mirror of
https://github.com/apache/superset.git
synced 2026-04-19 16:14:52 +00:00
fix: skip perms on query context update (#16250)
This commit is contained in:
@@ -42,6 +42,12 @@ from superset.views.base import check_ownership
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def is_query_context_update(properties: Dict[str, Any]) -> bool:
|
||||
return set(properties) == {"query_context", "query_context_generation"} and bool(
|
||||
properties.get("query_context_generation")
|
||||
)
|
||||
|
||||
|
||||
class UpdateChartCommand(UpdateMixin, BaseCommand):
|
||||
def __init__(self, user: User, model_id: int, data: Dict[str, Any]):
|
||||
self._actor = user
|
||||
@@ -77,11 +83,14 @@ class UpdateChartCommand(UpdateMixin, BaseCommand):
|
||||
self._model = ChartDAO.find_by_id(self._model_id)
|
||||
if not self._model:
|
||||
raise ChartNotFoundError()
|
||||
# Check ownership
|
||||
try:
|
||||
check_ownership(self._model)
|
||||
except SupersetSecurityException:
|
||||
raise ChartForbiddenError()
|
||||
|
||||
# Check ownership; when only updating query context we ignore
|
||||
# ownership so the update can be performed by report workers
|
||||
if not is_query_context_update(self._properties):
|
||||
try:
|
||||
check_ownership(self._model)
|
||||
except SupersetSecurityException:
|
||||
raise ChartForbiddenError()
|
||||
|
||||
# Validate/Populate datasource
|
||||
if datasource_id is not None:
|
||||
|
||||
Reference in New Issue
Block a user