sync (#160)

* fix: Issue apache#24493; Resolved report selection menu in chart and dashboard page (apache#25157)

* fix: DML failures in SQL Lab (apache#25190)

* fix: All values being selected in Select (apache#25202)

* docs: fix wrong type in PREFERRED_DATABASES example (apache#25200)

Signed-off-by: cmontemuino <1761056+cmontemuino@users.noreply.github.com>

* docs: add CVEs for 2.1.1 (apache#25206)

* chore: back port 2.1.1 doc changes (apache#25165)

* feat(sqllab): Show sql in the current result (apache#24787)

* docs(FAQ): add answer re: necessary specs, copy-edit existing answer (apache#24992)

* fix: `is_select` (apache#25189)

* fix: Cypress test to force mouseover (apache#25209)

* fix(sqllab): Force trino client async execution (apache#24859)

* fix: granularity_sqla and GENERIC_CHART_AXES (apache#25213)

* chore: Convert deckgl class components to functional (apache#25177)

* fix: Cypress test to force mouseover (follow-up) (apache#25223)

* fix(docs): Fixing a typo in README.md (apache#25216)

* chore(read_csv): remove deprecated argument (apache#25226)

* chore(trino): remove unnecessary index checks (apache#25211)

---------

Signed-off-by: cmontemuino <1761056+cmontemuino@users.noreply.github.com>
Co-authored-by: Sandeep Patel <33354423+suicide11@users.noreply.github.com>
Co-authored-by: Hugh A. Miles II <hughmil3s@gmail.com>
Co-authored-by: Michael S. Molina <70410625+michael-s-molina@users.noreply.github.com>
Co-authored-by: Carlos M <1761056+cmontemuino@users.noreply.github.com>
Co-authored-by: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Co-authored-by: Elizabeth Thompson <eschutho@gmail.com>
Co-authored-by: JUST.in DO IT <justin.park@airbnb.com>
Co-authored-by: Sam Firke <sfirke@users.noreply.github.com>
Co-authored-by: Beto Dealmeida <roberto@dealmeida.net>
Co-authored-by: Rob Moore <giftig@users.noreply.github.com>
Co-authored-by: Kamil Gabryjelski <kamil.gabryjelski@gmail.com>
Co-authored-by: yousoph <sophieyou12@gmail.com>
Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

CHANGELOG.md

@@ -19,6 +19,7 @@ under the License.
 
 ## Change Log
 
+- [2.1.1](#211-sun-apr-23-154421-2023-0100)
 - [2.1.0](#210-thu-mar-16-211305-2023--0700)
 - [2.0.1](#201-fri-nov-4-103402-2022--0400)
 - [2.0.0](#200-tue-jun-28-085302-2022--0400)
@@ -29,6 +30,51 @@ under the License.
 - [1.4.2](#142-sat-mar-19-000806-2022-0200)
 - [1.4.1](#141)
 
