Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: allow users with view only acces to use the queries in Query Results #4112

Merged
merged 4 commits into from
Sep 1, 2019
Merged

Fix: allow users with view only acces to use the queries in Query Results #4112

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
bcb8281
Fix: allow users with view only acces to access the queries
arikfr Sep 1, 2019
99c5d44
Add tests
arikfr Sep 1, 2019
32ba5d7
Update error message
arikfr Sep 1, 2019
bb4f768
Update error message. Take 2
arikfr Sep 1, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 27 additions & 20 deletions redash/query_runner/query_results.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
import sqlite3

from redash import models
from redash.permissions import has_access, not_view_only
from redash.permissions import has_access, view_only
from redash.query_runner import BaseQueryRunner, TYPE_STRING, guess_type, register
from redash.utils import json_dumps, json_loads

Expand All @@ -24,7 +24,8 @@ def extract_query_ids(query):


def extract_cached_query_ids(query):
queries = re.findall(r'(?:join|from)\s+cached_query_(\d+)', query, re.IGNORECASE)
queries = re.findall(r'(?:join|from)\s+cached_query_(\d+)', query,
re.IGNORECASE)
return [int(q) for q in queries]


Expand All @@ -34,9 +35,12 @@ def _load_query(user, query_id):
if user.org_id != query.org_id:
raise PermissionError("Query id {} not found.".format(query.id))

if not has_access(query.data_source, user, not_view_only):
raise PermissionError(u"You are not allowed to execute queries on {} data source (used for query id {}).".format(
query.data_source.name, query.id))
# TODO: this duplicates some of the logic we already have in the redash.handlers.query_results.
# We should merge it so it's consistent.
if not has_access(query.data_source, user, view_only):
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the actual change. The rest is my auto formatter 😬

raise PermissionError(
u"You are not allowed to execute queries on {} data source (used for query id {})."
.format(query.data_source.name, query.id))

return query

Expand All @@ -47,16 +51,22 @@ def get_query_results(user, query_id, bring_from_cache):
if query.latest_query_data_id is not None:
results = query.latest_query_data.data
else:
raise Exception("No cached result available for query {}.".format(query.id))
raise Exception("No cached result available for query {}.".format(
query.id))
else:
results, error = query.data_source.query_runner.run_query(query.query_text, user)
results, error = query.data_source.query_runner.run_query(
query.query_text, user)
if error:
raise Exception("Failed loading results for query id {}.".format(query.id))
raise Exception("Failed loading results for query id {}.".format(
query.id))

return json_loads(results)


def create_tables_from_query_ids(user, connection, query_ids, cached_query_ids=[]):
def create_tables_from_query_ids(user,
connection,
query_ids,
cached_query_ids=[]):
for query_id in set(cached_query_ids):
results = get_query_results(user, query_id, True)
table_name = 'cached_query_{query_id}'.format(query_id=query_id)
Expand All @@ -81,8 +91,7 @@ def flatten(value):

def create_table(connection, table_name, query_results):
try:
columns = [column['name']
for column in query_results['columns']]
columns = [column['name'] for column in query_results['columns']]
safe_columns = [fix_column_name(column) for column in columns]

column_list = ", ".join(safe_columns)
Expand All @@ -91,7 +100,8 @@ def create_table(connection, table_name, query_results):
logger.debug("CREATE TABLE query: %s", create_table)
connection.execute(create_table)
except sqlite3.OperationalError as exc:
raise CreateTableError(u"Error creating table {}: {}".format(table_name, exc.message))
raise CreateTableError(u"Error creating table {}: {}".format(
table_name, exc.message))

insert_template = u"insert into {table_name} ({column_list}) values ({place_holders})".format(
table_name=table_name,
Expand All @@ -108,11 +118,7 @@ class Results(BaseQueryRunner):

@classmethod
def configuration_schema(cls):
return {
"type": "object",
"properties": {
}
}
return {"type": "object", "properties": {}}

@classmethod
def annotate_query(cls):
Expand All @@ -127,16 +133,17 @@ def run_query(self, query, user):

query_ids = extract_query_ids(query)
cached_query_ids = extract_cached_query_ids(query)
create_tables_from_query_ids(user, connection, query_ids, cached_query_ids)
create_tables_from_query_ids(user, connection, query_ids,
cached_query_ids)

cursor = connection.cursor()

try:
cursor.execute(query)

if cursor.description is not None:
columns = self.fetch_columns(
[(i[0], None) for i in cursor.description])
columns = self.fetch_columns([(i[0], None)
for i in cursor.description])

rows = []
column_names = [c['name'] for c in columns]
Expand Down