fix(chart data): removing query from /chart/data payload when accessi…

…ng as guest user (#30858)

superset/charts/data/api.py

@@ -394,8 +394,13 @@ def _process_data(query_data: Any) -> Any:
             )
 
         if result_format == ChartDataResultFormat.JSON:
+            queries = result["queries"]
+            if security_manager.is_guest_user():
+                for query in queries:
+                    with contextlib.suppress(KeyError):
+                        del query["query"]
             response_data = json.dumps(
-                {"result": result["queries"]},
+                {"result": queries},
                 default=json.json_int_dttm_ser,
                 ignore_nan=True,
             )

tests/integration_tests/charts/api_tests.py

@@ -24,6 +24,7 @@
 import prison
 import pytest
 import yaml
+from flask import g
 from flask_babel import lazy_gettext as _
 from parameterized import parameterized
 from sqlalchemy import and_
@@ -62,6 +63,7 @@
     dataset_config,
     dataset_metadata_config,
 )
+from tests.integration_tests.fixtures.query_context import get_query_context
 from tests.integration_tests.fixtures.tags import (
     create_custom_tags,  # noqa: F401
     get_filter_params,
@@ -2327,3 +2329,57 @@ def test_update_chart_no_tag_changes(self):
 
         security_manager.add_permission_role(alpha_role, write_tags_perm)
         security_manager.add_permission_role(alpha_role, tag_charts_perm)
+
+    @patch("superset.security.manager.SupersetSecurityManager.has_guest_access")
+    @patch("superset.security.manager.SupersetSecurityManager.is_guest_user")
+    @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
+    def test_get_chart_data_as_guest_user(
+        self, is_guest_user, has_guest_access
+    ):  # get_guest_rls_filters
+        """
+        Chart API: Test create simple chart
+        """
+        self.login(ADMIN_USERNAME)
+        g.user.rls = []
+        is_guest_user.return_value = True
+        has_guest_access.return_value = True
+
+        with mock.patch.object(Slice, "get_query_context") as mock_get_query_context:
+            mock_get_query_context.return_value = get_query_context("birth_names")
+            rv = self.client.post(
+                "api/v1/chart/data",  # noqa: F541
+                json={
+                    "datasource": {"id": 2, "type": "table"},
+                    "queries": [
+                        {
+                            "extras": {"where": "", "time_grain_sqla": "P1D"},
+                            "columns": ["name"],
+                            "metrics": [{"label": "sum__num"}],
+                            "orderby": [("sum__num", False)],
+                            "row_limit": 100,
+                            "granularity": "ds",
+                            "time_range": "100 years ago : now",
+                            "timeseries_limit": 0,
+                            "timeseries_limit_metric": None,
+                            "order_desc": True,
+                            "filters": [
+                                {"col": "gender", "op": "==", "val": "boy"},
+                                {"col": "num", "op": "IS NOT NULL"},
+                                {
+                                    "col": "name",
+                                    "op": "NOT IN",
+                                    "val": ["<NULL>", '"abc"'],
+                                },
+                            ],
+                            "having": "",
+                            "where": "",
+                        }
+                    ],
+                    "result_format": "json",
+                    "result_type": "full",
+                },
+            )
+            data = json.loads(rv.data.decode("utf-8"))
+            result = data["result"]
+            excluded_key = "query"
+            assert all([excluded_key not in query for query in result])