sha174n commented on code in PR #40329:
URL: https://github.com/apache/superset/pull/40329#discussion_r3327502999


##########
superset/commands/tag/delete.py:
##########
@@ -85,6 +94,23 @@ def validate(self) -> None:
         if exceptions:
             raise TagInvalidError(exceptions=exceptions)
 
+    def _validate_object_access(
+        self, object_type: ObjectType, object_id: int, exceptions: list[Any]
+    ) -> None:
+        """Validate that the current user has access to the target object."""
+        try:
+            target_object = to_object_model(object_type, object_id)
+            if target_object is None:
+                # Object may have been deleted; allow tag cleanup
+                return
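Review bot: the `if target_object is None: return` branch at the top of `_validate_object_access` treats every `None` from `to_object_model` as "object already deleted", but `to_object_model` also returns `None` for an object type it has no model for, so an unsupported type passes access validation silently instead of being recorded in `exceptions`. Suggest checking that `object_type` is one of the supported types before the lookup and appending a validation error to `exceptions` when it is not, so that only a genuine not-found result falls through to the tag-cleanup path.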

Review Comment:
   Added a defensive guard so unsupported object types in the lookup map are treated as an access failure, not a silent cleanup pass. Pushed in 4fd6783c61.



##########
superset/commands/tag/utils.py:
##########
@@ -38,10 +38,49 @@ def to_object_type(object_type: Union[ObjectType, int, 
str]) -> Optional[ObjectT
 def to_object_model(
     object_type: ObjectType, object_id: int
 ) -> Optional[Union[Dashboard, SavedQuery, Slice]]:
-    if ObjectType.dashboard == object_type:
-        return DashboardDAO.find_by_id(object_id)
-    if ObjectType.query == object_type:
-        return SavedQueryDAO.find_by_id(object_id)
-    if ObjectType.chart == object_type:
-        return ChartDAO.find_by_id(object_id)
-    return None
+    """Load a model instance by type and id.
+
+    Uses db.session.get() instead of DAO.find_by_id() to avoid DAO base
+    filters that require request context. Authorization is enforced by the
+    caller via raise_for_object_access() on the returned object.
+    """
+    model_map: dict[ObjectType, type] = {
+        ObjectType.dashboard: Dashboard,
+        ObjectType.query: SavedQuery,
+        ObjectType.chart: Slice,
+    }
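Review bot: replacing `DAO.find_by_id()` with `db.session.get()` removes the DAO base filters for every caller of `to_object_model`, not only the delete command, so any existing caller that relied on those filters now gets back rows the current user may not be allowed to see. The docstring states that "Authorization is enforced by the caller via raise_for_object_access()"; suggest auditing the other call sites of `to_object_model` for that call, and extending `model_map` to cover every `ObjectType` member this function is expected to resolve (the reply below mentions dataset/`SqlaTable`), since a type missing from the map yields `None` and is indistinguishable from a deleted object.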

Review Comment:
   Added dataset (SqlaTable) to the object-type model map and dispatched access via security_manager.raise_for_access(datasource=...). Pushed in 4fd6783c61.


