QT/superset2
1
0
Fork 0
mirror of https://github.com/apache/superset.git synced 2026-06-13 03:29:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3dbfbbdefa338d40407dbd7c94b3d199fb0529eb
superset2/superset/commands/security/delete.py
Evan Rusackas 004101a752 fix(rls): apply standard datasource access checks in RLS rule commands (#40650) 
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-09 11:24:12 -07:00

53 lines
2.1 KiB
Python
Raw Blame History

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import logging
from functools import partial
from superset.commands.base import BaseCommand
from superset.commands.security.exceptions import (
RLSRuleNotFoundError,
RuleDeleteFailedError,
)
from superset.commands.security.utils import raise_for_datasource_access
from superset.connectors.sqla.models import RowLevelSecurityFilter
from superset.daos.security import RLSDAO
from superset.utils.decorators import on_error, transaction
logger = logging.getLogger(__name__)
class DeleteRLSRuleCommand(BaseCommand):
def __init__(self, model_ids: list[int]):
self._model_ids = model_ids
self._models: list[RowLevelSecurityFilter] = []
@transaction(on_error=partial(on_error, reraise=RuleDeleteFailedError))
def run(self) -> None:
self.validate()
RLSDAO.delete(self._models)
def validate(self) -> None:
# Validate/populate model exists
self._models = RLSDAO.find_by_ids(self._model_ids)
if not self._models or len(self._models) != len(self._model_ids):
raise RLSRuleNotFoundError()
# Apply the same datasource access check as create/update: a caller may
# only delete a rule if they can access every datasource it references.
for rule in self._models:
raise_for_datasource_access(rule.tables)
Reference in New Issue View Git Blame Copy Permalink