Remove workaround from check_csrf()

[eradman]

What type of PR is this?

• Bug Fix

Description

This code was supposed to be temporary, and raises an exception if REDASH_MULTI_ORG=true is set.

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 2213, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.8/site-packages/werkzeug/middleware/proxy_fix.py", line 182, in __call__
    return self.app(environ, start_response)
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 2193, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/local/lib/python3.8/site-packages/flask_restful/__init__.py", line 298, in error_router
    return original_handler(e)
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 2190, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1486, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.8/site-packages/flask_restful/__init__.py", line 298, in error_router
    return original_handler(e)
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1482, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1974, in preprocess_request
    rv = self.ensure_sync(before_func)()
  File "/app/redash/security.py", line 43, in check_csrf
    dest = f"{view.__module__}.{view.__name__}"
AttributeError: 'NoneType' object has no attribute '__module__'

How is this tested?

• Unit tests (pytest, jest)
• E2E Tests (Cypress)
• Manually
• N/A

1. Add REDASH_MULTI_ORG=true to .env
2. Start the server
3. Create an organization and a user

docker compose run server manage org create redash
docker compose run server manage users create_root [email protected] Redash --password ******

4. Log into http://localhost:5001/redash/

[justinclift]

From the comment in that code, it looks like this was waiting upon PR 419 in the external wtforms/flask-wtf repo to be merged, but it never was, and no-one followed up on it.

k, lets merge this as there's no obvious better way for now. 😄

[mjgp2]

@justinclift this seems to have broken SAML login for our organization when trying to upgrade to the latest version though unfortunately

[eradman]

@mjgp2 were you able to confirm that SAML works if you revert this change?

We should find an easy method of configuring a SAML provider so that we can test for this kind of regression.

[mjgp2]

@mjgp2 were you able to confirm that SAML works if you revert this change?

Yes, confirmed. We're having to run a manually patched version - 25.1.0 tag + revert this

[eradman]

I proposed a change that reverts this change and fixes the exception that motivated this to begin with in
#7327