Re: [PR] fix: apply dashboard access check in related_objects endpoints [superset]

Sat, 23 May 2026 15:06:36 -0700 


bito-code-review[bot] commented on code in PR #40333:
URL: https://github.com/apache/superset/pull/40333#discussion_r3293544159


##########
superset/commands/tag/create.py:
##########
@@ -60,9 +60,27 @@ def validate(self) -> None:
             exceptions.append(
                 TagCreateFailedError(f"invalid object type 
{self._object_type}")
             )
+
+        # Validate user has access to the target object
+        if object_type:
+            self._validate_object_access(object_type, self._object_id, 
exceptions)
+
         if exceptions:
             raise TagInvalidError(exceptions=exceptions)
 
+    def _validate_object_access(
+        self, object_type: ObjectType, object_id: int, exceptions: list[Any]
+    ) -> None:
+        """Validate that the current user has access to the target object."""
+        try:
+            target_object = to_object_model(object_type, object_id)
+            if target_object and hasattr(target_object, "raise_for_access"):

Review Comment:
   <!-- Bito Reply -->
   The suggestion addresses a critical security issue where the access check 
for chart objects is bypassed due to the use of `hasattr` to determine if 
`raise_for_access` is implemented. This allows unauthorized users to add or 
delete tags on chart objects. The proposed fix involves replacing the dynamic 
`hasattr` check with explicit permission checks using 
`security_manager.raise_for_access` for each object type, ensuring that 
unsupported or missing objects are treated as validation failures.
   
   **superset/commands/tag/create.py**
   ```
   +    def _validate_object_access(
   +        self, object_type: ObjectType, object_id: int, exceptions: list[Any]
   +    ) -> None:
   +        """Validate that the current user has access to the target 
object."""
   +        try:
   +            target_object = to_object_model(object_type, object_id)
   +            if target_object and hasattr(target_object, "raise_for_access"):
   +                target_object.raise_for_access()
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to