fix(Embedded): Skip CSRF validation for dashboard download endpoints #31798
Conversation
![korbit-ai[bot]](https://avatars.githubusercontent.com/in/322216?s=60&v=4){kind=small}
There was a problem hiding this comment.
Review by Korbit AI
Korbit automatically attempts to detect when you fix issues in new commits.
| Category | Issue | Fix Detected |
|---|---|---|
 |
Incorrect HTTP Status Code for Disabled Features ▹ view |
Files scanned
| File Path | Reviewed |
|---|---|
| superset/views/base_api.py | ✅ |
| superset/dashboards/api.py | ✅ |
Explore our documentation to understand the languages and file types we support and the files we ignore.
Need a new review? Comment
/korbit-reviewon this PR and I'll review your latest changes.Korbit Guide: Usage and Customization
Interacting with Korbit
- You can manually ask Korbit to review your PR using the
/korbit-reviewcommand in a comment at the root of your PR.- You can ask Korbit to generate a new PR description using the
/korbit-generate-pr-descriptioncommand in any comment on your PR.- Too many Korbit comments? I can resolve all my comment threads if you use the
/korbit-resolvecommand in any comment on your PR.- Chat with Korbit on issues we post by tagging @korbit-ai in your reply.
- Help train Korbit to improve your reviews by giving a 👍 or 👎 on the comments Korbit posts.
Customizing Korbit
- Check out our docs on how you can make Korbit work best for you and your team.
- Customize Korbit for your organization through the Korbit Console.
Current Korbit Configuration
General Settings
Setting Value Review Schedule Automatic excluding drafts Max Issue Count 10 Automatic PR Descriptions ❌ Issue Categories
Category Enabled Naming ✅ Database Operations ✅ Documentation ✅ Logging ✅ Error Handling ✅ Systems and Environment ✅ Objects and Data Structures ✅ Readability and Maintainability ✅ Asynchronous Processing ✅ Design Patterns ✅ Third-Party Libraries ✅ Performance ✅ Security ✅ Functionality ✅ Feedback and Support
Note
Korbit Pro is free for open source projects 🎉
Looking to add Korbit to your team? Get started with a free 2 week trial here
| if not all(is_feature_enabled(flag) for flag in feature_flags): | ||
| return self.response_404() |
There was a problem hiding this comment.
Incorrect HTTP Status Code for Disabled Features 
Tell me more
What is the issue?
The decorator returns a 404 Not Found response when feature flags are disabled, which is semantically incorrect and misleading.
Why this matters
A 404 response indicates a resource was not found, but in this case, the resource exists but is intentionally disabled. This could confuse API clients and monitoring systems trying to understand why the endpoint is not accessible.
Suggested change ∙ Feature Preview
Return a 403 Forbidden status code which better represents that the feature exists but access is not permitted:
if not all(is_feature_enabled(flag) for flag in feature_flags):
return self.response_403()Chat with Korbit by mentioning @korbit-ai, and give a 👍 or 👎 to help Korbit improve your reviews.
| @@ -1141,6 +1130,7 @@ def thumbnail(self, pk: int, digest: str, **kwargs: Any) -> WerkzeugResponse: | |||
| ) | |||
|
|
|||
| @expose("/<pk>/cache_dashboard_screenshot/", methods=("POST",)) | |||
| @validate_feature_flags(["THUMBNAILS", "ENABLE_DASHBOARD_SCREENSHOT_ENDPOINTS"]) | |||
There was a problem hiding this comment.
I am thinking if we really need the couple here at this point or ENABLE_DASHBOARD_SCREENSHOT_ENDPOINTS will suffice. What's your thought? I have been meaning to remove this dependency before and this could be a good chance.
There was a problem hiding this comment.
@geido if we remove the requirement to have THUMBNAILS enabled for this endpoint, but then we keep it at the digest endpoint, then at the end the process would still not work unless you have both enabled.
Also, currently when you trigger a "screenshot generation" it returns the digest link, which returns a 404 status code until it's being processed. If THUMBNAILS is disabled, it would return 404 forever and users wouldn't have an easy way to spot the issue.
I think we could either:
- Remove the
THUMBNAILScheck for this endpoint, and then update the check on thedigestendpoint to validate for eitherTHUMBNAILSORENABLE_DASHBOARD_SCREENSHOT_ENDPOINTS. This way you can still download a dashboard screenshot without havingTHUMBNAILSFF enabled; or - Update the other endpoint to return a different status code if the
THUMBNAILSFF is disabled. Also update the frontend (if that's not the case yet) to validate if both FFs are enabled to decide if frontend or backend processing should be used.
One potential issue with the first approach is that environments with ENABLE_DASHBOARD_SCREENSHOT_ENDPOINTS enabled but THUMBNAILS disabled would still expose the digest endpoint, so it's possible that disabling THUMBNAILS FF would no longer be sufficient to remove thumbnails from displaying in the card views.
Let me know your thoughts!
There was a problem hiding this comment.
Alright. I think there is a case here to keep both. Maybe @fisjac can consider the above for the work that he is doing around screenshot generation for future improvements. Thanks for this!
Vitor-Avila
force-pushed
the
fix/remove-csrf-validation-embedded-downloads
branch
from
cfe5ee8 to
7c68ea5
Compare
SUMMARY
#29953 removed the CSRF requirement for endpoints used to download a dashboard as PNG/PDF, so that these work in embedded mode.
This PR changes the FF validation logic for these endpoints from using
before_requestto a new decorator, asbefore_requestwas causing issues to theWTF_CSRF_EXEMPT_LISTconfig.BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
No UI changes.
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION