fix: apply dashboard access check in related_objects endpoints #40333
sha174n wants to merge 11 commits into
Conversation
Add object access validation to both CreateCustomTagCommand and DeleteTaggedObjectCommand to prevent unauthorized tag operations on dashboards, charts, and queries that users don't have access to. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prevents authorization bypass where authenticated users could access dashboard metadata through dataset/database related_objects endpoints even when those dashboards are hidden by DASHBOARD_RBAC controls.

Fixes:
- superset/datasets/api.py: Filter dashboards before serialization
- superset/databases/api.py: Filter dashboards before serialization

Both endpoints now use security_manager.can_access_dashboard() to ensure only accessible dashboards are returned in related objects.

Reported-by: Mitchell Benjamin <mitchell@revampstudio.com.au>
Security-fix-for: CWE-863 Authorization bypass in related_objects
Codecov Report ❌ Patch coverage is
Additional details and impacted files

@@            Coverage Diff             @@
##           master   #40333      +/-   ##
==========================================
- Coverage   64.20%   64.19%   -0.02%
==========================================
  Files        2592     2592
  Lines      139232   139260      +28
  Branches    32327    32326       -1
==========================================
+ Hits        89389    89393       +4
- Misses      48308    48328      +20
- Partials     1535     1539       +4
Code Review Agent Run #a54e91

Actionable Suggestions - 3
- superset/databases/api.py - 1
  - CWE-200: Inconsistent Security Filtering · Line 1331-1336
- superset/commands/tag/create.py - 1
  - Missing dataset access check · Line 76-77
- superset/commands/tag/delete.py - 1
  - CWE-285: Missing dataset access check · Line 98-98

Additional Suggestions - 1
- superset/commands/tag/delete.py - 1
  - SEMANTIC_DUPLICATION: Identical method · Line 93-106. The `_validate_object_access` method is semantically duplicated in both `delete.py` (lines 93-106) and `create.py` (lines 71-82). Identical code in multiple locations creates maintenance divergence risk. Extract to a shared utility function.

Filtered by Review Rules
Bito filtered these suggestions based on rules created automatically for your feedback.
- superset/commands/tag/create.py - 1
  - Duplicated validation method · Line 71-82
Review Details
- Files reviewed - 4 · Commit Range: e08dc2e..16fa073
  - superset/commands/tag/create.py
  - superset/commands/tag/delete.py
  - superset/databases/api.py
  - superset/datasets/api.py
- Files skipped - 0
- Tools
  - Whispers (Secret Scanner) - ✔︎ Successful
  - Detect-secrets (Secret Scanner) - ✔︎ Successful
  - MyPy (Static Code Analysis) - ✔︎ Successful
  - Astral Ruff (Static Code Analysis) - ✔︎ Successful
…ts-dashboard-access-check
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Update chart filtering to use `can_access_chart()` per-object validation instead of generic permission checks, matching dashboard filtering pattern for consistent security enforcement across related objects. Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
…ts-dashboard-access-check
…d_objects Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
Skip base filter when resolving the target model so we can tell "object missing" from "user lacks access". When the object is gone, allow the tag operation to proceed (preserves prior behavior for orphan references) rather than rejecting with 422. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ects filters Tests calling CreateCustomTagCommand.run() directly need a Flask user context for the new raise_for_access() checks. Add self.login(ADMIN_USERNAME) in the affected tests. Also collapse the two-pass list comprehensions in databases/datasets related_objects endpoints and move security_manager import to module level in tag/delete.py for consistency with tag/create.py.
Security fix for authorization bypass in related_objects endpoints
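The two checks the commits above describe (per-object dashboard filtering in related_objects, and the tag-command lookup that skips the base filter so "object missing" and "user lacks access" stay distinct), as a self-contained Python model added here. This is not Superset's code: `FakeSecurityManager`, `Dashboard`, `STORE` and the role-based access rule are constructed stand-ins for `security_manager` and its models.

```python
# Added example for this page, not Superset's code: a self-contained model of
# the two checks the commits describe; all classes and data are constructed.
from dataclasses import dataclass

class SupersetSecurityException(Exception):
    """Stand-in for the exception Superset's raise_for_access() raises."""

@dataclass(frozen=True)
class Dashboard:
    id: int
    title: str
    roles: frozenset  # roles granted access under DASHBOARD_RBAC (assumption)

@dataclass(frozen=True)
class FakeSecurityManager:
    """Stand-in for security_manager: access = sharing a role with the dashboard."""
    user_roles: frozenset

    def can_access_dashboard(self, dashboard):
        return bool(self.user_roles & dashboard.roles)

    def raise_for_access(self, dashboard):
        if not self.can_access_dashboard(dashboard):
            raise SupersetSecurityException(f"dashboard {dashboard.id} not accessible")

def related_dashboards(dashboards, sm):
    """Fix 1: filter per object before serialization (related_objects endpoints)."""
    return [{"id": d.id, "title": d.title} for d in dashboards if sm.can_access_dashboard(d)]

def tag_target_allowed(dashboard_id, store, sm):
    """Fix 2: resolve the target WITHOUT the RBAC base filter. Missing -> proceed
    (orphan reference, prior behaviour); present but forbidden -> raise."""
    target = store.get(dashboard_id)
    if target is None:
        return True
    sm.raise_for_access(dashboard=target)
    return True

def tag_target_allowed_filtered(dashboard_id, store, sm):
    """The pitfall the commit avoids: through the filtered lookup a forbidden
    dashboard looks missing, so the orphan branch lets the operation through."""
    visible = {i: d for i, d in store.items() if sm.can_access_dashboard(d)}
    target = visible.get(dashboard_id)
    if target is None:
        return True  # reached for forbidden dashboards too
    sm.raise_for_access(dashboard=target)
    return True

STORE = {  # constructed sample data: one dashboard open to Gamma, one restricted
    1: Dashboard(1, "Sales overview", frozenset({"Gamma", "Finance"})),
    2: Dashboard(2, "Payroll (restricted)", frozenset({"Finance"})),
}
```

For a Gamma user, `related_dashboards` returns only dashboard 1, `tag_target_allowed` raises for dashboard 2 and proceeds for an unknown id, while `tag_target_allowed_filtered` proceeds for dashboard 2 as well, which is the bypass the base-filter skip prevents.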