eschutho commented on code in PR #20499:
URL: https://github.com/apache/superset/pull/20499#discussion_r907869295
##########
superset/security/manager.py:
##########
@@ -1469,3 +1467,63 @@ def has_guest_access(self, dashboard: "Dashboard") ->
bool:
if str(resource["id"]) == str(dashboard.embedded[0].uuid):
return True
return False
+
+ def raise_for_ownership(self, resource: Model) -> None:
+ """
+ Raise an exception if the user does not own the resource.
+
+ Note admins are deemed owners of all resources.
+
+ :param resource: The dashboard, dataste, chart, etc. resource
+ :raises SupersetSecurityException: If the current user is not an owner
+ """
+
+ if self.is_admin():
+ return
+
+ # Set of wners that works across ORM models.
+ owners: List[User] = []
+
+ if hasattr(resource, "owners"):
+ owners += resource.owners
+
+ if hasattr(resource, "owner"):
+ owners.append(resource.owner)
+
+ if hasattr(resource, "created_by"):
+ owners.append(resource.created_by)
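Review bot: Typos in the new docstring and comment at the top of this hunk: `dataste` should be `dataset`, and `# Set of wners that works across ORM models.` should read `# Owners that works across ORM models.` (it is also a `List[User]`, not a set, so "Set of" is misleading). Separately, the `owner` and `created_by` branches append the attribute whenever it exists, so a `None` value on a record with no creator ends up in `owners`; guarding with `if getattr(resource, "created_by", None) is not None:` (and likewise for `owner`) keeps the list to real users.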
Review Comment:
I was comparing this method to the old one which pulled out the original
object from the db rather than using the one that was passed in. Could the
resource here come from user input rather than the db? I'm thinking of the
scenario where a non-owner might try to grant themselves ownership by adding
themselves to the list of owners on a resource. Since it's not making a db call
to the original resource could we be allowing them to define their own set of
owners? One example perhaps is the `pre_update` hook for the `SliceModelView`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
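The scenario raised in the review (a non-owner adding themselves to `owners` on the object submitted through an update hook, and an ownership check that trusts that object) can be reproduced with a small model. The following is an added example written for this page, not Superset's own code: `Chart`, `User`, the in-memory `DB` dict standing in for the ORM session, and the `pre_update` hook are all constructed here for illustration. It contrasts a check that reads owners from the passed-in object with one that re-reads the persisted record by primary key before comparing.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class OwnershipError(Exception):
    """Raised when the current user is not an owner of the resource."""


@dataclass
class User:
    id: int
    username: str
    is_admin: bool = False


@dataclass
class Chart:
    # Hypothetical stand-in for a Superset ORM model (e.g. Slice).
    id: int
    name: str
    owners: List[User] = field(default_factory=list)
    created_by: Optional[User] = None


# Constructed users and an in-memory "database" standing in for the ORM session.
ALICE = User(1, "alice")
BOB = User(2, "bob")
ROOT = User(3, "root", is_admin=True)
DB: Dict[int, Chart] = {}


def reset_db() -> None:
    """Chart 10 is owned and created by alice; bob has no rights to it."""
    DB.clear()
    DB[10] = Chart(10, "revenue", owners=[ALICE], created_by=ALICE)


def collect_owners(resource) -> List[User]:
    """Mirror the attribute-based owner collection, skipping None values."""
    owners: List[User] = []
    if hasattr(resource, "owners"):
        owners += resource.owners
    if getattr(resource, "owner", None) is not None:
        owners.append(resource.owner)
    if getattr(resource, "created_by", None) is not None:
        owners.append(resource.created_by)
    return owners


def raise_for_ownership_unsafe(current_user: User, resource) -> None:
    """Trusts whatever object is passed in, including one built from request input."""
    if current_user.is_admin:
        return
    if current_user.id not in {o.id for o in collect_owners(resource)}:
        raise OwnershipError(f"{current_user.username} does not own {resource.id}")


def raise_for_ownership_safe(current_user: User, resource) -> None:
    """Re-reads the persisted record by primary key and checks ITS owners."""
    if current_user.is_admin:
        return
    persisted = DB.get(resource.id)
    if persisted is None:
        raise OwnershipError(f"resource {resource.id} does not exist")
    if current_user.id not in {o.id for o in collect_owners(persisted)}:
        raise OwnershipError(f"{current_user.username} does not own {resource.id}")


def pre_update(current_user: User, incoming: Chart,
               check: Callable[[User, Chart], None]) -> bool:
    """Models a pre_update hook: `incoming` is the object populated from the request.

    Returns True if the write was allowed and committed, False if rejected.
    """
    try:
        check(current_user, incoming)
    except OwnershipError:
        return False
    DB[incoming.id] = incoming
    return True


def attacker_adds_self(check) -> bool:
    """Bob submits an edit to chart 10 that lists himself as an owner."""
    reset_db()
    tampered = Chart(10, "revenue", owners=[ALICE, BOB], created_by=ALICE)
    return pre_update(BOB, tampered, check)


def legit_owner_edits(check) -> bool:
    """Alice, the real owner, renames her own chart."""
    reset_db()
    edit = Chart(10, "revenue-2022", owners=[ALICE], created_by=ALICE)
    return pre_update(ALICE, edit, check)


def admin_edits(check) -> bool:
    """Admins are treated as owners of everything."""
    reset_db()
    edit = Chart(10, "revenue-admin", owners=[ALICE], created_by=ALICE)
    return pre_update(ROOT, edit, check)


if __name__ == "__main__":
    print("unsafe check, bob self-grants:", attacker_adds_self(raise_for_ownership_unsafe))
    print("safe check, bob self-grants:  ", attacker_adds_self(raise_for_ownership_safe))
```

With the unsafe variant the tampered object passes the check because the owner list being examined is the one Bob supplied, and the write then persists Bob as an owner; the safe variant compares against the stored record, so the same request is rejected while Alice's and the admin's edits still go through. The same idea applies to any model whose ownership fields are user-editable: fetch by id and check the stored row, not the incoming one.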