chore: Remove unnecessary information from response (#24056)

apache · Jun 6, 2023 · 12bcc5b · 12bcc5b
1 parent 0a48ffb
commit 12bcc5b
Show file tree

Hide file tree

Showing 16 changed files with 404 additions and 24 deletions.
diff --git a/superset/charts/api.py b/superset/charts/api.py
@@ -129,7 +129,6 @@ def ensure_thumbnails_enabled(self) -> Optional[Response]:
         "owners.first_name",
         "owners.id",
         "owners.last_name",
-        "owners.username",
         "dashboards.id",
         "dashboards.dashboard_title",
         "params",
@@ -171,7 +170,6 @@ def ensure_thumbnails_enabled(self) -> Optional[Response]:
         "owners.first_name",
         "owners.id",
         "owners.last_name",
-        "owners.username",
         "dashboards.id",
         "dashboards.dashboard_title",
         "params",

diff --git a/superset/connectors/sqla/models.py b/superset/connectors/sqla/models.py
@@ -44,7 +44,7 @@
 import pandas as pd
 import sqlalchemy as sa
 import sqlparse
-from flask import escape, Markup
+from flask import current_app, escape, Markup
 from flask_appbuilder import Model
 from flask_babel import lazy_gettext as _
 from jinja2.exceptions import TemplateError
@@ -655,7 +655,10 @@ def changed_by_name(self) -> str:
 
     @property
     def changed_by_url(self) -> str:
-        if not self.changed_by:
+        if (
+            not self.changed_by
+            or not current_app.config["ENABLE_BROAD_ACTIVITY_ACCESS"]
+        ):
             return ""
         return f"/superset/profile/{self.changed_by.username}"
 

diff --git a/superset/dashboards/api.py b/superset/dashboards/api.py
@@ -167,7 +167,6 @@ def ensure_thumbnails_enabled(self) -> Optional[Response]:
         "certification_details",
         "changed_by.first_name",
         "changed_by.last_name",
-        "changed_by.username",
         "changed_by.id",
         "changed_by_name",
         "changed_by_url",
@@ -179,10 +178,8 @@ def ensure_thumbnails_enabled(self) -> Optional[Response]:
         "created_by.last_name",
         "dashboard_title",
         "owners.id",
-        "owners.username",
         "owners.first_name",
         "owners.last_name",
-        "owners.email",
         "roles.id",
         "roles.name",
         "is_managed_externally",

diff --git a/superset/dashboards/schemas.py b/superset/dashboards/schemas.py
@@ -163,10 +163,10 @@ class DashboardGetResponseSchema(Schema):
     certification_details = fields.String(description=certification_details_description)
     changed_by_name = fields.String()
     changed_by_url = fields.String()
-    changed_by = fields.Nested(UserSchema)
+    changed_by = fields.Nested(UserSchema(exclude=(["username"])))
     changed_on = fields.DateTime()
     charts = fields.List(fields.String(description=charts_description))
-    owners = fields.List(fields.Nested(UserSchema))
+    owners = fields.List(fields.Nested(UserSchema(exclude=(["username"]))))
     roles = fields.List(fields.Nested(RolesSchema))
     changed_on_humanized = fields.String(data_key="changed_on_delta_humanized")
     is_managed_externally = fields.Boolean(allow_none=True, default=False)

diff --git a/superset/datasets/api.py b/superset/datasets/api.py
@@ -103,7 +103,7 @@ class DatasetRestApi(BaseSupersetModelRestApi):
         "changed_by_name",
         "changed_by_url",
         "changed_by.first_name",
-        "changed_by.username",
+        "changed_by.last_name",
         "changed_on_utc",
         "changed_on_delta_humanized",
         "default_endpoint",
@@ -113,7 +113,6 @@ class DatasetRestApi(BaseSupersetModelRestApi):
         "extra",
         "kind",
         "owners.id",
-        "owners.username",
         "owners.first_name",
         "owners.last_name",
         "schema",
@@ -146,7 +145,6 @@ class DatasetRestApi(BaseSupersetModelRestApi):
         "template_params",
         "select_star",
         "owners.id",
-        "owners.username",
         "owners.first_name",
         "owners.last_name",
         "columns.advanced_data_type",

diff --git a/superset/models/dashboard.py b/superset/models/dashboard.py
@@ -23,6 +23,7 @@
 from typing import Any, Callable, Dict, List, Optional, Set, Tuple, Type, Union
 
 import sqlalchemy as sqla
+from flask import current_app
 from flask_appbuilder import Model
 from flask_appbuilder.models.decorators import renders
 from flask_appbuilder.security.sqla.models import User
@@ -264,7 +265,10 @@ def changed_by_name(self) -> str:
 