+
+### 2.1.1 (Sun Apr 23 15:44:21 2023 +0100)
+
+**Database Migrations**
+- [#23980](https://github.com/apache/superset/pull/23980) fix(migration): handle permalink edge cases correctly (@villebro)
+- [#23888](https://github.com/apache/superset/pull/23888) chore(key-value): use json serialization for main resources (@villebro)
+
+**Fixes**
+- [#23723](https://github.com/apache/superset/pull/23723) fix: add enforce URI query params with a specific for MySQL (@dpgaspar)
+- [#24970](https://github.com/apache/superset/pull/24970) fix: update permalink schema (@eschutho)
+- [#24995](https://github.com/apache/superset/pull/24995) fix: Revert "fix(chart): Time Series set showMaxLabel as null for time xAxis (#20627) (@eschutho)
+- [#24513](https://github.com/apache/superset/pull/24513) fix(sqllab): normalize changedOn timestamp (@villebro)
+- [#23512](https://github.com/apache/superset/pull/23512) fix: Dashboard not loading with default first value in filter (@geido)
+- [#24482](https://github.com/apache/superset/pull/24482) fix(permalink): Incorrect component schema reference (@Nisden)
+- [#24166](https://github.com/apache/superset/pull/24166) fix(permalink): migrate to marshmallow codec (@villebro)
+- [#24697](https://github.com/apache/superset/pull/24697) fix: import database engine validation (@dpgaspar)
+- [#24390](https://github.com/apache/superset/pull/24390) fix: FAB CSS on Superset (@dpgaspar)
+- [#24249](https://github.com/apache/superset/pull/24249) fix: dashboard ownership check (@betodealmeida)
+- [#23801](https://github.com/apache/superset/pull/23801) fix(plugin-chart-handlebars): Fix TypeError when using handlebars columns raw mode (@fmannhardt)
+- [#23566](https://github.com/apache/superset/pull/23566) fix: Filter values are not updating when dependencies are set (@michael-s-molina)
+- [#23400](https://github.com/apache/superset/pull/23400) fix: Select all issue with "Dynamically search all filter values" in FilterBar (@geido)
+- [#23865](https://github.com/apache/superset/pull/23865) fix: Native time range filter in legacy charts (@kgabryje)
+- [#24054](https://github.com/apache/superset/pull/24054) fix: handle temporal columns in presto partitions (@giftig)
+- [#23882](https://github.com/apache/superset/pull/23882) fix: handle comments in `has_table_query` (@betodealmeida)
+- [#24137](https://github.com/apache/superset/pull/24137) fix: disable SHOW_STACKTRACE by default (@dpgaspar)
+- [#24185](https://github.com/apache/superset/pull/24185) fix: db validate parameters permission (@dpgaspar)
+- [#23769](https://github.com/apache/superset/pull/23769) fix: allow db driver distinction on enforced URI params (@dpgaspar)
+- [#23600](https://github.com/apache/superset/pull/23600) fix: load examples as anon user (@betodealmeida)
+- [#23200](https://github.com/apache/superset/pull/23200) fix: permission checks on import (@betodealmeida)
+- [#23901](https://github.com/apache/superset/pull/23901) fix: check sqlalchemy_uri (@dpgaspar)
+- [#23751](https://github.com/apache/superset/pull/23751) fix(mssql): apply top after distinct (@villebro)
+- [#23586](https://github.com/apache/superset/pull/23586) fix(dashboard-rbac): use normal rbac when no roles chosen (@villebro)
+- [#23582](https://github.com/apache/superset/pull/23582) fix(dash import): Ensure old datasource ids are not referenced in imported charts (@jfrag1)
+- [#23506](https://github.com/apache/superset/pull/23506) fix(generic-x-axis): skip initial time filter for legacy charts (@villebro)
+- [#23507](https://github.com/apache/superset/pull/23507) fix(legacy-plugin-chart-heatmap): fix adhoc column tooltip (@villebro)
+- [#23441](https://github.com/apache/superset/pull/23441) fix(chart): non existent time grain no longer breaks the application (@rdubois)
+- [#23393](https://github.com/apache/superset/pull/23393) fix(Pivot Table v2): resolved full width issue (@AkashBoora)
+- [#22851](https://github.com/apache/superset/pull/22851) fix: Validate jinja rendered query (@geido)
+
+**Others**
+- [#24586](https://github.com/apache/superset/pull/24586) chore(metastore-cache): add codec support (@villebro)
+- [#23113](https://github.com/apache/superset/pull/23113) chore(sqla): Address performance tradeoff with eager loading (@john-bodley)
+- [#24294](https://github.com/apache/superset/pull/24294) chore: update UPDATING for 2.1.0 (@eschutho)
+- [#24056](https://github.com/apache/superset/pull/24056) chore: Remove unnecessary information from response (@geido)
+
 ### 2.1.0 (Thu Mar 16 21:13:05 2023 -0700)
 
 **Database Migrations**

UPDATING.md

@@ -32,7 +32,6 @@ assists people when migrating to a new version.
 - [24628](https://github.com/apache/superset/pull/24628): Augments the foreign key constraints for the `dashboard_owner`, `report_schedule_owner`, and `slice_owner` tables to include an explicit CASCADE ON DELETE to ensure the relevant ownership records are deleted when a dataset is deleted. Scheduled downtime may be advised.
 - [24488](https://github.com/apache/superset/pull/24488): Augments the foreign key constraints for the `sql_metrics`, `sqlatable_user`, and `table_columns` tables to include an explicit CASCADE ON DELETE to ensure the relevant records are deleted when a dataset is deleted. Scheduled downtime may be advised.
 - [24335](https://github.com/apache/superset/pull/24335): Removed deprecated API `/superset/filter/<datasource_type>/<int:datasource_id>/<column>/`
-- [24185](https://github.com/apache/superset/pull/24185): `/api/v1/database/test_connection` and `api/v1/database/validate_parameters` permissions changed from `can_read` to `can_write`. Only Admin user's have access.
 - [24232](https://github.com/apache/superset/pull/24232): Enables ENABLE_TEMPLATE_REMOVE_FILTERS, DRILL_TO_DETAIL, DASHBOARD_CROSS_FILTERS by default, marks VERSIONED_EXPORT and ENABLE_TEMPLATE_REMOVE_FILTERS as deprecated.
 - [23652](https://github.com/apache/superset/pull/23652): Enables GENERIC_CHART_AXES feature flag by default.
 - [23226](https://github.com/apache/superset/pull/23226): Migrated endpoint `/estimate_query_cost/<int:database_id>` to `/api/v1/sqllab/estimate/`. Corresponding permissions are can estimate query cost on SQLLab. Make sure you add/replace the necessary permissions on any custom roles you may have.
@@ -84,6 +83,12 @@ assists people when migrating to a new version.
 
