From eb1fe876d768129483ef122d6794e31467c49fa8 Mon Sep 17 00:00:00 2001
From: Beto Dealmeida
Date: Fri, 13 Aug 2021 08:15:55 -0700
Subject: [PATCH] fix: skip perms on query context update
---
 superset/charts/commands/update.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/superset/charts/commands/update.py b/superset/charts/commands/update.py
index e5fe64384feb5..449c67da24ccd 100644
--- a/superset/charts/commands/update.py
+++ b/superset/charts/commands/update.py
@@ -42,6 +42,12 @@
 logger = logging.getLogger(__name__)
+def is_query_context_update(properties: Dict[str, Any]) -> bool:
+ return set(properties) == {"query_context", "query_context_generation"} and bool(
+ properties.get("query_context_generation")
+ )
+
+
+
 class UpdateChartCommand(UpdateMixin, BaseCommand):
 def __init__(self, user: User, model_id: int, data: Dict[str, Any]):
 self._actor = user
@@ -77,11 +83,14 @@ def validate(self) -> None:
 self._model = ChartDAO.find_by_id(self._model_id)
 if not self._model:
 raise ChartNotFoundError()
- # Check ownership
- try:
- check_ownership(self._model)
- except SupersetSecurityException:
- raise ChartForbiddenError()
+
+ # Check ownership; when only updating query context we ignore
+ # ownership so the update can be performed by report workers
+ if not is_query_context_update(self._properties):
+ try:
+ check_ownership(self._model)
+ except SupersetSecurityException:
+ raise ChartForbiddenError()
 # Validate/Populate datasource
 if datasource_id is not None:
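Review bot: `is_query_context_update` decides from the payload keys alone, so the ownership exemption it gates in the `validate` hunk is selected by the shape of the request, not by who is making it. The comment in `validate` says the exemption exists for report workers, yet nothing in the predicate looks at the actor, although `self._actor` is stored in `__init__`. If report workers run under an identifiable account, the exemption should be tied to that identity. Otherwise, confirm that the permission guarding the update endpoint (not visible in this patch) is meant to let any such caller replace the stored query context of a chart they do not own. At minimum the function needs a docstring marking it as a security decision, for example `"""Return True when the payload only refreshes the stored query context; callers skip the ownership check in that case."""`.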
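Review bot: The branch that skips `check_ownership` in `validate` leaves no trace, so a query-context write by a non-owner cannot be told apart afterwards from an owner's edit. The module already defines `logger`, so an `else:` branch could record the skipped check with the chart id, e.g. `logger.info("Ownership check skipped for query context update on chart %s", self._model_id)`. That gives reviewers of stored query contexts something to correlate against report runs. `validate` starts before this hunk and continues past it, so any later checks that assume ownership was already enforced are not visible here and should be re-read with this exemption in mind.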