     @property
     def changed_by_url(self) -> str:
-        if not self.changed_by:
+        if (
+            not self.changed_by
+            or not current_app.config["ENABLE_BROAD_ACTIVITY_ACCESS"]
+        ):
             return ""
         return f"/superset/profile/{self.changed_by.username}"
 

diff --git a/superset/models/filter_set.py b/superset/models/filter_set.py
@@ -20,6 +20,7 @@
 import logging
 from typing import Any, Dict
 
+from flask import current_app
 from flask_appbuilder import Model
 from sqlalchemy import Column, ForeignKey, Integer, MetaData, String, Text
 from sqlalchemy.orm import relationship
@@ -67,7 +68,10 @@ def changed_by_name(self) -> str:
 
     @property
     def changed_by_url(self) -> str:
-        if not self.changed_by:
+        if (
+            not self.changed_by
+            or not current_app.config["ENABLE_BROAD_ACTIVITY_ACCESS"]
+        ):
             return ""
         return f"/superset/profile/{self.changed_by.username}"
 

diff --git a/superset/models/slice.py b/superset/models/slice.py
@@ -22,6 +22,7 @@
 from urllib import parse
 
 import sqlalchemy as sqla
+from flask import current_app
 from flask_appbuilder import Model
 from flask_appbuilder.models.decorators import renders
 from markupsafe import escape, Markup
@@ -326,7 +327,12 @@ def slice_link(self) -> Markup:
 
     @property
     def changed_by_url(self) -> str:
-        return f"/superset/profile/{self.changed_by.username}"  # type: ignore
+        if (
+            not self.changed_by
+            or not current_app.config["ENABLE_BROAD_ACTIVITY_ACCESS"]
+        ):
+            return ""
+        return f"/superset/profile/{self.changed_by.username}"
 
     @property
     def icons(self) -> str:

diff --git a/superset/queries/api.py b/superset/queries/api.py
@@ -82,7 +82,6 @@ class QueryRestApi(BaseSupersetModelRestApi):
         "user.first_name",
         "user.id",
         "user.last_name",
-        "user.username",
         "start_time",
         "end_time",
         "tmp_table_name",

diff --git a/superset/queries/schemas.py b/superset/queries/schemas.py
@@ -65,7 +65,7 @@ class QuerySchema(Schema):
     tab_name = fields.String()
     tmp_table_name = fields.String()
     tracking_url = fields.String()
-    user = fields.Nested(UserSchema)
+    user = fields.Nested(UserSchema(exclude=["username"]))
 
     class Meta:  # pylint: disable=too-few-public-methods
         model = Query

diff --git a/superset/tags/schemas.py b/superset/tags/schemas.py
@@ -0,0 +1,59 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from marshmallow import fields, Schema
+
+from superset.dashboards.schemas import UserSchema
+
+delete_tags_schema = {"type": "array", "items": {"type": "string"}}
+
+object_type_description = "A title for the tag."
+
+openapi_spec_methods_override = {
+    "get": {"get": {"description": "Get a tag detail information."}},
+    "get_list": {
+        "get": {
+            "description": "Get a list of tags, use Rison or JSON query "
+            "parameters for filtering, sorting, pagination and "
+            " for selecting specific columns and metadata.",
+        }
+    },
+    "info": {
+        "get": {
+            "description": "Several metadata information about tag API " "endpoints.",
+        }
+    },
+}
+
+
+class TaggedObjectEntityResponseSchema(Schema):
+    id = fields.Int()
+    type = fields.String()
+    name = fields.String()
+    url = fields.String()
+    changed_on = fields.DateTime()
+    created_by = fields.Nested(UserSchema(exclude=["username"]))
+    creator = fields.String()
+
+
+class TagGetResponseSchema(Schema):
+    id = fields.Int()
+    name = fields.String()
+    type = fields.String()
+
+
+class TagPostSchema(Schema):
+    tags = fields.List(fields.String())
diff --git a/tests/integration_tests/charts/api_tests.py b/tests/integration_tests/charts/api_tests.py
@@ -605,6 +605,114 @@ def test_update_chart(self):
         db.session.delete(model)
         db.session.commit()
 
