fix: Add user filtering to changed_by. Fixes #27986 (#29287)

Co-authored-by: Markus Eriksson <markus.eriksson@sinch.com>

superset/charts/api.py

@@ -269,10 +269,12 @@ def ensure_thumbnails_enabled(self) -> Optional[Response]:
     base_related_field_filters = {
         "owners": [["id", BaseFilterRelatedUsers, lambda: []]],
         "created_by": [["id", BaseFilterRelatedUsers, lambda: []]],
+        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
     }
     related_field_filters = {
         "owners": RelatedFieldFilter("first_name", FilterRelatedOwners),
         "created_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
+        "changed_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
     }
 
     allowed_rel_fields = {"owners", "created_by", "changed_by"}

superset/css_templates/api.py

@@ -35,7 +35,12 @@
 )
 from superset.extensions import event_logger
 from superset.models.core import CssTemplate
-from superset.views.base_api import BaseSupersetModelRestApi, statsd_metrics
+from superset.views.base_api import (
+    BaseSupersetModelRestApi,
+    RelatedFieldFilter,
+    statsd_metrics,
+)
+from superset.views.filters import BaseFilterRelatedUsers, FilterRelatedOwners
 
 logger = logging.getLogger(__name__)
 
@@ -91,6 +96,13 @@ class CssTemplateRestApi(BaseSupersetModelRestApi):
     openapi_spec_tag = "CSS Templates"
     openapi_spec_methods = openapi_spec_methods_override
 
+    related_field_filters = {
+        "changed_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
+    }
+    base_related_field_filters = {
+        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
+    }
+
     @expose("/", methods=("DELETE",))
     @protect()
     @safe

superset/dashboards/api.py

@@ -271,13 +271,15 @@ def ensure_thumbnails_enabled(self) -> Optional[Response]:
     base_related_field_filters = {
         "owners": [["id", BaseFilterRelatedUsers, lambda: []]],
         "created_by": [["id", BaseFilterRelatedUsers, lambda: []]],
+        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
         "roles": [["id", BaseFilterRelatedRoles, lambda: []]],
     }
 
     related_field_filters = {
         "owners": RelatedFieldFilter("first_name", FilterRelatedOwners),
         "roles": RelatedFieldFilter("name", FilterRelatedRoles),
         "created_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
+        "changed_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
     }
     allowed_rel_fields = {"owners", "roles", "created_by", "changed_by"}
 

superset/databases/api.py

@@ -125,11 +125,13 @@
 from superset.utils.ssh_tunnel import mask_password_info
 from superset.views.base_api import (
     BaseSupersetModelRestApi,
+    RelatedFieldFilter,
     requires_form_data,
     requires_json,
     statsd_metrics,
 )
 from superset.views.error_handling import json_error_response
+from superset.views.filters import BaseFilterRelatedUsers, FilterRelatedOwners
 
 logger = logging.getLogger(__name__)
 
@@ -304,6 +306,13 @@ class DatabaseRestApi(BaseSupersetModelRestApi):
     openapi_spec_methods = openapi_spec_methods_override
     """ Overrides GET methods OpenApi descriptions """
 
+    related_field_filters = {
+        "changed_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
+    }
+    base_related_field_filters = {
+        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
+    }
+
     @expose("/<int:pk>/connection", methods=("GET",))
     @protect()
     @safe

superset/datasets/api.py

@@ -242,10 +242,12 @@ class DatasetRestApi(BaseSupersetModelRestApi):
 
     base_related_field_filters = {
         "owners": [["id", BaseFilterRelatedUsers, lambda: []]],
+        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
         "database": [["id", DatabaseFilter, lambda: []]],
     }
     related_field_filters = {
         "owners": RelatedFieldFilter("first_name", FilterRelatedOwners),
+        "changed_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
         "database": "database_name",
     }
     search_filters = {

superset/queries/api.py

@@ -144,11 +144,13 @@ class QueryRestApi(BaseSupersetModelRestApi):
     ]
     base_related_field_filters = {
         "created_by": [["id", BaseFilterRelatedUsers, lambda: []]],
+        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
         "user": [["id", BaseFilterRelatedUsers, lambda: []]],
         "database": [["id", DatabaseFilter, lambda: []]],
     }
     related_field_filters = {
         "created_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
+        "changed_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
         "user": RelatedFieldFilter("first_name", FilterRelatedOwners),
     }
 

superset/queries/saved_queries/api.py

@@ -56,9 +56,11 @@
 from superset.utils import json
 from superset.views.base_api import (
     BaseSupersetModelRestApi,
+    RelatedFieldFilter,
     requires_form_data,
     statsd_metrics,
 )
+from superset.views.filters import BaseFilterRelatedUsers, FilterRelatedOwners
 
 logger = logging.getLogger(__name__)
 
@@ -179,8 +181,12 @@ class SavedQueryRestApi(BaseSupersetModelRestApi):
 
     related_field_filters = {
         "database": "database_name",
+        "changed_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
+    }
+    base_related_field_filters = {
+        "database": [["id", DatabaseFilter, lambda: []]],
+        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
     }
-    base_related_field_filters = {"database": [["id", DatabaseFilter, lambda: []]]}
     allowed_rel_fields = {"database", "changed_by", "created_by"}
     allowed_distinct_fields = {"catalog", "schema"}
 

superset/reports/api.py

@@ -228,6 +228,7 @@ def ensure_alert_reports_enabled(self) -> Optional[Response]:
         "database": [["id", DatabaseFilter, lambda: []]],
         "owners": [["id", BaseFilterRelatedUsers, lambda: []]],
         "created_by": [["id", BaseFilterRelatedUsers, lambda: []]],
+        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
     }
     text_field_rel_fields = {
         "dashboard": "dashboard_title",
@@ -239,6 +240,7 @@ def ensure_alert_reports_enabled(self) -> Optional[Response]:
         "chart": "slice_name",
         "database": "database_name",
         "created_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
+        "changed_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
         "owners": RelatedFieldFilter("first_name", FilterRelatedOwners),
     }
 

superset/row_level_security/api.py

@@ -47,10 +47,15 @@
 from superset.views.base import DatasourceFilter
 from superset.views.base_api import (
     BaseSupersetModelRestApi,
+    RelatedFieldFilter,
     requires_json,
     statsd_metrics,
 )
-from superset.views.filters import BaseFilterRelatedRoles
+from superset.views.filters import (
+    BaseFilterRelatedRoles,
+    BaseFilterRelatedUsers,
+    FilterRelatedOwners,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -129,9 +134,13 @@ class RLSRestApi(BaseSupersetModelRestApi):
     edit_model_schema = RLSPutSchema()
 
     allowed_rel_fields = {"tables", "roles", "created_by", "changed_by"}
+    related_field_filters = {
+        "changed_by": RelatedFieldFilter("first_name", FilterRelatedOwners),
+    }
     base_related_field_filters = {
         "tables": [["id", DatasourceFilter, lambda: []]],
         "roles": [["id", BaseFilterRelatedRoles, lambda: []]],
+        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
     }
 
     openapi_spec_methods = openapi_spec_methods_override