dosubot[bot] commented on issue #38884: URL: https://github.com/apache/superset/issues/38884#issuecomment-4135688298
This is a **known frontend/backend permission inconsistency**. The root cause is:

1. **Frontend allows modal access** - The ["Edit chart properties" menu item](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/explore/components/useExploreAdditionalActionsMenu/index.jsx#L305-L308) is shown based on whether the chart exists, without checking ownership.

2. **Backend enforces ownership** - The [`UpdateChartCommand`](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/commands/chart/update.py#L94-L103) correctly checks that only admins and chart owners can save changes, rejecting non-owners with a 403 Forbidden.

The Alpha role includes `can write on Chart` permission by default, which is enough to display the modal—but write permission alone doesn't grant the ability to overwrite another user's chart.

There's an [unmerged PR #32995](https://github.com/apache/superset/pull/32995) that documents this exact bug and proposes a fix. Interestingly, a proper pattern already exists elsewhere in the codebase: [`ExploreChartHeader` checks both `canOverwrite` and ownership](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/explore/components/ExploreChartHeader/index.jsx#L241-L244) before allowing chart title edits. This same pattern should be applied to the Properties modal.
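The mismatch the comment describes, as an added example (not Superset code): a toy model of the backend save rule (admins and owners only), the UI gate as the comment describes it (chart exists), and a gate following the `ExploreChartHeader` pattern (write permission plus ownership or admin), with a cross-check that lists every user/chart pair where the UI would offer an action the API rejects. User and chart records, role names and the `canWriteChart` flag are constructed for illustration and do not reflect Superset's data model.

```javascript
// Constructed sample data; ids, names and the canWriteChart flag are hypothetical.
const ADMIN_ROLE = "Admin";

const charts = [
  { id: 1, slice_name: "Sales by region", owners: [10] },
  { id: 2, slice_name: "Churn funnel", owners: [20, 21] },
];

const users = [
  { id: 1, name: "admin", roles: ["Admin"], canWriteChart: true },
  { id: 10, name: "alice", roles: ["Alpha"], canWriteChart: true }, // owns chart 1
  { id: 30, name: "bob", roles: ["Alpha"], canWriteChart: true }, // Alpha role, owns nothing
  { id: 40, name: "viewer", roles: ["Gamma"], canWriteChart: false },
];

// Backend rule as the comment describes UpdateChartCommand:
// only admins and chart owners may save changes.
function backendAllowsUpdate(user, chart) {
  const isAdmin = user.roles.includes(ADMIN_ROLE);
  const isOwner = chart.owners.includes(user.id);
  return isAdmin || isOwner;
}

// What the API would answer for a save attempt: 200 or 403 Forbidden.
function handleUpdate(user, chart) {
  return backendAllowsUpdate(user, chart) ? { status: 200 } : { status: 403 };
}

// UI gate as the comment describes the current menu item: shown whenever the chart exists.
function buggyShowEditProperties(user, chart) {
  return Boolean(chart);
}

// UI gate following the ExploreChartHeader pattern the comment cites:
// the write permission is necessary but not sufficient; ownership (or admin) is also required.
function fixedShowEditProperties(user, chart) {
  const canOverwrite = user.canWriteChart;
  return Boolean(chart) && canOverwrite && backendAllowsUpdate(user, chart);
}

// Cross-check a UI gate against the backend rule: every pair where the UI
// offers the action but the API would reject it is a frontend/backend inconsistency.
function findInconsistencies(gate) {
  const out = [];
  for (const user of users) {
    for (const chart of charts) {
      if (gate(user, chart) && handleUpdate(user, chart).status === 403) {
        out.push(`${user.name} -> chart ${chart.id}`);
      }
    }
  }
  return out;
}

console.log("buggy gate:", findInconsistencies(buggyShowEditProperties));
console.log("fixed gate:", findInconsistencies(fixedShowEditProperties));
```

The point of reusing `backendAllowsUpdate` inside the fixed gate is that the UI and the API then derive their answer from the same predicate, so the menu item cannot drift back into offering a save the server will refuse.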
