willbarrett commented on a change in pull request #9046: [query] deprecate
can_only_access_owned_queries
URL:
https://github.com/apache/incubator-superset/pull/9046#discussion_r372656785
##########
File path: superset/views/core.py
##########
@@ -2597,7 +2597,7 @@ def search_queries(self) -> Response:
:returns: Response with list of sql query dicts
"""
query = db.session.query(Query)
- if security_manager.can_only_access_owned_queries():
+ if not security_manager.can_access_all_queries():
Review comment:
You could avoid the negated `if` by reversing the order of the conditions:
```python
if security_manager.can_access_all_queries():
search_user_id = request.args.get("user_id")
else:
search_user_id = g.user.get_user_id()
```
Additionally, I would recommend returning a 403 if the requestor asks for a
user ID other than their own but does not have permissions to see other users'
queries. Otherwise it would be possible for the end user to ask for a list of
another users' queries but get back a list of their own queries. This would be
an incorrect result.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
