dashboard/dashboard/create_health_report.py - Issue 2622303003: Allows a user to create_health_reports.

Side by Side Diff: dashboard/dashboard/create_health_report.py

Issue 2622303003: Allows a user to create_health_reports. (Closed)

Patch Set: removing changes from other CL Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
(Empty)
	1 # Copyright 2017 The Chromium Authors. All rights reserved.

	2 # Use of this source code is governed by a BSD-style license that can be

	3 # found in the LICENSE file.

	4

	5 """Provides the web interface for adding and editing sheriff rotations."""

	6

	7 from dashboard.common import request_handler

	8 from dashboard.common import xsrf

	9 from dashboard.models import table_config

	10

	11

	12 class CreateHealthReportHandler(request_handler.RequestHandler):

	13

	14 def get(self):

	15 """Renders the UI with the form fields."""

	16 self.RenderHtml('create_health_report.html', {})

	17

	18 @xsrf.TokenRequired

	19 def post(self):

	20 """POSTS the data to the datastore."""

	21 internal_only = self.request.get('internal-only') == 'true'

	22 name = self.request.get('name')

	23 master_bot = self.request.get('masterBot').splitlines()
	sullivan 2017/01/11 20:59:15 It's poor security to rely on the user to supply w It's poor security to rely on the user to supply whether or not this should be internal only. We should either: 1 Make the report internal_only if any of the bots are internal_only 2 Make each report public but not display data from internal_only bots to external users. This would be secure because our hooks prevent us from displaying this data accidentally. I think 1) is better because it's less error-prone; 2 should work but it's too complicated. jessimb 2017/01/11 21:31:21 Would that check go as a datastore pre-hook? Show quoted text On 2017/01/11 at 20:59:15, sullivan wrote: > It's poor security to rely on the user to supply whether or not this should be internal only. We should either: > > 1 Make the report internal_only if any of the bots are internal_only > 2 Make each report public but not display data from internal_only bots to external users. This would be secure because our hooks prevent us from displaying this data accidentally. > > I think 1) is better because it's less error-prone; 2 should work but it's too complicated. Would that check go as a datastore pre-hook? sullivan 2017/01/11 21:38:03 yep! Show quoted text On 2017/01/11 21:31:21, jessimb wrote: > On 2017/01/11 at 20:59:15, sullivan wrote: > > It's poor security to rely on the user to supply whether or not this should be > internal only. We should either: > > > > 1 Make the report internal_only if any of the bots are internal_only > > 2 Make each report public but not display data from internal_only bots to > external users. This would be secure because our hooks prevent us from > displaying this data accidentally. > > > > I think 1) is better because it's less error-prone; 2 should work but it's too > complicated. > > Would that check go as a datastore pre-hook? yep! jessimb 2017/01/12 02:10:30 I have put this in the new CreateTableConfig() whi Show quoted text On 2017/01/11 at 21:38:03, sullivan wrote: > On 2017/01/11 21:31:21, jessimb wrote: > > On 2017/01/11 at 20:59:15, sullivan wrote: > > > It's poor security to rely on the user to supply whether or not this should be > > internal only. We should either: > > > > > > 1 Make the report internal_only if any of the bots are internal_only > > > 2 Make each report public but not display data from internal_only bots to > > external users. This would be secure because our hooks prevent us from > > displaying this data accidentally. > > > > > > I think 1) is better because it's less error-prone; 2 should work but it's too > > complicated. > > > > Would that check go as a datastore pre-hook? > > yep! I have put this in the new CreateTableConfig() which also checks validity of master/bots
	24 tests = self.request.get('tests').splitlines()

	25 table_layout = self.request.get('tableLayout')

	26

	27 table_config.TableConfig(name=name, bots=master_bot, tests=tests,

	28 table_layout=table_layout,

	29 internal_only=internal_only).put()

	30

	31 self.RenderHtml('create_health_report.html',

	32 {'msg': 'Health Report Created. View here: [TODO jessimb]'})
	sullivan 2017/01/11 20:59:15 We're trying to get away from jinja templates, bec We're trying to get away from jinja templates, because it's really hard to have both jinja templates and polymer templates together. We want to get to a point where we only have polymer templates. This endpoint should be called from the client with simple_xhr and return JSON that is used to populate a polymer template. The JSON should probably return the URL, or an error message, and the polymer template should update based on that. jessimb 2017/01/11 21:31:21 Making this a polymer element. Show quoted text On 2017/01/11 at 20:59:15, sullivan wrote: > We're trying to get away from jinja templates, because it's really hard to have both jinja templates and polymer templates together. We want to get to a point where we only have polymer templates. > > This endpoint should be called from the client with simple_xhr and return JSON that is used to populate a polymer template. The JSON should probably return the URL, or an error message, and the polymer template should update based on that. Making this a polymer element.
OLD	NEW

« dashboard/app.yaml ('K') | « dashboard/app.yaml ('k') | dashboard/dashboard/dispatcher.py » ('j') | dashboard/dashboard/elements/nav-bar.html » ('J')