 - [24982](https://github.com/apache/superset/pull/24982): By default, physical datasets on Oracle-like dialects like Snowflake will now use denormalized column names. However, existing datasets won't be affected. To change this behavior, the "Advanced" section on the dataset modal has a "Normalize column names" flag which can be changed to change this behavior.
 
+## 2.1.1
+- [24185](https://github.com/apache/superset/pull/24185): `/api/v1/database/test_connection` and `api/v1/database/validate_parameters` permissions changed from `can_read` to `can_write`. Only Admin user's have access.
+
+### Other
+- [23888](https://github.com/apache/superset/pull/23888): Database Migration for json serialization instead of pickle should upgrade/downgrade correctly when bumping to/from this patch version
+
 ## 2.1.0
 
 - [22809](https://github.com/apache/superset/pull/22809): Migrated endpoint `/superset/sql_json` and `/superset/results/` to `/api/v1/sqllab/execute/` and `/api/v1/sqllab/results/` respectively. Corresponding permissions are `can sql_json on Superset` to `can execute on SQLLab`, `can results on Superset` to `can results on SQLLab`. Make sure you add/replace the necessary permissions on any custom roles you may have.

docs/docs/databases/db-connection-ui.mdx

@@ -28,7 +28,7 @@ We added a new configuration option where the admin can define their preferred d
 # displayed prominently in the "Add Database" dialog. You should
 # use the "engine_name" attribute of the corresponding DB engine spec
 # in `superset/db_engine_specs/`.
-PREFERRED_DATABASES: List[str] = [
+PREFERRED_DATABASES: list[str] = [
     "PostgreSQL",
     "Presto",
     "MySQL",

docs/docs/frequently-asked-questions.mdx

@@ -6,35 +6,52 @@ sidebar_position: 7
 
 ## Frequently Asked Questions
 
+
+### How big of a dataset can Superset handle?
+
+Superset can work with even gigantic databases! Superset acts as a thin layer above your underlying
+databases or data engines, which do all the processing.  Superset simply visualizes the results of
+the query.
+
+The key to achieving acceptable performance in Superset is whether your database can execute queries
+and return results at a speed that is acceptable to your users. If you experience slow performance with
+Superset, benchmark and tune your data warehouse.
+
+### What are the computing specifications required to run Superset?
+
+The specs of your Superset installation depend on how many users you have and what their activity is, not
+on the size of your data.  Superset admins in the community have reported 8GB RAM, 2vCPUs as adequate to
+run a moderately-sized instance. To develop Superset, e.g., compile code or build images, you may
+need more power.
+
+Monitor your resource usage and increase or decrease as needed. Note that Superset usage has a tendency
+to occur in spikes, e.g., if everyone in a meeting loads the same dashboard at once.
+
+Superset's application metadata does not require a very large database to store it, though
+the log file grows over time.
+
+
 ### Can I join / query multiple tables at one time?
 
 Not in the Explore or Visualization UI. A Superset SQLAlchemy datasource can only be a single table
 or a view.
 
-When working with tables, the solution would be to materialize a table that contains all the fields
+When working with tables, the solution would be to create a table that contains all the fields
 needed for your analysis, most likely through some scheduled batch process.
 
-A view is a simple logical layer that abstract an arbitrary SQL queries as a virtual table. This can
-allow you to join and union multiple tables, and to apply some transformation using arbitrary SQL
-expressions. The limitation there is your database performance as Superset effectively will run a
+A view is a simple logical layer that abstracts an arbitrary SQL queries as a virtual table. This can
+allow you to join and union multiple tables and to apply some transformation using arbitrary SQL
+expressions. The limitation there is your database performance, as Superset effectively will run a
 query on top of your query (view). A good practice may be to limit yourself to joining your main
 large table to one or many small tables only, and avoid using _GROUP BY_ where possible as Superset
 will do its own _GROUP BY_ and doing the work twice might slow down performance.
 
-Whether you use a table or a view, the important factor is whether your database is fast enough to
-serve it in an interactive fashion to provide a good user experience in Superset.
+Whether you use a table or a view, performance depends on how fast your database can deliver
+the result to users interacting with Superset.
 
 However, if you are using SQL Lab, there is no such limitation. You can write SQL queries to join
 multiple tables as long as your database account has access to the tables.
 
