* return message explaining unsafe sharing
* use backend-generated message for public dashboards
* use backend-generated message for embeds
* Update redash/handlers/query_results.py
Co-Authored-By: Arik Fraimovich <arik@arikfr.com>
* refactor simple (non-interpolated) query result handler error messages to a single location
* use error_messages to test out unsafe error messages (along with a couple of others)
* Update redash/handlers/query_results.py
Co-Authored-By: Ran Byron <ranbena@gmail.com>
* change has_access and require_access signatures to work with the objects that require access, instead of their groups
* use the textless endpoint (/api/queries/:id/results) for pristine queries
* Revert "use the textless endpoint (/api/queries/:id/results) for pristine"
This reverts commit cd2cee77385ecf79efd2f1aa21fab0dd43943264.
* go to textless /api/queries/:id/results by default
* change `run_query`'s signature to accept a ParameterizedQuery instead of constructing it inside
* raise HTTP 400 when receiving invalid parameter values. Fixes #3394
* enqueue jobs for ApiUsers
* rename `id` to `user_id`
* support executing queries using Query api_keys by instantiating an ApiUser that would be able to execute the specific query
* show deprecation messages for ALLOW_PARAMETERS_IN_EMBEDS. Also, move other message (email not verified) to use the same mechanism
* add link to forum message regarding embed deprecation
* change API to /api/queries/:id/dropdowns/:dropdown_id
* split to 2 different dropdown endpoints and implement the second
* add test cases for /api/queries/:id/dropdowns/:id
* use new /dropdowns endpoint in frontend
* first e2e test for sharing embeds
* Pleasing the CodeClimate overlords
* All glory to CodeClimate
* remove residues from bad rebase
* add query id and data source id to serialized public dashboards
* add global parameters directive to public dashboards page
* allow access to a query by the api_key of the dashboard which includes it
* rename `object` to `obj`
* simplify permission tests once `has_access` accepts groups
* support global parameters for public dashboards
* no need to log `is_api_key`
* send parameters to public dashboard page
* disable sharing if dashboard is associated with unsafe queries
* remove cypress test added in the wrong place due to a faulty rebase
* add support for clicking buttons in cy.clickThrough
* Cypress test which verifies that dashboards with safe queries can be shared
* Cypress test which verifies that dashboards with unsafe queries can't be shared
* remove duplicate tests
* use this.enabled and negate when needed
* remove stale comment
* add another Cypress test to verify that unauthenticated users have access to public dashboards with parameters
* obviously, I commit 'only' the first time I use it
* search for query access by query id and not api_key
* no need to fetch latest query data as it is loaded by frontend from the textless endpoint
* test that queries associated with dashboards are accessible when supplying the dashboard api_key
* propagate `isDirty` down to `QueryBasedParameterInput`
* go to /api/:id/dropdown while editing a query, since dropdown queries might still not be associated with the parent. see #3711
* show helpful error message if dropdown values cannot be fetched
* use backticks instead of line concatenation
* remove requirement to have direct access to dropdown query in order to validate it. parent query association checks are sufficient
* remove isDirty-based implementation and allow dropdown queries through nested ACL even if they aren't associated yet (given that the user has _direct_ access to the dropdown query)
* fix tests to cover all cases for /api/queries/:id/dropdowns/:id
* fix indentation
* require access to the query, not the data source
* resolve dashboard user by query id
* apply new copy to Cypress tests
* if only something would have prevented me from committing an 'only' call 🤔
* very important handling of whitespace
* respond to parameter's Apply button
* text widgets are safe for sharing
* remove redundant event
* add a safety check that object has dashboard_api_keys before calling it
* supply a parameter value for text parameters to have it show up
* add parameter values for date and datetime
* use the current year and month to avoid pagination
* use Cypress.moment() instead of preinstalled moment()
* explicitly create parameters
* refresh query data if a querystring parameter is provided
* avoid sending a data_source_id - it's only relevant to unsaved queries, since a saved query's data_source is available in the backend
* remove empty query text workaround
* provide default value to parameter
* add a few more dashboard sharing specs
* lint
* wait for DynamicTable to appear to reveal that actual results are displaying
* override error message for unsafely shared widgets
* Allow calling query results endpoint without parameters.
* Fix: allow serializing empty or bad dates
* Revert "Fix: allow serializing empty or bad dates"
This reverts commit cc49319d9ef5b09744264d8e3eb6c173c87f5a20.
* use require_access instead of has_access
* support querystring params
* extract coercing of numbers to function, along with a friendlier implementation
* wire embeds to textless endpoint
* allow users with view_only permissions to execute queries on the textless endpoint, as it only allows safe queries to run
* add parameters component for embeds
* include existing parameters in embed code
* fetch correct values for json requests
* remove previous embed parameter code
* bring back ALLOW_PARAMETERS_IN_EMBEDS (with link on deprecation coming up)
* add link to forum message on setting deprecation
* rephrase deprecation message
* split has_access between normal users and ApiKey users
* allow access to safe queries via api keys
* support both objects and group dicts in `has_access` and `require_access`
* fix bad rebase
* send embed parameters through POST data
* move query fetching by api_key to within the Query model
* fetch user by adding a get_by_id function on the User model
* pass parameters as POST data (fixes test failure introduced by switching from query string parameters to POST data)
* test the right thing - queries with safe parameters should be embeddable
* introduce cy.clickThrough
* add another Cypress test to make sure unsafe queries cannot be embedded
* serialize Parameters into query string
* set is_api_key as the last parameter to (hopefully) avoid backward-dependency problems
* Update redash/models/parameterized_query.py
Co-Authored-By: rauchy <omer@rauchy.net>
* attempt to fix empty percy snapshots
* snap percies after DOM is fully loaded
* extract property
* make access control optional for dropdowns (assuming it is verified at a different level)
* require access to dropdown queries when creating or updating parent queries
* rename Query resource dropdown endpoints
* check access to dropdown query associations in one fugly query
* move ParameterizedQuery to models folder
* add dropdown association tests to query creation
* move group by query ids query into models.Query
* use bound parameters for groups query
* format groups query
* use new associatedDropdowns endpoint in dashboards
* pass down parameter and let it return dropdown options. Go Levko!
* add comment to clarify the purpose of checking the queryId
* reverse conditional. not not is making me the headaches.
* add ParameterizedQuery#is_safe with an initial naive implementation which treats any query with a text parameter as not safe. This will be remedied later when DB drivers will handle these parameters.
* allow getting new query results even if user has only view permissions to the data source (given that the query is safe)
* fix lint error - getDerivedStateFromProps should be placed after state
* move execution preparation to a different function, which will be soon reused
* let the query view decide if text or textless endpoint is needed
* allow safe queries to be executed in the UI even if the user has no permission to execute and create new query results
* use dict#get instead of a None guard
* use ParameterizedQuery in queries handler as well
* test that /queries/:id/results allows execution of safe queries even if user has view_only permissions
* lint
* remove unused methods
* avoid cyclic imports by importing only when needed
* verify that a ParameterizedQuery without any parameters is considered safe
* introduce query.parameter_schema
* encapsulate ParameterizedQuery creation inside Query
* stop testing `collect_query_parameters`, it's an implementation detail
* add tests for `missing_query_params`
* rename SQLQuery -> ParameterizedSqlQuery
* rename sql_query.py to parameterized_query.py
* split to parameterized queries and parameterized SQL queries, where parameterized queries only do templating and parameterized SQL queries add tree validation on top of it
* move missing parameter detection to ParameterizedQuery
* get rid of some old code
* fix tests
* set syntax to `custom`
* revert the max-age-related refactoring
* 👋 tree validations 😢
* BaseQueryRunner is no longer a factory for ParameterizedQuery, for now
* add an endpoint for running a query by its id and (optional) parameters without having to provide the query text
* adds parameter schema to ParameterizedQuery
* adds parameter schema validation (currently for strings)
* validate number parameters
* validate date parameters
* validate parameters on POST /api/queries/<id>/results
* validate enum parameters
* validate date range parameters
* validate query-based dropdowns by preprocessing them at the handler level and converting them to a populated enum
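An added, self-contained illustration (not Redash's own code) of the parameter-validation scheme the commits above describe, together with the naive rule from the earlier ParameterizedQuery#is_safe commit: a schema lists each parameter's type, every supplied value is checked against that type (query-based dropdowns are assumed to have been converted to a populated enum beforehand), invalid or unexpected parameters raise an error that a handler would map to HTTP 400, and any text parameter makes the query unsafe. All class, function and field names here are assumptions.

```python
from datetime import datetime

# Constructed illustration, not Redash's own code: a schema lists parameters
# as {"name", "type", ...} dicts, each value is checked by a per-type
# validator, and is_safe applies the naive "any text parameter is unsafe" rule.

class InvalidParameterError(ValueError):
    """Bad value or unexpected parameter; a handler would answer HTTP 400."""

def _is_date(value):
    try:
        datetime.strptime(value, "%Y-%m-%d")
        return True
    except (TypeError, ValueError):
        return False

def _is_date_range(value):
    return (isinstance(value, dict) and {"start", "end"} <= set(value)
            and _is_date(value["start"]) and _is_date(value["end"]))

# Query-based dropdowns are assumed to have been converted to a populated
# enum ("enumOptions") before validation, as the handler-level step does.
VALIDATORS = {
    "text": lambda v, p: isinstance(v, str),
    "number": lambda v, p: isinstance(v, (int, float)) and not isinstance(v, bool),
    "date": lambda v, p: _is_date(v),
    "date-range": lambda v, p: _is_date_range(v),
    "enum": lambda v, p: v in p.get("enumOptions", []),
    "query": lambda v, p: v in p.get("enumOptions", []),
}

class ParameterizedQuery:
    def __init__(self, template, schema):
        self.template, self.schema, self.parameters = template, schema, {}

    def apply(self, values):
        # Validate every supplied value against its schema entry, then store it.
        by_name = {p["name"]: p for p in self.schema}
        for name, value in values.items():
            definition = by_name.get(name)
            if definition is None or definition["type"] not in VALIDATORS:
                raise InvalidParameterError("unexpected parameter: %s" % name)
            if not VALIDATORS[definition["type"]](value, definition):
                raise InvalidParameterError("invalid value for %s" % name)
        self.parameters.update(values)
        return self

    @property
    def is_safe(self):
        return not any(p["type"] == "text" for p in self.schema)
```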
* change _is_date_range to be a tad more succinct
* a single assignment with a `map` is sufficiently explanatory
* Update redash/utils/parameterized_query.py
Co-Authored-By: rauchy <omer@rauchy.net>
* Update redash/handlers/query_results.py
Co-Authored-By: rauchy <omer@rauchy.net>
* build error message inside the error
* support all types of numbers as number parameters
* check for permissions when populating query-based dropdowns
* check for access to query before running it
* check for empty rows when populating query-based enums
* don't bother loading query results if user doesn't have access
* 💥 on unexpected parameter types
* parameter schema default is a list, not a dictionary
* fix a totally unrelated typo
* remove redundant null guards
* introduce /dropdown.json endpoint with dummy data
* wire frontend to /dropdown.json
* always return name/value combos from /dropdown.json
* load actual data into /dropdown.json
* pluck correct values for `name` and `value`
* reuse dropdown plucking logic in QueryResultResource
* simplify _get_dropdown_values
* when doing parameter validation, we only care about the value and not the display name
* rename dropdown to dropdownOptions
* move dropdown_values to utils/parameterized_query.py
* stop converting queries to enums and encapsulate the work inside ParameterizedQuery (almost - /dropdown.json would still access the dropdown_values method)
* re-order arguments by importance
* test query parameter validation
* tests for dropdown_values logic
* remove `.json` suffix to the dropdown endpoint
* allow `BaseResource` to handle JSON stuff
* move _pluck_name_and_value outside its containing method
* case-insensitive lookup when plucking name and value
* separate concerns and simplify test isolation for `dropdown_values`
* pick the default column according to the order specified in the query result columns attribute
* use `current_org` instead of passing `org`
* test that user has access to the query when calling the /dropdown endpoint
* Consistently use simplejson for loading and dumping JSON.
This introduces the new functions redash.utils.json_dumps and redash.utils.json_loads and simplifies the custom encoder setup.
UUIDs are now handled by the default encoder, too.
Fixes #2807.
Use string comparison in parse_boolean instead of the (simple)json module.
This is one huge change for the permissions system and related:
* (Backward incompatible:) Remove the table based permissions in favour of the new model.
* Manage permission to view or query datasources based on groups.
* Add the concept of Organization. It's irrelevant for most deployments, but allows for multi-tenant support in re:dash.
* Replace ActivityLog with Event based rows (old data in activity_log table is retained).
* Enforce permissions on the server-side. There were some permissions that were only enforced on the client side. This is no more. All permissions are enforced by the server.
* Added new permission: 'super-admin' to access the status and Flask-Admin interface.
* Make sure that html is never cached by the browser - this is to make sure that the browser will always ask for the new Javascript/CSS resources (if such are available).