bito-code-review[bot] commented on code in PR #40329:
URL: https://github.com/apache/superset/pull/40329#discussion_r3328148523
##########
superset/commands/tag/delete.py:
##########
@@ -85,6 +95,30 @@ def validate(self) -> None:
if exceptions:
raise TagInvalidError(exceptions=exceptions)
+ def _validate_object_access(
+ self, object_type: ObjectType, object_id: int, exceptions: list[Any]
+ ) -> None:
+ """Validate that the current user has access to the target object."""
+ if object_type not in OBJECT_TYPE_MODEL_MAP:
+ exceptions.append(
+ TaggedObjectDeleteFailedError(
+ f"Access denied for {object_type} {object_id}"
+ )
+ )
+ return
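Review bot: In `_validate_object_access`, the unmapped-type branch appends "Access denied for {object_type} {object_id}", so an unsupported object type is indistinguishable from a genuine permission failure when reading logs or writing tests. Failing closed here is the right default, but consider a distinct error or message for the unsupported-type case, and note in the docstring that the method appends to `exceptions` rather than raising. `exceptions: list[Any]` could also be typed more narrowly, since only validation errors are appended. The hunk as shown ends at this `return`, so the path the review comment below raises (a `None` result from `to_object_model` skipping the check) needs the same fail-closed handling, with a test covering datasets.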
Review Comment:
The suggestion in the inline thread is valid and important for security
consistency. The current implementation skips permission checks when
`to_object_model` returns `None`, which can lead to authorization bypasses for
datasets. The proposed fix adds a check to ensure access validation is applied
uniformly across all object types, including datasets. This improves security
by preventing unauthorized tag deletions.
**superset/commands/tag/delete.py**
```
def _validate_object_access(
    self, object_type: ObjectType, object_id: int, exceptions: list[Any]
) -> None:
    """Validate that the current user has access to the target object."""
    if object_type not in OBJECT_TYPE_MODEL_MAP:
        exceptions.append(
            TaggedObjectDeleteFailedError(
                f"Access denied for {object_type} {object_id}"
            )
        )
        return
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.