sha174n opened a new pull request, #38497: URL: https://github.com/apache/superset/pull/38497
<!--- Please write the PR title following the conventions at https://www.conventionalcommits.org/en/v1.0.0/ Example: fix(dashboard): load charts correctly --> ### SUMMARY <!--- Describe the change below, including rationale and design decisions --> This PR improves the consistency and robustness of access control enforcement across Superset by centralizing object-level validation within the Data Access Object (DAO) layer. Previously, some API endpoints and commands relied on shallow object retrieval without enforcing context-aware ownership checks, leading to inconsistent authorization behaviors. **Key Changes:** - **Centralized Validation:** Introduced a new get_with_check() classmethod in BaseDAO. This ensures that entities retrieved by ID automatically undergo strict, context-aware authorization checks via security_manager.raise_for_access(). -**API Standardization:** Refactored legacy API endpoints across Databases, Datasources, Queries, and Users to utilize the new get_with_check() method, ensuring consistent 403/404 handling when users attempt to retrieve resources outside their provisioned roles. -**MCP Tool Robustness:** Added missing command.validate() lifecycle calls to Model Context Protocol (MCP) commands (e.g., ChartDataCommand, UpdateChartCommand, CreateDashboardCommand) to guarantee that authorization rules are strictly evaluated prior to execution. - **Test Suite Expansion:** Added comprehensive unit tests targeting DAO access validation logic to prevent future regressions. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF <!--- Skip this if not applicable --> ### TESTING INSTRUCTIONS <!--- Required! What steps can be taken to manually verify the changes? --> 1. Log in with a restricted role (e.g., Gamma) that only has access to a specific subset of datasets/databases. 2. Manually construct an API request to fetch metadata for a database or datasource ID that belongs to a different role (e.g., /api/v1/database/{id}/schemas/). 3. Verify the API safely rejects the request with a 404 Not Found or 403 Forbidden rather than returning the object metadata. 4. Attempt to access a SavedQuery or cancel a query (stop_query) that was executed by a different user. Verify the action is gracefully blocked. 5. Execute the updated DAO test suite: pytest tests/unit_tests/daos/dao_access_control_test.py ### ADDITIONAL INFORMATION <!--- Check any relevant boxes with "x" --> <!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue --> - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Migration is atomic, supports rollback & is backwards-compatible - [ ] Confirm DB migration upgrade and downgrade tested - [ ] Runtime estimates and downtime expectations provided - [ ] Introduces new feature or API - [ ] Removes existing feature or API -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
