sha174n opened a new pull request, #39996:
URL: https://github.com/apache/superset/pull/39996

   ### SUMMARY
   
   `QueryDAO.stop_query()` previously looked up a query by `client_id` alone, without verifying that the query belongs to the requesting user. This allowed any authenticated user to cancel any other user's running query by providing its `client_id`.
   
   This PR adds a `user_id` filter to the query lookup so that only the owner of a query can cancel it. Requests from other users return a `QueryNotFoundException` (404).
   
   The `get_user_id` utility is already imported in the module; no new imports are needed.
   
   ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
   
   N/A — backend-only change.
   
   ### TESTING INSTRUCTIONS
   
   1. Run the unit tests:
      ```bash
      pytest tests/unit_tests/dao/queries_test.py -v
      ```
      All 7 tests should pass, including the new `test_query_dao_stop_query_wrong_user` case.
   
   2. Start a long-running query as user A, then attempt to cancel it via `DELETE /api/v1/query/stop` as user B — should return 404 instead of succeeding.
   
   ### ADDITIONAL INFORMATION
   
   - [ ] Has associated issue:
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
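
The ownership check this PR describes, as an added Python illustration that is not Superset's code and does not use its DAO or session classes: a minimal in-memory `FakeSession` stands in for the database, `stop_query_insecure` models the old lookup by `client_id` only, and `stop_query` models the fixed lookup scoped by `user_id`. All names (`Query`, `FakeSession`, `find_one`, `demo`) and the sample rows are hypothetical constructions for this example.

```python
# Added illustration (not Superset's code): an in-memory model of the
# ownership check described in this PR for QueryDAO.stop_query().
# Query, FakeSession, find_one and the sample rows are hypothetical.
from dataclasses import dataclass
from typing import Optional


class QueryNotFoundException(Exception):
    """Raised when no query matches the lookup; the API layer maps it to 404."""


@dataclass
class Query:
    client_id: str
    user_id: int
    status: str = "running"


class FakeSession:
    """Stand-in for a DB session: holds Query rows and supports filtered lookup."""

    def __init__(self, rows):
        self.rows = list(rows)

    def find_one(self, **filters) -> Optional[Query]:
        # Every keyword argument must match the row, like chained .filter() calls.
        for row in self.rows:
            if all(getattr(row, key) == value for key, value in filters.items()):
                return row
        return None


def stop_query_insecure(session: FakeSession, client_id: str) -> Query:
    """BEFORE: lookup by client_id only, so any authenticated caller can stop any query."""
    query = session.find_one(client_id=client_id)
    if query is None:
        raise QueryNotFoundException()
    query.status = "stopped"
    return query


def stop_query(session: FakeSession, client_id: str, user_id: int) -> Query:
    """AFTER: lookup scoped to the caller; a non-owner's request looks like a missing row."""
    query = session.find_one(client_id=client_id, user_id=user_id)
    if query is None:
        raise QueryNotFoundException()
    query.status = "stopped"
    return query


def make_session() -> FakeSession:
    # Constructed sample data: user 1 owns "q-alpha", user 2 owns "q-beta".
    return FakeSession([Query("q-alpha", 1), Query("q-beta", 2)])


def demo() -> dict:
    """Run both variants against the sample data and report what happened to q-alpha."""
    results = {}

    # Old behaviour: user 2 supplies user 1's client_id and the query is stopped.
    session = make_session()
    stop_query_insecure(session, "q-alpha")
    results["insecure_cross_user"] = session.find_one(client_id="q-alpha").status

    # Fixed behaviour: user 2 is refused (404) and the query keeps running.
    session = make_session()
    try:
        stop_query(session, "q-alpha", user_id=2)
        results["fixed_cross_user"] = "stopped"
    except QueryNotFoundException:
        results["fixed_cross_user"] = session.find_one(client_id="q-alpha").status

    # Fixed behaviour: the owner can still stop their own query.
    stop_query(session, "q-alpha", user_id=1)
    results["fixed_owner"] = session.find_one(client_id="q-alpha").status
    return results


if __name__ == "__main__":
    print(demo())
```

Returning the same "not found" error for a query owned by someone else as for a query that does not exist keeps the endpoint from confirming which `client_id` values are live, which is why the PR's 404 is the right response rather than a 403.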

