Re: [PR] fix(rls): preserve tables/roles on partial RLS rule updates [superset]

Mon, 22 Jun 2026 17:09:31 -0700 


bito-code-review[bot] commented on PR #41294:
URL: https://github.com/apache/superset/pull/41294#issuecomment-4774285466

   <!-- Bito Reply -->
   The flagged security issue is correct. When performing a partial update that 
omits the `tables` field, the current implementation skips the datasource 
access check entirely, potentially allowing unauthorized modifications to RLS 
rules tied to restricted datasources. 
   
   To resolve this, you should ensure that even if `tables` is omitted from the 
request, the command validates the existing tables associated with the rule 
(`self._model.tables`) against the user's permissions. 
   
   Here is a concise fix for `superset/commands/security/update.py`:
   
   ```python
           if "tables" in self._properties:
               tables = (
                   db.session.query(SqlaTable)
                   .filter(SqlaTable.id.in_(self._tables))  # type: 
ignore[attr-defined]
                   .all()
               )
               if len(tables) != len(self._tables):
                   raise DatasourceNotFoundValidationError()
               raise_for_datasource_access(tables)
               self._properties["tables"] = tables
           else:
               # Always validate access to existing tables if not updating them
               raise_for_datasource_access(self._model.tables)
   ```
   
   There are no other comments in the provided PR review data to address.
   
   **superset/commands/security/update.py**
   ```
   if "tables" in self._properties:
               tables = (
                   db.session.query(SqlaTable)
                   .filter(SqlaTable.id.in_(self._tables))  # type: 
ignore[attr-defined]
                   .all()
               )
               if len(tables) != len(self._tables):
                   raise DatasourceNotFoundValidationError()
               raise_for_datasource_access(tables)
               self._properties["tables"] = tables
           else:
               # Always validate access to existing tables if not updating them
               raise_for_datasource_access(self._model.tables)
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to