fix: Make g.user attribute access safe for public users

[robdiciuccio]

SUMMARY

Make g.user attribute access safe for public users by:

1. Using the abstract get_id method
2. Checking for presence of g.user.username before using (this property is not set for public users)

TEST PLAN

Automated tests should pass.

ADDITIONAL INFORMATION

• Has associated issue: fixes How to enable query execution in sqllab for Anonymous user(public role) ? #12618
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[dpgaspar]

nice! but we probably should check if the user is authenticated instead of checking if certain attrs are present, seems cleaner

[dpgaspar]

it probably makes more sense to just check if the user is authenticated, using g.user.is_authenticated

[robdiciuccio]

I originally was checking g.user.is_anonymous in these use cases, but opted for the explicit check for username, as this is the value that is being fetched. There may be use cases where username is not present in other states down the road, so thought explicit hasattr would be more future-proof.

[dpgaspar]

ok

[dpgaspar]

for reference: https://github.com/maxcountryman/flask-login/blob/89ce0167a8603d2c53fa2d0d604a20bfe03c0eaf/flask_login/mixins.py#L75

[robdiciuccio]

/testenv up

[github-actions]

@robdiciuccio Ephemeral environment spinning up at http://54.201.39.228:8080. Credentials are admin/admin. Please allow several minutes for bootstrapping and startup.

[github-actions]

Ephemeral environment shutdown and build artifacts deleted.