refactor: Removes the deprecated ENABLE_EXPLORE_JSON_CSRF_PROTECTION …

…feature flag (#26344)
apache · Jan 18, 2024 · cf20b34 · cf20b34
1 parent b06ab7d
commit cf20b34
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 17 deletions.
diff --git a/RESOURCES/FEATURE_FLAGS.md b/RESOURCES/FEATURE_FLAGS.md
@@ -86,7 +86,6 @@ These features flags currently default to True and **will be removed in a future
 - DASHBOARD_CROSS_FILTERS
 - DASHBOARD_FILTERS_EXPERIMENTAL
 - DASHBOARD_NATIVE_FILTERS
-- ENABLE_EXPLORE_JSON_CSRF_PROTECTION
 - ENABLE_JAVASCRIPT_CONTROLS
 - GENERIC_CHART_AXES
 - KV_STORE

diff --git a/UPDATING.md b/UPDATING.md
@@ -30,6 +30,7 @@ assists people when migrating to a new version.
 
 ### Breaking Changes
 
+- [26344](https://github.com/apache/superset/issues/26344): Removes the deprecated `ENABLE_EXPLORE_JSON_CSRF_PROTECTION` feature flag. The previous value of the feature flag was `False` and now the feature is permanently removed.
 - [26345](https://github.com/apache/superset/issues/26345): Removes the deprecated `ENABLE_TEMPLATE_REMOVE_FILTERS` feature flag. The previous value of the feature flag was `True` and now the feature is permanently enabled.
 - [26346](https://github.com/apache/superset/issues/26346): Removes the deprecated `REMOVE_SLICE_LEVEL_LABEL_COLORS` feature flag. The previous value of the feature flag was `False` and now the feature is permanently removed.
 - [26348](https://github.com/apache/superset/issues/26348): Removes the deprecated `CLIENT_CACHE` feature flag. The previous value of the feature flag was `False` and now the feature is permanently removed.

diff --git a/docs/docs/installation/configuring-superset.mdx b/docs/docs/installation/configuring-superset.mdx
@@ -358,7 +358,6 @@ You can enable or disable features with flag from `superset_config.py`:
 
 ```python
 FEATURE_FLAGS = {
- 'ENABLE_EXPLORE_JSON_CSRF_PROTECTION': False,
  'PRESTO_EXPAND_DATA': False,
 }
 ```

diff --git a/superset/config.py b/superset/config.py
@@ -409,14 +409,6 @@ class D3Format(TypedDict, total=False):
  # editor no longer shows. Currently this is set to false so that the editor
  # option does show, but we will be depreciating it.
  "DISABLE_LEGACY_DATASOURCE_EDITOR": True,
- # For some security concerns, you may need to enforce CSRF protection on
- # all query request to explore_json endpoint. In Superset, we use
- # `flask-csrf <https://sjl.bitbucket.io/flask-csrf/>`_ add csrf protection
- # for all POST requests, but this protection doesn't apply to GET method.
- # When ENABLE_EXPLORE_JSON_CSRF_PROTECTION is set to true, your users cannot
- # make GET request to explore_json. explore_json accepts both GET and POST request.
- # See `PR 7935 <https://github.com/apache/superset/pull/7935>`_ for more details.
- "ENABLE_EXPLORE_JSON_CSRF_PROTECTION": False, # deprecated
  "ENABLE_TEMPLATE_PROCESSING": False,
  # Allow for javascript controls components
  # this enables programmers to customize certain charts (like the

diff --git a/superset/views/core.py b/superset/views/core.py
@@ -15,6 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 # pylint: disable=invalid-name
+# pylint: disable=too-many-lines
 from __future__ import annotations
 
 import contextlib
@@ -238,19 +239,24 @@ def explore_json_data(self, cache_key: str) -> FlaskResponse:
  except SupersetException as ex:
  return json_error_response(utils.error_msg_from_exception(ex), 400)
 
- EXPLORE_JSON_METHODS = ["POST"]
- if not is_feature_enabled("ENABLE_EXPLORE_JSON_CSRF_PROTECTION"):
- EXPLORE_JSON_METHODS.append("GET")
-
  @api
  @has_access_api
  @handle_api_exception
  @event_logger.log_this
  @expose(
  "/explore_json/<datasource_type>/<int:datasource_id>/",
- methods=EXPLORE_JSON_METHODS,
+ methods=(
+ "GET",
+ "POST",
+ ),
+ )
+ @expose(
+ "/explore_json/",
+ methods=(
+ "GET",
+ "POST",
+ ),
  )
- @expose("/explore_json/", methods=EXPLORE_JSON_METHODS)
  @etag_cache()
  @check_resource_permissions(check_datasource_perms)
  @deprecated(eol_version="4.0.0")

diff --git a/tests/integration_tests/core_tests.py b/tests/integration_tests/core_tests.py
@@ -559,8 +559,15 @@ def test_comments_in_sqlatable_query(self):
  self.assertEqual(clean_query, rendered_query)
 
  def test_slice_payload_no_datasource(self):
+ form_data = {
+ "viz_type": "dist_bar",
+ }
  self.login(username="admin")
- data = self.get_json_resp("/superset/explore_json/", raise_on_error=False)
+ rv = self.client.post(
+ "/superset/explore_json/",
+ data={"form_data": json.dumps(form_data)},
+ )
+ data = json.loads(rv.data.decode("utf-8"))
 
  self.assertEqual(
  data["errors"][0]["message"],