rusackas commented on code in PR #40648:
URL: https://github.com/apache/superset/pull/40648#discussion_r3385186587
##########
superset/commands/chart/update.py:
##########
@@ -126,6 +131,11 @@ def validate(self) -> None: # noqa: C901
raise ChartForbiddenError() from ex
except ValidationError as ex:
exceptions.append(ex)
+ else:
+ try:
+ security_manager.raise_for_access(chart=self._model)
+ except SupersetSecurityException as ex:
+ raise ChartForbiddenError() from ex
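Review bot: the new `else:` branch is the only authorization check on whatever path reaches it, and nothing at that spot says which condition routes a request there or why `raise_for_access` is the right gate for it. A short comment above `security_manager.raise_for_access(chart=self._model)` naming the case would make the intent reviewable and keep a later refactor from widening the branch by accident. The branch also raises `ChartForbiddenError` immediately, while the `except ValidationError` handler just above it appends to `exceptions`; if a forbidden result is meant to take precedence over collected validation errors, state that in the same comment.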
Review Comment:
Added a positive test after all:
`test_update_chart_query_context_non_owner_with_access_allowed` in
`tests/unit_tests/commands/chart/update_test.py`. It asserts that a non-owner
whose `raise_for_access` check passes (e.g. an alpha user with datasource
access, or a report worker) can complete the query_context-only backfill —
ownership is relaxed and the access gate permits it. This guards the Explore
lazy-backfill / report executor path against regression without needing the
integration-level datasource ACL setup.