Re: [PR] fix(security): bind SavedQueryView list permission to read permission [superset]

Tue, 12 Aug 2025 20:36:03 -0700 


codenamelxl commented on PR #32422:
URL: https://github.com/apache/superset/pull/32422#issuecomment-3182065268

   > Some concerns from our friend Claude. Thoughts?
   > 
   > **Breaking change**: This appears to be removing saved query access from 
Alpha and Gamma users, which could break existing workflows for these users who 
currently rely on this functionality.
   > 
   > **Inconsistency**: The code change adds a @permission_name("read") 
decorator, but the documentation changes remove read permissions from 
Alpha/Gamma roles. This seems contradictory.
   > 
   > **Missing context**: The PR doesn't include:
   > 
   > * A description explaining why these permissions are being removed
   > * Any migration plan for existing users
   > * Tests to verify the permission changes work correctly
   > * Discussion of the security implications
   > 
   > **Documentation accuracy**: If Alpha and Gamma users can no longer read 
saved queries, the general role descriptions at the top of the document may 
need updating, as they currently state Alpha users "have access to all data 
sources."
   
   Thanks for the comment
   
   - Alpha and Gamma roles do not have read/write permission on SavedQuery 
currently. So this is to correct the doc.
   - As mentioned in the migration 
[superset/migrations/versions/2020-11-20_14-24_e38177dbf641_security_converge_saved_queries.py](https://github.com/apache/superset/blob/master/superset/migrations/versions/2020-11-20_14-24_e38177dbf641_security_converge_saved_queries.py)
 , legacy SavedQuery permissions were simplified to only `read/write` 
permissions. But the `list` endpoint was not update to `read` but still `list` 
permission. This MR correct that.
   - There should be no migration needed as the permission has been already 
granted to the user, this change only correct the permission check to the 
correct one.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For additional commands, e-mail: notifications-h...@superset.apache.org

Reply via email to