
fix(query): restrict query cancellation to the query owner#39996

Merged
dpgaspar merged 1 commit into
apache:masterfrom
sha174n:fix/stop-query-ownership-check
May 15, 2026

Conversation

@sha174n
Contributor

@sha174n sha174n commented May 10, 2026

SUMMARY

QueryDAO.stop_query() previously looked up a query by client_id alone, without verifying that the query belongs to the requesting user. This allowed any authenticated user to cancel any other user's running query by providing its client_id.

This PR adds a user_id filter to the query lookup so that only the owner of a query can cancel it. Requests from other users return a QueryNotFoundException (404).

The get_user_id utility is already imported in the module; no new imports are needed.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend-only change.

TESTING INSTRUCTIONS

  1. Run the unit tests:

    pytest tests/unit_tests/dao/queries_test.py -v

    All 7 tests should pass, including the new test_query_dao_stop_query_wrong_user case.

  2. Start a long-running query as user A, then attempt to cancel it via DELETE /api/v1/query/stop as user B — should return 404 instead of succeeding.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

Add a user_id filter to QueryDAO.stop_query() so that a user can only
cancel their own queries. Previously, any authenticated user could cancel
any query by providing its client_id.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
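As an added illustration (not Superset's code), a self-contained sketch of the lookup before and after the fix described above: the in-memory store, the `cancel_as` wrapper standing in for the DELETE /api/v1/query/stop endpoint, and the sample query and user ids are constructed for this example.

```python
from dataclasses import dataclass, field


class QueryNotFoundException(Exception):
    """Raised when no query matches; the API layer maps this to HTTP 404."""


@dataclass
class Query:
    client_id: str
    user_id: int
    status: str = "running"


@dataclass
class QueryStore:
    """Constructed in-memory stand-in for the table of running queries."""
    queries: list[Query] = field(default_factory=list)

    def stop_query_unsafe(self, client_id: str) -> Query:
        """'Before': lookup by client_id alone, so any authenticated caller can cancel."""
        for q in self.queries:
            if q.client_id == client_id:
                q.status = "stopped"
                return q
        raise QueryNotFoundException(client_id)

    def stop_query(self, client_id: str, requesting_user_id: int) -> Query:
        """'After': the lookup also requires user_id == caller, so a non-owner gets
        the same QueryNotFoundException as a query that does not exist (no oracle)."""
        for q in self.queries:
            if q.client_id == client_id and q.user_id == requesting_user_id:
                q.status = "stopped"
                return q
        raise QueryNotFoundException(client_id)


def cancel_as(store: QueryStore, client_id: str, user_id: int, hardened: bool) -> str:
    """Stand-in for DELETE /api/v1/query/stop: returns 'stopped' or '404'."""
    try:
        store.stop_query(client_id, user_id) if hardened else store.stop_query_unsafe(client_id)
        return "stopped"
    except QueryNotFoundException:
        return "404"


def fresh_store() -> QueryStore:
    # Constructed sample data: user 1 owns query "q-abc"; user 2 is someone else.
    return QueryStore([Query(client_id="q-abc", user_id=1)])
```

With the unsafe lookup user 2 can stop user 1's query; with the owner filter the same request returns 404 and the query keeps running.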
@bito-code-review
Contributor

bito-code-review Bot commented May 10, 2026

Code Review Agent Run #3b02f4

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 3548d44..3548d44
    • superset/daos/query.py
    • tests/unit_tests/dao/queries_test.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful


@dosubot dosubot Bot added api Related to the REST API authentication:access-control Related to access control labels May 10, 2026
@codecov

codecov Bot commented May 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.83%. Comparing base (f67dd4a) to head (3548d44).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #39996   +/-   ##
=======================================
  Coverage   63.83%   63.83%           
=======================================
  Files        2589     2589           
  Lines      137821   137821           
  Branches    31928    31928           
=======================================
  Hits        87978    87978           
  Misses      48327    48327           
  Partials     1516     1516           
Flag       Coverage  Δ
hive       39.36%    <0.00%>    (ø)
mysql      59.01%    <100.00%>  (ø)
postgres   59.09%    <100.00%>  (ø)
presto     41.06%    <0.00%>    (ø)
python     60.53%    <100.00%>  (ø)
sqlite     58.73%    <100.00%>  (ø)
unit       100.00%   <ø>        (ø)


@dpgaspar dpgaspar merged commit ffa3241 into apache:master May 15, 2026
69 of 71 checks passed
sha174n added a commit to sha174n/superset that referenced this pull request May 15, 2026