sha174n opened a new pull request, #39998:
URL: https://github.com/apache/superset/pull/39998
### SUMMARY
`import_dataset()` in the V1 importer had an ownership gate that prevented
unauthorized overwrites of existing datasets, but lacked a call to
`security_manager.raise_for_access(datasource=dataset)` after the dataset was
created or updated.
Without this check, a user with `can_write` on the Dataset resource could
import a YAML bundle that creates or overwrites a dataset pointing to a
database/schema they do not have access to under the normal access rules.
This PR adds `raise_for_access(datasource=dataset)` after the dataset is
persisted, mirroring the pattern used by `UpdateDatasetCommand`. The check is
skipped when `ignore_permissions=True` (used by admin bulk-import flows).
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — backend-only change.
### TESTING INSTRUCTIONS
1. Run the unit tests:
```bash
pytest tests/unit_tests/datasets/commands/importers/v1/import_test.py -v
```
All 17 tests should pass, including the new
`test_import_dataset_access_check`.
2. Attempt to import a dataset YAML for a table in a schema the importing
user does not have access to (e.g., a Gamma user importing a dataset on a
restricted database) — should return a 422 error.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
