mirror of
https://github.com/apache/superset.git
synced 2026-07-16 11:46:09 +00:00
fix(chart): restrict owner lookup to users with write access (#39304)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1026,6 +1026,15 @@ class ChartRestApi(BaseSupersetModelRestApi):
|
||||
|
||||
return self.response(200, result="OK")
|
||||
|
||||
def _pre_related_check(self, column_name: str) -> Optional[Response]:
|
||||
"""Restrict the owners related field to users with write access."""
|
||||
if (
|
||||
column_name == "owners"
|
||||
and not security_manager.can_access_all_datasources()
|
||||
):
|
||||
return self.response_403()
|
||||
return None
|
||||
|
||||
@expose("/warm_up_cache", methods=("PUT",))
|
||||
@protect()
|
||||
@safe
|
||||
|
||||
@@ -2436,3 +2436,11 @@ class TestChartApi(ApiOwnersTestCaseMixin, InsertChartMixin, SupersetTestCase):
|
||||
|
||||
security_manager.add_permission_role(alpha_role, write_tags_perm)
|
||||
security_manager.add_permission_role(alpha_role, tag_charts_perm)
|
||||
|
||||
def test_related_owners_allowed_for_write_user(self):
|
||||
"""
|
||||
Chart API: GET /api/v1/chart/related/owners returns 200 for Admin.
|
||||
"""
|
||||
self.login(ADMIN_USERNAME)
|
||||
rv = self.client.get("api/v1/chart/related/owners")
|
||||
assert rv.status_code == 200
|
||||
|
||||
Reference in New Issue
Block a user