bito-code-review[bot] commented on code in PR #40329:
URL: https://github.com/apache/superset/pull/40329#discussion_r3319529593


##########
superset/commands/tag/create.py:
##########
@@ -60,9 +60,35 @@ def validate(self) -> None:
             exceptions.append(
                 TagCreateFailedError(f"invalid object type 
{self._object_type}")
             )
+
+        # Validate user has access to the target object
+        if object_type:
+            self._validate_object_access(object_type, self._object_id, 
exceptions)
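Review bot: `_validate_object_access` is only called here, not defined in what this hunk shows, so the review needs to confirm it appends to `exceptions` and returns rather than raising on the first denial. The surrounding code accumulates errors (`exceptions.append(TagCreateFailedError(...))` just above) and raises once at the end of `validate`; a helper that raises directly would short-circuit that and drop the other validation errors already collected. Guarding the call with `if object_type:` is correct, since the invalid-type branch has already recorded its own error and a second failure for the same request would be noise.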

Review Comment:
The suggestion highlights a security inconsistency between two code paths in the implementation. The bulk path uses `raise_for_ownership` (stricter, edit-level) with soft-skip semantics for partial bulk success, while the single-object path now dispatches per object type via `raise_for_object_access`. This change fixes a bypass issue where `hasattr(target, raise_for_access)` was silently False for charts and saved queries. The suggestion recommends applying the same `_validate_object_access` pattern to `CreateCustomTagWithRelationshipsCommand` (lines 93-146) for consistency in security enforcement. This is a valid and important suggestion to ensure uniform access validation across the codebase.
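The bypass the comment describes, a duck-typed `hasattr` check that silently skips objects without the hook, is easiest to see side by side with an explicit per-type dispatch that fails closed. The following is an added, constructed illustration and not Superset's code: `Dashboard`, `Chart`, `SavedQuery`, `User`, `AccessDenied`, the `_ACCESS_CHECKS` table and both `validate_via_*` functions are hypothetical stand-ins, and the `exceptions` list mirrors the accumulate-then-raise style of the hunk rather than raising on the first denial.

```python
"""Fail-open (hasattr) vs fail-closed (per-type dispatch) access validation.

Constructed example; every class and function here is hypothetical and only
models the pattern discussed in the review, not the real Superset objects.
"""
from dataclasses import dataclass
from enum import Enum


class ObjectType(Enum):
    DASHBOARD = "dashboard"
    CHART = "chart"
    QUERY = "query"


class AccessDenied(Exception):
    """Raised by an access check when the user may not touch the object."""


@dataclass
class User:
    name: str
    is_admin: bool = False


@dataclass
class Dashboard:
    id: int
    owners: set

    # Only this type exposes a raise_for_access hook (hypothetical).
    def raise_for_access(self, user: User) -> None:
        if not user.is_admin and user.name not in self.owners:
            raise AccessDenied(f"{user.name} may not access dashboard {self.id}")


@dataclass
class Chart:          # no raise_for_access method
    id: int
    owners: set


@dataclass
class SavedQuery:     # no raise_for_access method
    id: int
    owners: set


def raise_for_ownership(obj, user: User) -> None:
    """Edit-level ownership check usable for every object type."""
    if not user.is_admin and user.name not in obj.owners:
        raise AccessDenied(f"{user.name} does not own {type(obj).__name__} {obj.id}")


# --- before: duck-typed hook; objects without it get no check at all ---------
def validate_via_hasattr(target, user: User, exceptions: list) -> None:
    if hasattr(target, "raise_for_access"):
        try:
            target.raise_for_access(user)
        except AccessDenied as ex:
            exceptions.append(ex)
    # Chart and SavedQuery fall through silently: the check fails open.


# --- after: explicit dispatch per type; unregistered types are rejected ------
_ACCESS_CHECKS = {
    ObjectType.DASHBOARD: lambda obj, user: obj.raise_for_access(user),
    ObjectType.CHART: raise_for_ownership,
    ObjectType.QUERY: raise_for_ownership,
}


def raise_for_object_access(object_type, target, user: User) -> None:
    check = _ACCESS_CHECKS.get(object_type)
    if check is None:  # unknown type: deny rather than skip
        raise AccessDenied(f"no access check registered for {object_type!r}")
    check(target, user)


def validate_via_dispatch(object_type, target, user: User, exceptions: list) -> None:
    """Collects the denial instead of raising, like the hunk's validate()."""
    try:
        raise_for_object_access(object_type, target, user)
    except AccessDenied as ex:
        exceptions.append(ex)


# Constructed sample objects owned by "bob", checked for non-owner "alice".
ALICE = User("alice")
SAMPLE = {
    ObjectType.DASHBOARD: Dashboard(1, {"bob"}),
    ObjectType.CHART: Chart(2, {"bob"}),
    ObjectType.QUERY: SavedQuery(3, {"bob"}),
}


def denied_types(strategy: str) -> list:
    """Return the object types a strategy ('hasattr' or 'dispatch') denies ALICE."""
    denied = []
    for object_type, obj in SAMPLE.items():
        exceptions: list = []
        if strategy == "hasattr":
            validate_via_hasattr(obj, ALICE, exceptions)
        else:
            validate_via_dispatch(object_type, obj, ALICE, exceptions)
        if exceptions:
            denied.append(object_type.value)
    return denied


if __name__ == "__main__":
    print("hasattr :", denied_types("hasattr"))   # only the dashboard is denied
    print("dispatch:", denied_types("dispatch"))  # all three are denied
```

Running the module shows the gap directly: the `hasattr` strategy denies `alice` only the dashboard, while the dispatch table denies all three and also refuses any object type nobody registered a check for, which is the property the comment asks to be applied uniformly across both command classes.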



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

