Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: disallow users from viewing other user's profile on config #21302

Conversation

dpgaspar
Copy link
Member

@dpgaspar dpgaspar commented Sep 1, 2022

SUMMARY

Allowing users to access each others profiles is not ideal and can give unwanted access to lightly sensitive (private) data, that option is not ideal to every company, but can be perfectly fine for others.

ENABLE_BROAD_ACTIVITY_ACCESS is a config option that is already in-place and restricts access for a user to access other user's activity access. That data is shown on the profile page.

This PR leverages the same config key to enable/disable links and access to profiles from dashboards and charts.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

With ENABLE_BROAD_ACTIVITY_ACCESS = True (default) nothing changes

Screenshot 2022-09-02 at 14 13 11

Screenshot 2022-09-02 at 14 14 26

With ENABLE_BROAD_ACTIVITY_ACCESS = False

Screenshot 2022-09-02 at 14 17 05

Screenshot 2022-09-02 at 14 17 27

Trying to access other user's profile, by changing the URL directly:
Screenshot 2022-09-02 at 14 19 07

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@codecov
Copy link

codecov bot commented Sep 1, 2022

Codecov Report

Merging #21302 (8b1bd5a) into master (ad34f9d) will increase coverage by 0.05%.
The diff coverage is 73.20%.

❗ Current head 8b1bd5a differs from pull request most recent head 9c8d88a. Consider uploading reports for the commit 9c8d88a to get more accurate results

@@            Coverage Diff             @@
##           master   #21302      +/-   ##
==========================================
+ Coverage   66.44%   66.50%   +0.05%     
==========================================
  Files        1784     1789       +5     
  Lines       68237    68381     +144     
  Branches     7263     7279      +16     
==========================================
+ Hits        45342    45474     +132     
+ Misses      21026    21020       -6     
- Partials     1869     1887      +18     
Flag Coverage Δ
hive 52.94% <46.35%> (-0.05%) ⬇️
mysql 80.82% <75.49%> (+<0.01%) ⬆️
postgres 80.87% <75.49%> (+<0.01%) ⬆️
presto 52.84% <46.35%> (-0.05%) ⬇️
python 81.33% <75.49%> (-0.02%) ⬇️
sqlite 79.42% <75.49%> (-0.01%) ⬇️
unit ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...cy-preset-chart-nvd3/src/TimePivot/controlPanel.ts 50.00% <ø> (ø)
...hart-echarts/src/MixedTimeseries/transformProps.ts 0.00% <0.00%> (ø)
superset-frontend/src/SqlLab/App.jsx 0.00% <0.00%> (ø)
...d/src/SqlLab/components/TabbedSqlEditors/index.jsx 54.23% <0.00%> (-0.94%) ⬇️
...ntend/src/SqlLab/components/TableElement/index.tsx 72.30% <ø> (ø)
...tend/src/dashboard/components/AnchorLink/index.tsx 81.25% <ø> (ø)
superset-frontend/src/utils/localStorageHelpers.ts 90.00% <ø> (ø)
superset-frontend/src/views/App.tsx 0.00% <0.00%> (ø)
...aseModal/DatabaseConnectionForm/EncryptedField.tsx 10.00% <ø> (ø)
...c/views/CRUD/data/database/DatabaseModal/styles.ts 76.69% <ø> (ø)
... and 58 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

}: any) =>
enableBroadUserAccess ? (
<a href={changedByUrl}>
{lastSavedBy?.first_name
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A minor enhancement, but since this is the same as the one below, can you please put it in a separate constant and just reference it in both places

@@ -1335,6 +1335,7 @@ def EMAIL_HEADER_MUTATOR( # pylint: disable=invalid-name,unused-argument
MENU_HIDE_USER_INFO = False

# Set to False to only allow viewing own recent activity
# or to disallow users from viewing other users profile page
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the code we are just removing the links to the profiles. Is there anything else that is actually blocking the user to visit a profile?

Copy link
Member Author

@dpgaspar dpgaspar Sep 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, on the backend change, the call to get_user_activity_access_error will assert if ENABLE_BROAD_ACTIVITY_ACCESS is True or not, if it's False and the user_id is not equal to the current user, the response will be 403 with an error msg. Following same pattern already in-place on other endpoints on /superset.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok thanks for adding that

Copy link
Member

@geido geido left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Copy link
Member

@villebro villebro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a miniscule nit

@@ -213,14 +215,19 @@ function ChartList(props: ChartListProps) {
const canExport =
hasPerm('can_export') && isFeatureEnabled(FeatureFlag.VERSIONED_EXPORT);
const initialSort = [{ id: 'changed_on_delta_humanized', desc: true }];

const enableBroadUserAccess =
bootstrapData?.common?.conf?.ENABLE_BROAD_ACTIVITY_ACCESS || false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably better safe than sorry, but in a similar context on the backend we always do config["ENABLE_BROAD_ACTIVITY_ACCESS"] instead of ``config.get("ENABLE_BROAD_ACTIVITY_ACCESS")`, since we assume the variable should always be defined. So maybe we could get by with

Suggested change
bootstrapData?.common?.conf?.ENABLE_BROAD_ACTIVITY_ACCESS || false;
bootstrapData?.common?.conf?.ENABLE_BROAD_ACTIVITY_ACCESS;

(arguably that whole bootstrapData object with all nested fields should also be fully available)

@@ -132,6 +133,8 @@ function DashboardList(props: DashboardListProps) {
const [importingDashboard, showImportModal] = useState<boolean>(false);
const [passwordFields, setPasswordFields] = useState<string[]>([]);
const [preparingExport, setPreparingExport] = useState<boolean>(false);
const enableBroadUserAccess =
bootstrapData?.common?.conf?.ENABLE_BROAD_ACTIVITY_ACCESS || false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/M v2.0 🍒 1.5.2 🍒 1.5.3 🍒 2.0.1 🚢 2.1.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants