fix(chart): restrict owner lookup to users with write access (#39304)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Shaitan
2026-06-03 23:00:31 +01:00
committed by GitHub
parent 5ba60d51fd
commit 41572dbf9d
2 changed files with 17 additions and 0 deletions

View File

@@ -1026,6 +1026,15 @@ class ChartRestApi(BaseSupersetModelRestApi):
return self.response(200, result="OK")
def _pre_related_check(self, column_name: str) -> Optional[Response]:
"""Restrict the owners related field to users with write access."""
if (
column_name == "owners"
and not security_manager.can_access_all_datasources()
):
return self.response_403()
return None
@expose("/warm_up_cache", methods=("PUT",))
@protect()
@safe

View File

@@ -2436,3 +2436,11 @@ class TestChartApi(ApiOwnersTestCaseMixin, InsertChartMixin, SupersetTestCase):
security_manager.add_permission_role(alpha_role, write_tags_perm)
security_manager.add_permission_role(alpha_role, tag_charts_perm)
def test_related_owners_allowed_for_write_user(self):
"""
Chart API: GET /api/v1/chart/related/owners returns 200 for Admin.
"""
self.login(ADMIN_USERNAME)
rv = self.client.get("api/v1/chart/related/owners")
assert rv.status_code == 200