fix: skip perms on query context update (apache#16250)
betodealmeida authored Aug 13, 2021

1 parent 6cd15d5 commit 2611681
Showing 1 changed file with 14 additions and 5 deletions.
19 changes: 14 additions & 5 deletions superset/charts/commands/update.py
@@ -42,6 +42,12 @@
logger = logging.getLogger(__name__)


def is_query_context_update(properties: Dict[str, Any]) -> bool:
return set(properties) == {"query_context", "query_context_generation"} and bool(
properties.get("query_context_generation")
)


class UpdateChartCommand(UpdateMixin, BaseCommand):
def __init__(self, user: User, model_id: int, data: Dict[str, Any]):
self._actor = user
@@ -77,11 +83,14 @@ def validate(self) -> None:
self._model = ChartDAO.find_by_id(self._model_id)
if not self._model:
raise ChartNotFoundError()
# Check ownership
try:
check_ownership(self._model)
except SupersetSecurityException:
raise ChartForbiddenError()

# Check ownership; when only updating query context we ignore
# ownership so the update can be performed by report workers
if not is_query_context_update(self._properties):
try:
check_ownership(self._model)
except SupersetSecurityException:
raise ChartForbiddenError()

# Validate/Populate datasource
if datasource_id is not None:
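Review bot: The ownership exemption in `validate` is decided purely by the shape of the request payload: `is_query_context_update(self._properties)` is true for any caller whose properties are exactly `query_context` plus a truthy `query_context_generation`, so nothing here limits the skip to report workers as the comment implies. Unless a layer outside this hunk restricts who may send that payload, a non-owner who can reach this command could overwrite the stored query context of a chart they do not own. I would tie the exemption to the actor (still require `check_ownership` unless `self._actor` is the identity the report workers run as) and leave an audit trail for every skip, e.g. `logger.info("ownership check skipped for query context update on chart %s", self._model_id)`. The helper should also carry a docstring that marks it as an authorization decision, e.g. `"""Return True when the payload only refreshes the stored query context; callers skip the ownership check in that case."""`. `validate` starts and ends outside the hunk, so any compensating checks further down are not visible here.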
