Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check download perms recursively on referenced card-ids #50307

Merged
merged 4 commits into from
Nov 22, 2024
Merged

Check download perms recursively on referenced card-ids #50307

merged 4 commits into from
Nov 22, 2024
+100 −37

Conversation

noahmoss
Copy link
Member

@noahmoss noahmoss commented Nov 20, 2024
edited
Loading

Fixes #50304

In #49364 I changed query->source-table-ids to return sets of table-ids and card-ids. In that PR, I adjusted download perm enforcement to require full native perms if any card-ids were returned from that function, since we previously hadn't been considering referenced cards at all for download perms. (i.e. we were being overly permissive, allowing downloads even for queries joined to cards without download perms).

This was too restrictive, though, and ended up blocking downloads for some queries that should be allowed. The more correct behavior is to check download perms recursively for any referenced card IDs in the query, and go with the least-permissive value from that entire set.

I've fixed the logic and added a test to catch this case.

@noahmoss Graphite App
Copy link
Member Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@metabase-bot metabase-bot bot added the .Team/AdminWebapp Admin and Webapp team label Nov 20, 2024
@noahmoss noahmoss marked this pull request as ready for review November 20, 2024 22:25
@noahmoss noahmoss added the backport Automatically create PR on current release branch on merge label Nov 20, 2024
@trunk-io Trunk.io
Copy link

trunk-io bot commented Nov 20, 2024
edited
Loading

Static BadgeStatic BadgeStatic BadgeStatic Badge

Flaky Test Failure Summary Logs
delay-queue-test Logs ↗︎

View Full Report ↗︎Docs

@noahmoss noahmoss force-pushed the nm-download-perms-check-cards-recursively branch from 1301102 to caea2dd Compare November 22, 2024 19:01
@noahmoss noahmoss requested review from johnswanson and a team November 22, 2024 19:35
@escherize escherize self-requested a review November 22, 2024 19:41
noahmoss
noahmoss commented Nov 22, 2024
View reviewed changes
...est/metabase_enterprise/advanced_permissions/query_processor/middleware/permissions_test.clj
Comment on lines -83 to -84
(with-download-perms! (mt/id) {:schemas {"PUBLIC" {(mt/id 'venues) :limited
(mt/id 'checkins) :full}}}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed all these since keywords are used in mt/id everywhere else in the codebase

escherize
escherize approved these changes Nov 22, 2024
View reviewed changes
...est/metabase_enterprise/advanced_permissions/query_processor/middleware/permissions_test.clj
(streaming-test/do-test!
"A user with limited download perms for a table has their query results limited for queries on that table"
{:query {:database (mt/id)
:type :query
:query {:source-table (mt/id 'venues)
:query {:source-table (mt/id :venues)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for updating these, much cleaner with keywords.

...kend/src/metabase_enterprise/advanced_permissions/query_processor/middleware/permissions.clj
@@ -32,16 +35,23 @@
;; Remove the :native key (containing the transpiled MBQL) so that this helper function doesn't think the query is
;; a native query. Actual native queries are dispatched to a different method by the :type key.
(let [{:keys [table-ids card-ids native?]} (query-perms/query->source-ids (dissoc query :native))
table-perms (if (or native? (seq card-ids))
table-perms (if native?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the comment on 35 reads that this query cannot be native, should it be reworded? to something like:

  ;; Remove the :native key (containing the transpiled MBQL) so that this helper function doesn't mistakenly classify
  ;; the query as a native query. Actual native queries are dispatched to a different method by the :type key.

Actually, I don't see why the dissoc matters since a different defmethod will handle :native. If it's clear to you tho please update the comment.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, the dissoc is unnecessary now, I've removed it

...kend/src/metabase_enterprise/advanced_permissions/query_processor/middleware/permissions.clj Outdated
table-ids)))
card-perms (set
;; If we have any card references in the query, check perms recursively
(map (fn [card-id]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: naming anon functions makes stack traces easier to follow

Suggested change
(map (fn [card-id]
(map (fn card-perms-lookup [card-id]

@noahmoss noahmoss enabled auto-merge (squash) November 22, 2024 21:29
@noahmoss noahmoss merged commit e9f6c50 into master Nov 22, 2024
136 checks passed
@noahmoss noahmoss deleted the nm-download-perms-check-cards-recursively branch November 22, 2024 22:27
github-automation-metabase pushed a commit that referenced this pull request Nov 22, 2024
@noahmoss
Check download perms recursively on referenced card-ids (#50307)
7b1cbd7
@github-automation-metabase github-automation-metabase mentioned this pull request Nov 22, 2024
Merged
github-automation-metabase added a commit that referenced this pull request Nov 25, 2024
@github-automation-metabase @noahmoss
Check download perms recursively on referenced card-ids (#50307) (#50431
f7a48af 
)

Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@escherize escherize escherize approved these changes

@johnswanson johnswanson Awaiting requested review from johnswanson

Assignees

@noahmoss noahmoss

Labels
backport Automatically create PR on current release branch on merge .Team/AdminWebapp Admin and Webapp team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Users without Full Download Permissions Cannot DL Results of certain Questions
2 participants
@noahmoss @escherize