Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix: restrict access to private queries in query search #875

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
May 27, 2022
Merged

fix: restrict access to private queries in query search #875

merged 8 commits into from
May 27, 2022

Conversation

kgopal492
Copy link
Contributor

fixes #865

  • add public and readable_user_ids fields to query_cell and query_execution elasticsearch indices to restrict access to queries on private datadocs
  • change elasticsearch item creation functions to allow option to generate/update specific fields
  • update querybook/server/datasources/search.py to use "must" query to ensure user has access to datadocs & queries that are returned

@kgopal492 kgopal492 requested a review from czgu May 26, 2022 19:23
@github-actions github-actions bot added the title needs formatting PR title must have type (ex. fix:) label May 26, 2022
@kgopal492 kgopal492 changed the title Fix: restrict access to private queries in query search fix: restrict access to private queries in query search May 26, 2022
@github-actions github-actions bot removed the title needs formatting PR title must have type (ex. fix:) label May 26, 2022
czgu
czgu reviewed May 26, 2022
View reviewed changes
Copy link
Collaborator

@czgu czgu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great work! minor style comments

querybook/server/logic/elasticsearch.py Outdated


def _get_partial_dict(field_to_generator, fields=None):
if fields is None:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

fields = fields or field_to_generator.keys()
return {field: field_to_generator[field]() for field in fields if field in field_to_generator}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slightly changed to the following to check whether getter is a callable or value:

fields = fields or field_to_getter.keys()
return {
    field: getter() if callable(getter) else getter
    for field, getter in field_to_getter.items()
    if field in fields
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

super minor, but

for field, getter in field_to_getter.items()
    if field in fields

is n^2, so its faster to check if field in field_to_getter

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ooh good point, fixed that!

czgu
czgu previously approved these changes May 27, 2022
View reviewed changes
czgu
czgu previously approved these changes May 27, 2022
View reviewed changes
@czgu czgu merged commit 8db8ac7 into master May 27, 2022
@czgu czgu deleted the fix-search branch May 27, 2022 01:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@czgu czgu czgu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Private DataDocs are not really Private
2 participants
@kgopal492 @czgu