hughhhh commented on pull request #11755: URL: https://github.com/apache/incubator-superset/pull/11755#issuecomment-740369544
> Hi @hughhhh Thanks for making this PR. I have a question: Is there any permission check when one user is overwriting an existing dataset? If not, I feel it is a very dangerous feature. It looks like anyone can overwrite my chart without my acknowledgement, even if they are not the owner.

On the dataset.update we check for the ownership on every request. We https://github.com/apache/incubator-superset/blob/master/superset/datasets/commands/update.py#L88

I'm also only exposing datasets the user owns via `getByUser` https://github.com/apache/incubator-superset/pull/11755/files#diff-4563e37b508d681c4d3470358bb89edf6a7f0577849e9f0c9dea92ee37fdd544R176

@graceguo-supercat
