self._body.get("enabled")` (line ~56) on a string, raising an `AttributeError('str' object has no attribute 'get')` and causing the `/api/v1/extensions/settings` update request to fail with a server error instead of a clean 4xx.
   ```
   </details>
   
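The mismatch the comment describes, as a self-contained Python illustration added here (not code from the PR or from Superset): `naive_update` is a constructed stand-in for the command's `.get()`-based access, and `handle_put_settings` plays the role of the view, showing the unvalidated path beside one that checks the body against the schema the docstring declares. It also covers a case the comment does not mention: a falsy non-object body such as `[]` is silently coerced to `{}` by the `or {}`.

```python
import json
from typing import Any


def naive_update(body: Any) -> dict[str, Any]:
    """Constructed stand-in for the command in the hunk: it assumes a
    mapping and calls .get() on it, so a str or list body raises."""
    enabled = body.get("enabled") or {}
    return {"active_chatbot_id": body.get("active_chatbot_id"), "enabled": enabled}


def validate_settings_body(body: Any) -> list[str]:
    """Check a decoded PUT /settings body against the schema declared in the
    docstring: active_chatbot_id (string, nullable) and enabled (object of
    booleans). Returns a list of errors; empty means valid."""
    if not isinstance(body, dict):
        return [f"body must be a JSON object, got {type(body).__name__}"]
    errors = [f"unknown field: {k}" for k in body if k not in {"active_chatbot_id", "enabled"}]
    chatbot = body.get("active_chatbot_id")
    if chatbot is not None and not isinstance(chatbot, str):
        errors.append("active_chatbot_id must be a string or null")
    enabled = body.get("enabled", {})
    if not isinstance(enabled, dict):
        errors.append("enabled must be an object")
    else:
        # isinstance(v, bool) rejects 1/0 and "true"; only real booleans pass
        errors += [f"enabled[{k!r}] must be a boolean" for k, v in enabled.items() if not isinstance(v, bool)]
    return errors


def handle_put_settings(raw_body: str, is_admin: bool, hardened: bool = True) -> tuple[int, dict[str, Any]]:
    """Simulates put_settings: returns (status, payload). hardened=False
    reproduces the path in the hunk, hardened=True adds the type check."""
    if not is_admin:
        return 403, {"message": "Admin access required."}
    try:
        body = json.loads(raw_body)
    except ValueError:
        body = None  # request.get_json(silent=True) yields None on invalid JSON
    # Mirrors `request.get_json(silent=True) or {}`: falsy payloads such as
    # [] or "" are silently coerced to {} rather than rejected.
    body = body or {}
    if hardened:
        errors = validate_settings_body(body)
        if errors:
            return 400, {"message": errors}
    try:
        return 200, {"result": naive_update(body)}
    except AttributeError as exc:  # what the unvalidated path turns into a 500
        return 500, {"message": str(exc)}
```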



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
