dpgaspar commented on code in PR #38847:
URL: https://github.com/apache/superset/pull/38847#discussion_r2993993186
##########
superset/commands/report/update.py:
##########
@@ -89,6 +97,26 @@ def validate(self) -> None: # noqa: C901
):
self._properties["last_state"] = ReportState.NOOP
+ # For reports created from charts or dashboards the recipient must
always
+ # be the requesting user's own email address.
+ if (
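Review bot: the condition is cut off at `if (`, so what it actually tests is not visible here; the comment above it ("the recipient must always be the requesting user's own email address") means the comparison has to be against the authenticated user's email taken from the server-side session, not against anything in `self._properties`, which is the request payload (the same dict written to on the `self._properties["last_state"] = ReportState.NOOP` line). Because this guard sits in the update command's `validate()`, the create path needs the same enforcement, otherwise the recipient is unconstrained at creation and only restricted on later edits.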
Review Comment:
The core problem: the same POST /api/v1/report/ endpoint handles both flows,
and the security-relevant branching is based on a client-supplied value:
On creation (superset/commands/report/create.py):
creation_method = self._properties.get("creation_method") # from the request!
This means the user can still change the POST /api/v1/report/ request and send a
report to any email.
Creating a separate endpoint just for this purpose is probably the best
path; permission to this new endpoint can be given to Gamma users. Something
like POST /api/v1/report/my_report (or similar); this way security is enforced
on the server side.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
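As an added example that is not part of dpgaspar's comment or of Superset's code base, the following Python models the two patterns the comment contrasts: a validate step that keys the "own email only" rule on a client-supplied creation_method, and a dedicated "my report" command that derives the recipient from the server-side session regardless of what the body says. The names Session, ReportRequest, ForbiddenError, validate_trusting_client and create_my_report, and the sample addresses, are assumptions for the example; Session stands in for Superset's g.user.

```python
# Added illustration, not Superset code. Session stands in for the
# server-side authenticated user (flask's g.user in Superset); ReportRequest
# for the validated JSON body of POST /api/v1/report/. All names and the
# sample addresses below are constructed for this example.
from dataclasses import dataclass, field
from typing import List


class ForbiddenError(Exception):
    """Raised when a request tries to deliver a report to someone else."""


@dataclass
class Session:
    email: str            # taken from the login session, never from the body


@dataclass
class ReportRequest:
    name: str
    creation_method: str  # "alert", "charts", "dashboards": client supplied
    recipients: List[str] = field(default_factory=list)


def validate_trusting_client(session: Session, body: ReportRequest) -> List[str]:
    """VULNERABLE: the 'own email only' rule fires only when the client says the
    report came from a chart or dashboard. Any other creation_method value keeps
    the caller's arbitrary recipient list, so the guard is one field edit away
    from being skipped."""
    if body.creation_method in ("charts", "dashboards"):
        return [session.email]
    return list(body.recipients)


def create_my_report(session: Session, body: ReportRequest) -> List[str]:
    """HARDENED: model for a dedicated endpoint (the comment suggests
    POST /api/v1/report/my_report). The recipient comes from the session only;
    creation_method plays no part in the decision, and extra recipients in the
    body are rejected rather than silently dropped so tampering is visible to
    the caller and in logs."""
    extra = [r for r in body.recipients if r.lower() != session.email.lower()]
    if extra:
        raise ForbiddenError(
            f"recipients other than the requesting user are not allowed: {extra}"
        )
    return [session.email]


def bypass_demo() -> dict:
    """Constructed scenario: user alice@example.test tries to mail a report to
    victim@example.test by relabelling creation_method in the request body."""
    session = Session(email="alice@example.test")
    honest = ReportRequest("weekly", "charts", ["victim@example.test"])
    tampered = ReportRequest("weekly", "alert", ["victim@example.test"])
    result = {
        "trusting_honest": validate_trusting_client(session, honest),
        "trusting_tampered": validate_trusting_client(session, tampered),
        "hardened_self": create_my_report(
            session, ReportRequest("weekly", "alert", ["alice@example.test"])
        ),
    }
    try:
        create_my_report(session, tampered)
        result["hardened_tampered"] = "accepted"
    except ForbiddenError:
        result["hardened_tampered"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in bypass_demo().items():
        print(f"{key}: {value}")
```

The point of the split is that create_my_report has no branch for the client to influence: the only input that decides the recipient is the session, so the permission granted to Gamma users on the dedicated endpoint cannot be widened by editing the JSON body.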