Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(nav): infinite redirect and upload dataset nav permissions #19708

Merged
merged 2 commits into from
Apr 14, 2022

Conversation

ktmud
Copy link
Member

@ktmud ktmud commented Apr 14, 2022

SUMMARY

Currently there is an infinite redirect on the login page (when users are not logged in) that is triggered by an unfortunate sequence of changes:

  1. #17597 added redirect to login when API request returns 401
  2. #19051 starts to call the /api/v1/database API to find out whether there are databases with file upload enabled, even when the menu is rendered on a page where users haven't logged in. (Although I'm not sure why the redirects didn't show up in fix: update Permissions for right nav #19051's ephemeral environment.)

While debugging, I also found out that users without admin access will also see an empty "Data" menu, so I fixed that as well.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

When logged in as non admin users:

Before

Xnip2022-04-13_16-57-59

There is an empty Data menu item with no submenu.

After

Xnip2022-04-13_16-57-21

The Data menu item is removed

TESTING INSTRUCTIONS

  1. Log out and go to <superset url>/login. You may see infinitely redirect without this PR. For example, check the ephemeral environment of chore(build): upgrade less-loader #19703
  2. Log in as a non-admin user (e.g. username: alpha, passwd: general), check whether the empty menu item still exists.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

window.location.href = `/login?next=${
window.location.pathname + window.location.search
}`;
if (!window.location.pathname.startsWith('/login')) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only redirect when we are not on the login page so we never see infinite redirect caused by the API client ever again.

@@ -161,7 +163,7 @@ export default class SupersetClientClass {
headers,
timeout,
fetchRetryOptions,
ignoreUnauthorized,
ignoreUnauthorized = false,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Be more explicit what is the default. I kind of feel this should probably default to true but that's another topic. Async API requests should never implicitly redirect users as it may often cause surprises. There should be better error handling on the API user side instead.

cc @geido @kgabryje could you give more context on why #17597 made redirects on 401 the default?

Copy link
Member

@nytai nytai Apr 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I strongly agree here, this behavior is quite surprising from an api client. Though I guess this approach involves the least amount of code changes.

From a UX perspective I'd suggest presenting the user with the option to re-auth. There could be unsaved work that would be lost via a the redirect.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@geido @kgabryje @suddjian do you mind following up here to change the default to true and set it to false where needed? I'm not familiar where we wanted the redirect behavior to be the default.

Copy link
Member

@etr2460 etr2460 Apr 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we always want to redirect to login on a 401. 401 means that there's no auth token at all. 403 should be used if the user is forbidden, right?

Copy link
Member Author

@ktmud ktmud Apr 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@etr2460 This option was actually added by @suddjian because he had a case where redirects aren't desired: #19144 (i.e. when Superset in embedded in another app)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ahh i see. so we're fine with rendering some stuff even when a user is logged out. I guess that's fine then, carry on!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will have a conversation about having the default to true and we'll follow up. Thank you!

show={showModal}
dbEngine={engine}
/>
{canDatabase && (
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bycatch: only render the DatabaseModal when users can create new database connection.

@@ -240,22 +240,22 @@ const SubMenuComponent: React.FunctionComponent<SubMenuProps> = props => {
if ((props.usesRouter || hasHistory) && !!tab.usesRouter) {
return (
<Menu.Item key={tab.label}>
<li
<div
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bycatch: fix a React warning about nested <li />s.

@@ -161,7 +163,7 @@ export default class SupersetClientClass {
headers,
timeout,
fetchRetryOptions,
ignoreUnauthorized,
ignoreUnauthorized = false,
Copy link
Member

@nytai nytai Apr 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I strongly agree here, this behavior is quite surprising from an api client. Though I guess this approach involves the least amount of code changes.

From a UX perspective I'd suggest presenting the user with the option to re-auth. There could be unsaved work that would be lost via a the redirect.

@codecov
Copy link

codecov bot commented Apr 14, 2022

Codecov Report

Merging #19708 (751dfd8) into master (5fc0651) will decrease coverage by 0.00%.
The diff coverage is 45.83%.

@@            Coverage Diff             @@
##           master   #19708      +/-   ##
==========================================
- Coverage   66.51%   66.50%   -0.01%     
==========================================
  Files        1684     1684              
  Lines       64560    64570      +10     
  Branches     6625     6630       +5     
==========================================
+ Hits        42939    42941       +2     
- Misses      19926    19931       +5     
- Partials     1695     1698       +3     
Flag Coverage Δ
javascript 51.14% <45.83%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
superset-frontend/src/views/components/SubMenu.tsx 85.96% <ø> (ø)
...perset-frontend/src/views/components/MenuRight.tsx 60.63% <31.57%> (-6.03%) ⬇️
...rset-ui-core/src/connection/SupersetClientClass.ts 100.00% <100.00%> (ø)
superset-frontend/src/views/CRUD/utils.tsx 64.80% <100.00%> (+0.28%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5fc0651...751dfd8. Read the comment docs.

@ktmud ktmud merged commit 32a9265 into apache:master Apr 14, 2022
sadpandajoe pushed a commit to preset-io/superset that referenced this pull request Apr 14, 2022
@sadpandajoe
Copy link
Member

🏷️ preset:2022.15

@villebro villebro added v1.5 and removed v1.5 labels Apr 25, 2022
@john-bodley john-bodley deleted the infinite-redirect branch June 8, 2022 05:32
philipher29 pushed a commit to ValtechMobility/superset that referenced this pull request Jun 9, 2022
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 2.0.0 and removed 🚢 2.0.1 labels Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels preset:2022.15 size/L 🚢 2.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants