sha174n opened a new pull request, #39997:
URL: https://github.com/apache/superset/pull/39997
### SUMMARY
`UpdateChartCommand.validate()` contained an ownership check inside a
conditional that was skipped when the request payload consisted only of
`query_context` and `query_context_generation`. This allowed any authenticated
user to modify a chart's `query_context` field without being an owner or admin.
This PR moves `raise_for_ownership()` outside the `is_query_context_update`
conditional so ownership is always verified. The owner-list computation
(`compute_owners`) remains conditional because it has no meaning for
query-context-only updates.
Report workers updating `query_context` run with appropriate user context
and will continue to pass the ownership check.
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — backend-only change.
### TESTING INSTRUCTIONS
1. Run the new unit test:
```bash
pytest tests/unit_tests/commands/chart/update_test.py -v
```
2. As a non-owner, send a `PUT /api/v1/chart/{id}` request with body
`{"query_context": "{}", "query_context_generation": true}` — should now return
403 instead of 200.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
