michael-s-molina commented on a change in pull request #17882: URL: https://github.com/apache/superset/pull/17882#discussion_r787830377
########## File path: superset/charts/form_data/utils.py ########## @@ -0,0 +1,65 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +from typing import Optional + +from superset import security_manager +from superset.charts.commands.exceptions import ( + ChartAccessDeniedError, + ChartNotFoundError, +) +from superset.charts.dao import ChartDAO +from superset.datasets.commands.exceptions import ( + DatasetAccessDeniedError, + DatasetNotFoundError, +) +from superset.datasets.dao import DatasetDAO +from superset.key_value.commands.parameters import CommandParameters +from superset.views.base import is_user_admin +from superset.views.utils import is_owner + + +def get_dataset_id(cmd_params: CommandParameters) -> Optional[str]: + query_params = cmd_params.query_params + if query_params: + return query_params.get("dataset_id") + return None + + +def check_access(cmd_params: CommandParameters) -> Optional[bool]: + resource_id = cmd_params.resource_id + actor = cmd_params.actor + if resource_id == 0: + dataset_id = get_dataset_id(cmd_params) + if dataset_id: + dataset = DatasetDAO.find_by_id(int(dataset_id)) + if dataset: + can_access_datasource = security_manager.can_access_datasource(dataset) + if can_access_datasource: + return True + raise DatasetAccessDeniedError() + raise DatasetNotFoundError() + chart = ChartDAO.find_by_id(resource_id) + if chart: + can_access_chart = ( + is_user_admin() + or is_owner(chart, actor) + or security_manager.can_access("can_write", "Chart") + ) + if can_access_chart: Review comment: > What I meant is your access control when chart id is present doesn't seem to check dataset access, then why would it be necessary when chart id is not? When the chart ID is present, the dataset access is indirectly checked because if the user has access to the chart it means they can see the content that is coming from the dataset, so if a user has access to a chart it means they also have access to the underlying dataset. If the chart ID is not present, it's necessary to check for dataset access so we can store dataset-related information. > The only information leaked would be the chart configuration, maybe some axis label names and metrics/columns used, which is different than accessing the dataset itself. Do we consider these sensitive--for those with global read access to charts? We can store sensitive information that directly correlates to the data such as selected filter values, emitted filters, color properties associated with values, etc. We can also store information about the underlying database like schemas, tables, columns, etc. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org For additional commands, e-mail: notifications-h...@superset.apache.org
