dpgaspar commented on code in PR #31421:
URL: https://github.com/apache/superset/pull/31421#discussion_r1905517635
##########
superset/queries/saved_queries/api.py:
##########
@@ -196,6 +199,102 @@ def pre_add(self, item: SavedQuery) -> None:
def pre_update(self, item: SavedQuery) -> None:
self.pre_add(item)
+ class SavedQueryRestApi(BaseSupersetModelRestApi):
+ datamodel = SQLAInterface(SavedQuery)
+
+ @has_access_api
+ @expose("/<int:pk>", methods=["GET"])
+ @protect()
+ @safe
+ @statsd_metrics
+ def get(self, pk: int, **kwargs: Any) -> Response:
+ """
+ Retrieve a specific saved query.
+
+ ---
+ get:
+ summary: Retrieve a specific saved query
+ description: >
+ Fetches the details of a saved query based on its primary key (ID).
+ The endpoint ensures that only the query owner or users with the
+ appropriate permissions ('can_read') can access the saved query.
+ parameters:
+ - in: path
+ name: pk
+ required: true
+ schema:
+ type: integer
+ description: The primary key (ID) of the saved query to retrieve.
+ responses:
+ 200:
+ description: Details of the saved query
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ database:
+ type: object
+ description: The database associated with the query.
+ result:
+ type: object
+ description: Details of the saved query.
+ 401:
+ $ref: '#/components/responses/401'
+ 403:
+ $ref: '#/components/responses/403'
+ 404:
+ $ref: '#/components/responses/404'
+ 500:
+ $ref: '#/components/responses/500'
+ """
+ try:
+ saved_query = db.session.query(SavedQuery).get(pk)
+ if not saved_query:
+ return self.response_404()
+
+ is_owner = saved_query.user_id == g.user.id
+ has_access = security_manager.can_access("can_read", "SavedQuery")
Review Comment:
The `can_read` on `SavedQuery` is already guaranteed by the `@protect`
decorator, so it seem redundant to check if the saved query belongs to the
user, since it will grant access to all queries to all users.
This does not seem like the correct approach, currently SavedQueries are not
shared on Superset, if we want to add this functionality, we can share links
using a UUID or wait until we have use group entities and expose queries to
groups
##########
superset/queries/saved_queries/api.py:
##########
@@ -196,6 +199,102 @@ def pre_add(self, item: SavedQuery) -> None:
def pre_update(self, item: SavedQuery) -> None:
self.pre_add(item)
+ class SavedQueryRestApi(BaseSupersetModelRestApi):
+ datamodel = SQLAInterface(SavedQuery)
Review Comment:
This looks like a duplicate class definition inside the same class
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
