etr2460 commented on a change in pull request #13859:
URL: https://github.com/apache/superset/pull/13859#discussion_r604537516
##########
File path: superset/viz.py
##########
@@ -2050,6 +2059,10 @@ def run_extra_queries(self) -> None:
qry["groupby"] = [col]
metric = flt.get("metric")
qry["metrics"] = [metric] if metric else []
+ QueryContext(
+ datasource={"id": self.datasource.id, "type":
self.datasource.type},
+ queries=[qry],
+ ).raise_for_access()
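Review bot: The added `QueryContext(...)` in `run_extra_queries` is built only to call `raise_for_access()` and is then discarded, and nothing in the hunk says why the check belongs at this point. Add a short comment stating that each filter query (`qry`) gets its own access check, and confirm the call runs before any result for `qry` is fetched or served, since it only guards what executes after it. If the same datasource dict `{"id": ..., "type": ...}` is assembled elsewhere in this file, a small helper would keep the two from drifting apart.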
Review comment:
`raise_for_access` is a public API though, and anyone with a custom
SecurityManager may overwrite it. In our case, we have metric-level permissions
in some databases, and without this check, the query goes through to the
database and fails there. Even worse, if the chart was already cached, we still
load it for the user without permission because we don't call
`raise_for_access` on it. Does that make sense?