[PR] fix(sqllab): enforce can_export_csv permission on streaming CSV expor… [superset]

Mon, 09 Mar 2026 11:48:11 -0700 


Vallabh-1504 opened a new pull request, #38526:
URL: https://github.com/apache/superset/pull/38526

   ### SUMMARY
   
   The `POST /api/v1/sqllab/export_streaming/` endpoint was decorated with
   `@permission_name("read")`, which meant any user with `can_read on SQLLab`
   (i.e. every SQL Lab user) could download CSV exports — bypassing the intended
   `can_export_csv on SQLLab` permission gate.
   
   **Fix:** Change `@permission_name("read")` to 
`@permission_name("export_csv")`
   on `export_streaming_csv`, making endpoint consistently enforce
   the intended permission.
   
   **No frontend changes required:** ` The bug was purely
   a backend misconfiguration. API endpoint itself wasn't enforcing the check.
   
   ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
   
   ### TESTING INSTRUCTIONS
   
   **To reproduce the bug (before fix):**
   1. Create a role without `can_export_csv on SQLLab`
   2. Assign it to a user
   3. `POST /api/v1/sqllab/export_streaming/` with a valid `client_id` → 
returns **200** (should be 403)
   
   **To verify the fix:**
   1. Apply the change
   2. Repeat above → returns **403**
   3. A user with `can_export_csv on SQLLab` (e.g. `sql_lab` role) → still 
returns the expected CSV
   
   **Automated:**
   ```bash
   docker-compose -f docker-compose-light.yml run --rm pytest-runner pytest 
tests/integration_tests/sql_lab/api_tests.py -v
   ```
   
   
   ### ADDITIONAL INFORMATION
   - [x] Has associated issue: #38195 
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration (follow approval process in 
[SIP-59](https://github.com/apache/superset/issues/13351))
     - [ ] Migration is atomic, supports rollback & is backwards-compatible
     - [ ] Confirm DB migration upgrade and downgrade tested
     - [ ] Runtime estimates and downtime expectations provided
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to