rusackas opened a new pull request, #40650: URL: https://github.com/apache/superset/pull/40650
### SUMMARY The `CreateRLSRuleCommand` and `UpdateRLSRuleCommand` validated that the referenced table IDs existed, but they did not verify that the caller is actually allowed to access those datasources. Any user able to reach the RLS REST API could therefore attach (or move) a row-level-security rule onto datasources they otherwise cannot see. This change hardens both commands so that, in `validate()`, every referenced table is run through `security_manager.can_access_datasource(datasource=table)`. If the caller lacks access to any referenced datasource, a `RLSDatasourceForbiddenError` is raised and the REST API maps it to a `403`. Notes: - Users with `all_datasource_access` (e.g. admins) still pass — that allowance is already handled inside the security manager check, so there is no special-casing in the command. - The existing "datasource does not exist" (`422`) behavior is unchanged; the access check runs only after existence is confirmed. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A (backend authorization change). ### TESTING INSTRUCTIONS - As a user who can reach the RLS API but lacks access to a given dataset, POST/PUT an RLS rule referencing that dataset → expect `403`. - As an admin (or a user with `all_datasource_access`), the same request still succeeds. - New unit tests: `pytest tests/unit_tests/commands/security/rls_test.py`. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Migration is atomic, supports rollback & is backwards-compatible - [ ] Confirm DB migration upgrade and downgrade tested - [ ] Runtime estimates and downtime expectations provided - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
