diff --git a/superset/charts/api.py b/superset/charts/api.py index e8f44f3239f..3534d6dfa52 100644 --- a/superset/charts/api.py +++ b/superset/charts/api.py @@ -1026,6 +1026,15 @@ class ChartRestApi(BaseSupersetModelRestApi): return self.response(200, result="OK") + def _pre_related_check(self, column_name: str) -> Optional[Response]: + """Restrict the owners related field to users with write access.""" + if ( + column_name == "owners" + and not security_manager.can_access_all_datasources() + ): + return self.response_403() + return None + @expose("/warm_up_cache", methods=("PUT",)) @protect() @safe diff --git a/tests/integration_tests/charts/api_tests.py b/tests/integration_tests/charts/api_tests.py index 47fc2712625..512b6f682c0 100644 --- a/tests/integration_tests/charts/api_tests.py +++ b/tests/integration_tests/charts/api_tests.py @@ -2436,3 +2436,11 @@ class TestChartApi(ApiOwnersTestCaseMixin, InsertChartMixin, SupersetTestCase): security_manager.add_permission_role(alpha_role, write_tags_perm) security_manager.add_permission_role(alpha_role, tag_charts_perm) + + def test_related_owners_allowed_for_write_user(self): + """ + Chart API: GET /api/v1/chart/related/owners returns 200 for Admin. + """ + self.login(ADMIN_USERNAME) + rv = self.client.get("api/v1/chart/related/owners") + assert rv.status_code == 200