fix(sql-lab): apply access check in SqlExecutionResultsCommand (#38952)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-18 15:44:57 +00:00 · 2026-04-09 21:47:15 +01:00
parent c7955a38ef
commit f49310b8ff
2 changed files with 48 additions and 3 deletions
--- a/tests/integration_tests/sql_lab/commands_tests.py
+++ b/tests/integration_tests/sql_lab/commands_tests.py
@@ -37,6 +37,7 @@ from superset.models.sql_lab import Query
 from superset.sqllab.limiting_factor import LimitingFactor
 from superset.sqllab.schemas import EstimateQueryCostSchema
 from superset.utils import core as utils
+from superset.utils.core import override_user
 from superset.utils.database import get_example_database
 from tests.integration_tests.base_tests import SupersetTestCase

@@ -251,6 +252,7 @@ class TestSqlExecutionResultsCommand(SupersetTestCase):
    def create_database_and_query(self):
        with self.create_app().app_context():
            database = get_example_database()
+            admin = self.get_user("admin")
            query_obj = Query(
                client_id="test",
                database=database,
@@ -264,6 +266,7 @@ class TestSqlExecutionResultsCommand(SupersetTestCase):
                rows=104,
                error_message="none",
                results_key="abc_query",
+                user_id=admin.id,
            )

            db.session.add(query_obj)
@@ -344,6 +347,29 @@ class TestSqlExecutionResultsCommand(SupersetTestCase):
                == SupersetErrorType.RESULTS_BACKEND_ERROR
            )

+    @pytest.mark.usefixtures("create_database_and_query")
+    @patch("superset.commands.sql_lab.results.results_backend_use_msgpack", False)
+    def test_validation_unauthorized_access(self) -> None:
+        command = results.SqlExecutionResultsCommand("abc_query", 1000)
+
+        with mock.patch(
+            "superset.models.sql_lab.Query.raise_for_access",
+            side_effect=SupersetSecurityException(
+                SupersetError(
+                    "dummy",
+                    SupersetErrorType.DATASOURCE_SECURITY_ACCESS_ERROR,
+                    ErrorLevel.ERROR,
+                )
+            ),
+        ):
+            with pytest.raises(SupersetErrorException) as ex_info:
+                command.run()
+            assert (
+                ex_info.value.error.error_type
+                == SupersetErrorType.QUERY_SECURITY_ACCESS_ERROR
+            )
+            assert ex_info.value.status == 403
+
    @pytest.mark.usefixtures("create_database_and_query")
    @patch("superset.commands.sql_lab.results.results_backend_use_msgpack", False)
    def test_run_succeeds(self) -> None:
@@ -359,8 +385,11 @@ class TestSqlExecutionResultsCommand(SupersetTestCase):
        results.results_backend = mock.Mock()
        results.results_backend.get.return_value = compressed

-        command = results.SqlExecutionResultsCommand("abc_query", 1000)
-        result = command.run()
+        admin = self.get_user("admin")
+        with current_app.test_request_context():
+            with override_user(admin):
+                command = results.SqlExecutionResultsCommand("abc_query", 1000)
+                result = command.run()

        assert result.get("status") == "success"
        assert result["query"].get("rows") == 104