+    @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
+    def test_chart_activity_access_disabled(self):
+        """
+        Chart API: Test ENABLE_BROAD_ACTIVITY_ACCESS = False
+        """
+        access_flag = app.config["ENABLE_BROAD_ACTIVITY_ACCESS"]
+        app.config["ENABLE_BROAD_ACTIVITY_ACCESS"] = False
+        admin = self.get_user("admin")
+        birth_names_table_id = SupersetTestCase.get_table(name="birth_names").id
+        chart_id = self.insert_chart("title", [admin.id], birth_names_table_id).id
+        chart_data = {
+            "slice_name": (new_name := "title1_changed"),
+        }
+        self.login(username="admin")
+        uri = f"api/v1/chart/{chart_id}"
+        rv = self.put_assert_metric(uri, chart_data, "put")
+        self.assertEqual(rv.status_code, 200)
+        model = db.session.query(Slice).get(chart_id)
+
+        self.assertEqual(model.slice_name, new_name)
+        self.assertEqual(model.changed_by_url, "")
+
+        app.config["ENABLE_BROAD_ACTIVITY_ACCESS"] = access_flag
+        db.session.delete(model)
+        db.session.commit()
+
+    @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
+    def test_chart_activity_access_enabled(self):
+        """
+        Chart API: Test ENABLE_BROAD_ACTIVITY_ACCESS = True
+        """
+        access_flag = app.config["ENABLE_BROAD_ACTIVITY_ACCESS"]
+        app.config["ENABLE_BROAD_ACTIVITY_ACCESS"] = True
+        admin = self.get_user("admin")
+        birth_names_table_id = SupersetTestCase.get_table(name="birth_names").id
+        chart_id = self.insert_chart("title", [admin.id], birth_names_table_id).id
+        chart_data = {
+            "slice_name": (new_name := "title1_changed"),
+        }
+        self.login(username="admin")
+        uri = f"api/v1/chart/{chart_id}"
+        rv = self.put_assert_metric(uri, chart_data, "put")
+        self.assertEqual(rv.status_code, 200)
+        model = db.session.query(Slice).get(chart_id)
+
+        self.assertEqual(model.slice_name, new_name)
+        self.assertEqual(model.changed_by_url, "/superset/profile/admin")
+
+        app.config["ENABLE_BROAD_ACTIVITY_ACCESS"] = access_flag
+        db.session.delete(model)
+        db.session.commit()
+
+    @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
+    def test_chart_get_list_no_username(self):
+        """
+        Chart API: Tests that no username is returned
+        """
+        admin = self.get_user("admin")
+        birth_names_table_id = SupersetTestCase.get_table(name="birth_names").id
+        chart_id = self.insert_chart("title", [admin.id], birth_names_table_id).id
+        chart_data = {
+            "slice_name": (new_name := "title1_changed"),
+            "owners": [admin.id],
+        }
+        self.login(username="admin")
+        uri = f"api/v1/chart/{chart_id}"
+        rv = self.put_assert_metric(uri, chart_data, "put")
+        self.assertEqual(rv.status_code, 200)
+        model = db.session.query(Slice).get(chart_id)
+
+        response = self.get_assert_metric("api/v1/chart/", "get_list")
+        res = json.loads(response.data.decode("utf-8"))["result"]
+
+        current_chart = [d for d in res if d["id"] == chart_id][0]
+        self.assertEqual(current_chart["slice_name"], new_name)
+        self.assertNotIn("username", current_chart["changed_by"].keys())
+        self.assertNotIn("username", current_chart["owners"][0].keys())
+
+        db.session.delete(model)
+        db.session.commit()
+
+    @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
+    def test_chart_get_no_username(self):
+        """
+        Chart API: Tests that no username is returned
+        """
+        admin = self.get_user("admin")
+        birth_names_table_id = SupersetTestCase.get_table(name="birth_names").id
+        chart_id = self.insert_chart("title", [admin.id], birth_names_table_id).id
+        chart_data = {
+            "slice_name": (new_name := "title1_changed"),
+            "owners": [admin.id],
+        }
+        self.login(username="admin")
+        uri = f"api/v1/chart/{chart_id}"
+        rv = self.put_assert_metric(uri, chart_data, "put")
+        self.assertEqual(rv.status_code, 200)
+        model = db.session.query(Slice).get(chart_id)
+
+        response = self.get_assert_metric(uri, "get")
+        res = json.loads(response.data.decode("utf-8"))["result"]
+
+        self.assertEqual(res["slice_name"], new_name)
+        self.assertNotIn("username", res["owners"][0].keys())
+
+        db.session.delete(model)
+        db.session.commit()
+
     def test_update_chart_new_owner_not_admin(self):
         """
         Chart API: Test update set new owner implicitly adds logged in owner
@@ -823,7 +931,6 @@ def test_get_chart(self):
             "owners": [
                 {
                     "id": 1,
-                    "username": "admin",
                     "first_name": "admin",
                     "last_name": "user",
                 }