bito-code-review[bot] commented on PR #39997:
URL: https://github.com/apache/superset/pull/39997#issuecomment-4415525689
<!-- Bito Reply -->
The flagged logic error is correct. The PR change enforces ownership checks
for all chart updates, including query-context-only updates. This breaks report
executions because they run as the report owner (who may not be a chart owner),
causing 403 errors when trying to save query context via the API.
To resolve, keep ownership enforcement for owner-list updates but allow
query-context updates without ownership checks, as they are needed for report
workers. This maintains security for end-user API calls while fixing the report
flow.
Here's the concise fix: revert the ownership check to only apply when not
performing a query-context update.
**superset/commands/chart/update.py**
```
def validate(self) -> None: # noqa: C901
if not self._model:
raise ChartNotFoundError()
if not is_query_context_update(self._properties):
try:
security_manager.raise_for_ownership(self._model)
except SupersetSecurityException as ex:
raise ChartForbiddenError() from ex
owners = self.compute_owners(
self._model.owners,
owner_ids,
)
self._properties["owners"] = owners
except ValidationError as ex:
exceptions.append(ex)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