-### How BIG can my datasource be?
-
-It can be gigantic! Superset acts as a thin layer above your underlying databases or data engines.
-
-As mentioned above, the main criteria is whether your database can execute queries and return
-results in a time frame that is acceptable to your users. Many distributed databases out there can
-execute queries that scan through terabytes in an interactive fashion.
-
 ### How do I create my own visualization?
 
 We recommend reading the instructions in
@@ -192,8 +209,9 @@ only a few database engines are supported for use as the OLTP backend / metadata
 
 Superset is tested using MySQL, PostgreSQL, and SQLite backends. It’s recommended you install
 Superset on one of these database servers for production.  Installation on other OLTP databases
-may work but isn’t tested. Column-store, non-OLTP databases are not designed for this type of workload.
-
+may work but isn’t tested.  It has been reported that [Microsoft SQL Server does *not*
+work as a Superset backend](https://github.com/apache/superset/issues/18961). Column-store,
+non-OLTP databases are not designed for this type of workload.
 
 ### How can I configure OAuth authentication and authorization?
 

docs/docs/security/cves.mdx

@@ -4,20 +4,34 @@ hide_title: true
 sidebar_position: 2
 ---
 
+#### Version 2.1.1
+
+| CVE            | Title                                                                   | Affected |
+|:---------------|:------------------------------------------------------------------------|---------:|
+| CVE-2023-36387 | Improper API permission for low privilege users                         |  < 2.1.1 |
+| CVE-2023-36388 | Improper API permission for low privilege users allows for SSRF         |  < 2.1.1 |
+| CVE-2023-27523 | Improper data permission validation on Jinja templated queries          |  < 2.1.1 |
+| CVE-2023-27526 | Improper Authorization check on import charts                           |  < 2.1.1 |
+| CVE-2023-39264 | Stack traces enabled by default                                         |  < 2.1.1 |
+| CVE-2023-39265 | Possible Unauthorized Registration of SQLite Database Connections       |  < 2.1.1 |
+| CVE-2023-37941 | Metadata db write access can lead to remote code execution              |  < 2.1.1 |
+| CVE-2023-32672 | SQL parser edge case bypasses data access authorization                 |  < 2.1.1 |
+
+
 #### Version 2.1.0
 
-| CVE            | Title                                                                   | Affected          |
-| :------------- | :---------------------------------------------------------------------- | -----------------:|
-| CVE-2023-25504 | Possible SSRF on import datasets                                        | <= 2.1.0          |
-| CVE-2023-27524 | Session validation vulnerability when using provided default SECRET_KEY | <= 2.1.0          |
-| CVE-2023-27525 | Incorrect default permissions for Gamma role                            | <= 2.1.0          |
-| CVE-2023-30776 | Database connection password leak                                       | <= 2.1.0          |
+| CVE            | Title                                                                   | Affected |
+|:---------------|:------------------------------------------------------------------------|---------:|
+| CVE-2023-25504 | Possible SSRF on import datasets                                        |  < 2.1.0 |
+| CVE-2023-27524 | Session validation vulnerability when using provided default SECRET_KEY |  < 2.1.0 |
+| CVE-2023-27525 | Incorrect default permissions for Gamma role                            |  < 2.1.0 |
+| CVE-2023-30776 | Database connection password leak                                       |  < 2.1.0 |
 
 
 #### Version 2.0.1
 
-| CVE            | Title                                                       | Affected          |
-| :------------- | :---------------------------------------------------------- | -----------------:|
+| CVE            | Title                                                       |          Affected |
+|:---------------|:------------------------------------------------------------|------------------:|
 | CVE-2022-41703 | SQL injection vulnerability in adhoc clauses                | < 2.0.1 or <1.5.2 |
 | CVE-2022-43717 | Cross-Site Scripting on dashboards                          | < 2.0.1 or <1.5.2 |
 | CVE-2022-43718 | Cross-Site Scripting vulnerability on upload forms          | < 2.0.1 or <1.5.2 |

superset-frontend/cypress-base/cypress/e2e/explore/chart.test.js

@@ -32,13 +32,13 @@ function openDashboardsAddedTo() {
   cy.getBySel('actions-trigger').click();
   cy.get('.ant-dropdown-menu-submenu-title')
     .contains('Dashboards added to')
-    .trigger('mouseover');
+    .trigger('mouseover', { force: true });
 }
 
 function closeDashboardsAddedTo() {
   cy.get('.ant-dropdown-menu-submenu-title')
     .contains('Dashboards added to')
-    .trigger('mouseout');
+    .trigger('mouseout', { force: true });
   cy.getBySel('actions-trigger').click();
 }