From 41572dbf9dfd2f73f27f8aa8a22c58372359545f Mon Sep 17 00:00:00 2001 From: Shaitan <105581038+sha174n@users.noreply.github.com> Date: Wed, 3 Jun 2026 23:00:31 +0100 Subject: [PATCH] fix(chart): restrict owner lookup to users with write access (#39304) Co-authored-by: Claude Sonnet 4.6 --- superset/charts/api.py | 9 +++++++++ tests/integration_tests/charts/api_tests.py | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/superset/charts/api.py b/superset/charts/api.py index e8f44f3239f..3534d6dfa52 100644 --- a/superset/charts/api.py +++ b/superset/charts/api.py @@ -1026,6 +1026,15 @@ class ChartRestApi(BaseSupersetModelRestApi): return self.response(200, result="OK") + def _pre_related_check(self, column_name: str) -> Optional[Response]: + """Restrict the owners related field to users with write access.""" + if ( + column_name == "owners" + and not security_manager.can_access_all_datasources() + ): + return self.response_403() + return None + @expose("/warm_up_cache", methods=("PUT",)) @protect() @safe diff --git a/tests/integration_tests/charts/api_tests.py b/tests/integration_tests/charts/api_tests.py index 47fc2712625..512b6f682c0 100644 --- a/tests/integration_tests/charts/api_tests.py +++ b/tests/integration_tests/charts/api_tests.py @@ -2436,3 +2436,11 @@ class TestChartApi(ApiOwnersTestCaseMixin, InsertChartMixin, SupersetTestCase): security_manager.add_permission_role(alpha_role, write_tags_perm) security_manager.add_permission_role(alpha_role, tag_charts_perm) + + def test_related_owners_allowed_for_write_user(self): + """ + Chart API: GET /api/v1/chart/related/owners returns 200 for Admin. + """ + self.login(ADMIN_USERNAME) + rv = self.client.get("api/v1/chart/related/owners") + assert rv.status_code == 200