fix: set default permissions for SqlLabPermalinkRestApi for sqllabrole

apache · Feb 17, 2025 · b341919 · b341919
1 parent e77d647
commit b341919
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/superset/queries/saved_queries/api.py b/superset/queries/saved_queries/api.py
@@ -17,10 +17,10 @@
 import logging
 from datetime import datetime
 from io import BytesIO
-from typing import Any, List, Tuple
+from typing import Any
 from zipfile import is_zipfile, ZipFile
 
-from flask import request, Response, send_file
+from flask import g, request, Response, send_file
 from flask_appbuilder.api import expose, protect, rison, safe
 from flask_appbuilder.models.sqla.interface import SQLAInterface
 from flask_babel import ngettext
@@ -44,6 +44,7 @@
 from superset.queries.saved_queries.filters import (
     SavedQueryAllTextFilter,
     SavedQueryFavoriteFilter,
+    SavedQueryFilter,
     SavedQueryTagIdFilter,
     SavedQueryTagNameFilter,
 )
@@ -80,7 +81,7 @@ class SavedQueryRestApi(BaseSupersetModelRestApi):
     resource_name = "saved_query"
     allow_browser_login = True
 
-    base_filters: List[Tuple[Any, ...]] = []
+    base_filters = [["id", SavedQueryFilter, lambda: []]]
 
     show_columns = [
         "changed_on",
@@ -190,10 +191,10 @@ class SavedQueryRestApi(BaseSupersetModelRestApi):
     allowed_distinct_fields = {"catalog", "schema"}
 
     def pre_add(self, item: SavedQuery) -> None:
-        pass
+        item.user = g.user
 
     def pre_update(self, item: SavedQuery) -> None:
-        pass
+        self.pre_add(item)
 
     @expose("/", methods=("DELETE",))
     @protect()

diff --git a/superset/queries/saved_queries/filters.py b/superset/queries/saved_queries/filters.py
@@ -16,6 +16,7 @@
 # under the License.
 from typing import Any
 
+from flask import g
 from flask_babel import lazy_gettext as _
 from flask_sqlalchemy import BaseQuery
 from sqlalchemy import or_
@@ -81,8 +82,10 @@ class SavedQueryTagIdFilter(BaseTagIdFilter):  # pylint: disable=too-few-public-
 class SavedQueryFilter(BaseFilter):  # pylint: disable=too-few-public-methods
     def apply(self, query: BaseQuery, value: Any) -> BaseQuery:
         """
-        Allow access to all saved queries.
+        Filter saved queries to only those created by current user.
 
         :returns: flask-sqlalchemy query
         """
-        return query
+        return query.filter(
+            SavedQuery.created_by == g.user  # pylint: disable=comparison-with-callable
+        )