bito-code-review[bot] commented on PR #40026:
URL: https://github.com/apache/superset/pull/40026#issuecomment-4422042264
<!-- Bito Reply -->
The flagged issue is correct: the authorization check only applies when the
resource ID is an EmbeddedDashboard UUID, bypassing checks for legacy dashboard
IDs. This allows users with can_grant_guest_token to mint tokens for
inaccessible dashboards via IDs. To resolve, modify the loop to resolve the
Dashboard object using dual-path logic: try as UUID for EmbeddedDashboard, else
as ID for Dashboard, then always check can_access_dashboard. Add an integration
test for 403 on unauthorized dashboard ID access.
**superset/security/api.py**
```
# Verify requesting user has access to each specified resource
for resource in body["resources"]:
if resource["type"] ==
GuestTokenResourceType.DASHBOARD.value:
from uuid import UUID
from superset.models.dashboard import Dashboard
from superset.models.embedded_dashboard import
EmbeddedDashboard # noqa: PLC0415
try:
uuid_obj = UUID(resource["id"])
embedded = (
db.session.query(EmbeddedDashboard)
.filter_by(uuid=str(uuid_obj))
.one_or_none()
)
if embedded:
dashboard = embedded.dashboard
else:
raise ForbiddenError()
except ValueError:
dashboard = (
db.session.query(Dashboard)
.filter_by(id=int(resource["id"]))
.one_or_none()
)
if not dashboard:
raise ForbiddenError()
if not
self.appbuilder.sm.can_access_dashboard(dashboard):
raise ForbiddenError()
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
