sha174n commented on code in PR #39303:
URL: https://github.com/apache/superset/pull/39303#discussion_r3293219368


##########
superset/views/datasource/views.py:
##########
@@ -223,6 +224,25 @@ def samples(self) -> FlaskResponse:
                 dashboard,
             ):
                 return json_error_response(_("Forbidden"), status=403)
+        else:
+            # Pre-fetch and access-check only for table-type datasources.
+            # Non-table types (query, saved_query) use a different access 
model;
+            # passing them to raise_for_access(datasource=...) would check the
+            # wrong attributes. Let get_samples() handle the lookup for those 
types.
+            if params["datasource_type"] == DatasourceType.TABLE:
+                try:
+                    dataset = DatasourceDAO.get_datasource(
+                        params["datasource_type"],
+                        params["datasource_id"],
+                    )
+                except (DatasourceNotFound, DatasourceTypeNotSupportedError):
+                    return self.response_404()
+                try:
+                    security_manager.raise_for_access(datasource=dataset)
+                except SupersetSecurityException:
+                    return json_error_response(_("Forbidden"), status=403)
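Review bot: the new `else` branch pre-checks access only when `params["datasource_type"] == DatasourceType.TABLE`, and the comment says non-table types (query, saved_query) are left for `get_samples()` to "handle the lookup", which describes a lookup, not an authorization check; say explicitly, in the comment or the PR description, where the access check for those types happens, otherwise a reader of this hunk cannot tell whether they reach `get_samples()` unchecked. As shown, the comparison is against the enum member `DatasourceType.TABLE`; if `params["datasource_type"]` carries the raw string from the request that branch is never taken, which the follow-up comment says was fixed with `DatasourceType.TABLE.value`, so this hunk predates that change. Minor: `DatasourceDAO.get_datasource(params["datasource_type"], params["datasource_id"])` passes both arguments positionally; keyword arguments guard against argument-order mistakes, which the author notes was done in bc4c3e020d.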

Review Comment:
   Addressed in bc4c3e020d — now uses keyword arguments for 
`DatasourceDAO.get_datasource(...)`. The string/enum comparison was previously 
addressed by using `DatasourceType.TABLE.value`.



##########
superset/views/users/api.py:
##########
@@ -169,9 +169,11 @@ class UserRestApi(BaseSupersetApi):
 
     resource_name = "user"
     openapi_spec_tag = "User"
+    allow_browser_login = True
     openapi_spec_component_schemas = (UserResponseSchema,)
 
     @expose("/<int:user_id>/avatar.png", methods=("GET",))
+    @protect()
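Review bot: `allow_browser_login = True` is a class-level attribute, so it turns on session-cookie authentication for every route on `UserRestApi`, not only the `GET` avatar route that `@protect()` now guards; add a one-line comment next to the attribute recording that it exists so `<img>` tags can load `/<int:user_id>/avatar.png` with the browser session, so that anyone adding a state-changing method to this class later knows it will also be reachable with the session cookie and needs CSRF handling rather than discovering that from the PR description.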

Review Comment:
   Documented in the PR description. `UserRestApi` currently only exposes the 
avatar route; `allow_browser_login` is a class-level FAB attribute (no 
per-endpoint scoping) and is required so `<img>` tags can authenticate via the 
browser session.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

