Skip to content
32 changes: 31 additions & 1 deletion plugins/ui/src/deephaven/ui/object_types/ElementType.py
Original file line number Diff line number Diff line change
@@ -1,9 +1,15 @@
from typing import Any
from typing import Any, Literal

from deephaven.plugin.object_type import BidirectionalObjectType, MessageStream
from ..elements import Element
from .ElementMessageStream import ElementMessageStream

# Escape-hatch configuration property. When set to true, deephaven.ui declares no authorization export behavior
# ("unset"), deferring to the server's default policy instead of enforcing the transform.
_DISABLE_AUTHORIZATION_EXPORT_TRANSFORM_PROPERTY = (
"deephaven.ui.disableAuthorizationExportTransform"
)


class ElementType(BidirectionalObjectType):
"""
Expand All @@ -14,6 +20,30 @@ class ElementType(BidirectionalObjectType):
def name(self) -> str:
return "deephaven.ui.Element"

@property
Comment thread
mofojed marked this conversation as resolved.
def authorization_export_behavior(self) -> Literal["transform", "unset"]:
"""Declares that deephaven.ui must export its references through the authorization transform.

Server objects (tables, etc.) handed to the client via a deephaven.ui component are run through the
authorization transform in the viewer's context, so they carry the viewer's ACLs rather than the query
owner's. Setting the configuration property ``deephaven.ui.disableAuthorizationExportTransform`` to true
reverts to the server's default ("unset") behavior. If the configuration cannot be read, the transform is
enforced (fail secure).
"""
try:
# deephaven.configuration only exists in the 42.x server package; the import is conditional to
# maintain compatibility with 41.x, where ImportError is caught and the transform is enforced.
from deephaven.configuration import get_configuration # type: ignore[import-untyped,import-not-found]

if get_configuration().get_bool(
_DISABLE_AUTHORIZATION_EXPORT_TRANSFORM_PROPERTY, False
):
return "unset"
except Exception:
# Fail secure: if the escape hatch cannot be evaluated, enforce the transform.
pass
return "transform"

def is_type(self, obj: Any) -> bool:
return isinstance(obj, Element)

Expand Down
Loading