fix(views): enforce per-chart access check in legacy form_data endpoint

[sha174n]

SUMMARY

The legacy Api.query_form_data (GET /api/v1/form_data/?slice_id=)
returned slc.form_data verbatim with only @has_access_api as the
gate, which is satisfied by any authenticated user (and by Public
role on deployments using PUBLIC_ROLE_LIKE). The sibling
Api.query() already validates via
query_context.raise_for_access(), and the modern ChartRestApi.get
returns 404 to callers without datasource_access. This brings
query_form_data to the same bar.

To avoid introducing a status-code-based existence oracle (where a
non-existent slice_id returns 200 + {} while a forbidden one
returns 403), the SupersetSecurityException is caught and
normalised to the same 404 ChartRestApi.get uses, so callers
cannot distinguish missing from forbidden.

BEFORE/AFTER SCREENSHOTS

N/A (server-side authorisation change).

TESTING INSTRUCTIONS

pytest tests/integration_tests/charts/api_tests.py -k query_form_data -v

The added test_query_form_data_no_data_access mirrors the canonical
test_get_chart_no_data_access pattern (Gamma user, "Girl Name Cloud"
chart, 404 assertion) and adds defence-in-depth body assertions so a
regression that returned a partial form_data dict inside an error
envelope is still caught.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration
• Introduces new feature or API
• Removes existing feature or API

[netlify]

✅ Deploy Preview for superset-docs-preview ready!

Name	Link
🔨 Latest commit	897061c
🔍 Latest deploy log	https://app.netlify.com/projects/superset-docs-preview/deploys/6a1bf9e937cadc000886e00f
😎 Deploy Preview	https://deploy-preview-40497--superset-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.96%. Comparing base (acc8024) to head (417a161).

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #40497      +/-   ##
==========================================
- Coverage   63.97%   63.96%   -0.02%     
==========================================
  Files        2654     2649       -5     
  Lines      142753   142416     -337     
  Branches    32833    32736      -97     
==========================================
- Hits        91325    91094     -231     
+ Misses      49870    49765     -105     
+ Partials     1558     1557       -1     

Flag	Coverage Δ
hive	39.72% <28.57%> (-0.01%)	⬇️
mysql	58.42% <100.00%> (+<0.01%)	⬆️
postgres	58.50% <100.00%> (+<0.01%)	⬆️
presto	41.34% <28.57%> (-0.01%)	⬇️
python	59.99% <100.00%> (+<0.01%)	⬆️
sqlite	58.16% <100.00%> (+<0.01%)	⬆️
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bito-code-review]

Code Review Agent Run #b8d346

Actionable Suggestions - 0

Review Details

• Files reviewed - 2 · Commit Range: 6fa17cd..6fa17cd

  • superset/views/api.py
  • tests/integration_tests/charts/api_tests.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

The pr_comments.csv file contains only 1 line of data (header) and no actual review comments. I cannot analyze or count any suggestions or comments without content to work with.

[bito-code-review]

Code Review Agent Run #77ec94

Actionable Suggestions - 0

Review Details

• Files reviewed - 2 · Commit Range: 6fa17cd..003fbd6

  • superset/views/api.py
  • tests/integration_tests/charts/api_tests.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by