Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: skip perms on query context update #16250

Merged
merged 1 commit into from
Aug 13, 2021
Merged

fix: skip perms on query context update #16250

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 14 additions & 5 deletions superset/charts/commands/update.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,12 @@
logger = logging.getLogger(__name__)


def is_query_context_update(properties: Dict[str, Any]) -> bool:
return set(properties) == {"query_context", "query_context_generation"} and bool(
properties.get("query_context_generation")
)


class UpdateChartCommand(UpdateMixin, BaseCommand):
def __init__(self, user: User, model_id: int, data: Dict[str, Any]):
self._actor = user
Expand Down Expand Up @@ -77,11 +83,14 @@ def validate(self) -> None:
self._model = ChartDAO.find_by_id(self._model_id)
if not self._model:
raise ChartNotFoundError()
# Check ownership
try:
check_ownership(self._model)
except SupersetSecurityException:
raise ChartForbiddenError()

# Check ownership; when only updating query context we ignore
# ownership so the update can be performed by report workers
if not is_query_context_update(self._properties):
try:
check_ownership(self._model)
except SupersetSecurityException:
raise ChartForbiddenError()

# Validate/Populate datasource
if datasource_id is not None:
Expand Down