sha174n commented on code in PR #40497:
URL: https://github.com/apache/superset/pull/40497#discussion_r3321464858
##########
superset/views/api.py:
##########
@@ -89,6 +90,14 @@ def query_form_data(self) -> FlaskResponse:
if slice_id := request.args.get("slice_id"):
slc = db.session.query(Slice).filter_by(id=slice_id).one_or_none()
if slc:
+ # Normalise unauthorised access to the same 404 the modern
+ # ChartRestApi.get returns, so callers cannot distinguish
+ # "chart does not exist" from "chart exists but is denied"
+ # by status code.
+ try:
+ security_manager.raise_for_access(chart=slc)
+ except SupersetSecurityException:
+ return self.json_response({}, 404)
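Review bot: the access-denied branch returns `self.json_response({}, 404)` from inside `if slc:`, but the branch for `slc` being `None` is not in this hunk, so the parity the comment promises (same status and body for "missing" and "denied") cannot be verified here and the two response sites can drift apart; suggest raising one not-found error from both branches and serializing it in a single place. The `except SupersetSecurityException:` also swallows the denial silently, so an authorization failure leaves no trace in the logs; log it at whatever level Superset uses for access denials before returning. Note too that the denied path still costs a DB round trip plus a permission check, so the two outcomes are equalized by status code only, not by response time.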
Review Comment:
Addressed in 003fbd6cfb: both branches (missing chart and access-denied) now
raise `ChartNotFoundError` and return 404, and an integration test pins the
non-existent slice_id case.
##########
superset/views/api.py:
##########
@@ -89,6 +90,14 @@ def query_form_data(self) -> FlaskResponse:
if slice_id := request.args.get("slice_id"):
slc = db.session.query(Slice).filter_by(id=slice_id).one_or_none()
if slc:
+ # Normalise unauthorised access to the same 404 the modern
+ # ChartRestApi.get returns, so callers cannot distinguish
+ # "chart does not exist" from "chart exists but is denied"
+ # by status code.
+ try:
+ security_manager.raise_for_access(chart=slc)
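Review bot: `security_manager.raise_for_access(chart=slc)` checks a Slice that was loaded by the unfiltered `db.session.query(Slice).filter_by(id=slice_id)` on the context line above, while the comment claims parity with `ChartRestApi.get`; that parity only holds if this chart-level check enforces the same visibility rule as the REST endpoint's filter (the reply below says that rule is dataset-scoped). Suggest fetching through the same DAO/filter the REST API uses and treating a filtered-out row as not found, so one rule governs both paths. Separately, `slice_id` comes straight from `request.args` as a string and reaches the query unvalidated; a non-integer value surfaces as a database error on backends that reject the cast, not as the 404 this hunk is trying to guarantee.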
Review Comment:
Addressed in 003fbd6cfb: the endpoint now goes through
`ChartDAO.get_by_id_or_uuid`, which applies the same `ChartFilter`
(dataset-scoped) as `ChartRestApi.get`, so chart owners without dataset
permission no longer bypass authorization.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
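As an added illustration of the two replies above (example code written for this page, not Superset's own): a minimal model of the leaky path, where a 403 for an existing-but-denied chart and a 404 for a missing one give a caller an existence oracle and an owner check lets a chart owner read a dataset they have lost access to, next to the normalized path, where a dataset-scoped filter is applied inside the lookup and both outcomes collapse into one not-found response. `Chart`, `Dataset`, `User`, `raise_for_access`, `chart_filter`, `get_by_id_or_uuid`, both handlers and the sample data are hypothetical stand-ins; the assumption that the chart-level check passes an owner regardless of dataset access models the bypass the second reply describes.

```python
from dataclasses import dataclass, field


class SecurityException(Exception):
    """Stand-in for the security manager's access-denied exception."""


class ChartNotFoundError(Exception):
    """Raised for both 'missing' and 'filtered out', so callers see one outcome."""


@dataclass(frozen=True)
class Dataset:
    id: int


@dataset_placeholder if False else dataclass(frozen=True)
class Chart:
    id: int
    owner: str
    dataset: Dataset


@dataclass
class User:
    name: str
    datasets: set = field(default_factory=set)  # dataset ids the user may read


# Constructed sample data (hypothetical, not from the project).
DS_SALES, DS_HR = Dataset(1), Dataset(2)
CHARTS = {
    10: Chart(10, owner="alice", dataset=DS_SALES),
    11: Chart(11, owner="alice", dataset=DS_HR),  # owned by alice, who lacks HR access
}


def raise_for_access(user: User, chart: Chart) -> None:
    """Chart-level check (assumed behaviour): owners pass even without dataset access."""
    if user.name == chart.owner or chart.dataset.id in user.datasets:
        return
    raise SecurityException(f"access denied to chart {chart.id}")


def chart_filter(user: User, chart: Chart) -> bool:
    """Dataset-scoped visibility: the chart exists for this user only if they can read its dataset."""
    return chart.dataset.id in user.datasets


def get_by_id_or_uuid(user: User, chart_id: int) -> Chart:
    """Lookup that applies the filter, so 'missing' and 'denied' are the same error."""
    chart = CHARTS.get(chart_id)
    if chart is None or not chart_filter(user, chart):
        raise ChartNotFoundError(chart_id)
    return chart


def leaky_handler(user: User, chart_id: int):
    """Before: 404 for missing, 403 for denied, and owners bypass the dataset rule."""
    chart = CHARTS.get(chart_id)
    if chart is None:
        return 404, {}
    try:
        raise_for_access(user, chart)
    except SecurityException:
        return 403, {"message": "Forbidden"}
    return 200, {"slice_id": chart.id}


def normalized_handler(user: User, chart_id: int):
    """After: one response for both failure modes, produced from a single raise site."""
    try:
        chart = get_by_id_or_uuid(user, chart_id)
    except ChartNotFoundError:
        return 404, {}
    return 200, {"slice_id": chart.id}


def existence_oracle(handler, user: User, known_missing: int, probe: int) -> bool:
    """True if an attacker can tell `probe` apart from an id that does not exist."""
    return handler(user, probe) != handler(user, known_missing)


if __name__ == "__main__":
    bob = User("bob", {DS_SALES.id})
    print("leaky oracle:", existence_oracle(leaky_handler, bob, 99, 11))            # True
    print("normalized oracle:", existence_oracle(normalized_handler, bob, 99, 11))  # False
```

The oracle check compares the full (status, body) tuple, which is what the review's "same 404" goal amounts to; it says nothing about response time, which still differs between a row that was never found and one that was fetched and then filtered out.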