fix: skip perms on query context update (#16250)

apache · Aug 13, 2021 · 2611681 · 2611681
1 parent 6cd15d5
commit 2611681
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/superset/charts/commands/update.py b/superset/charts/commands/update.py
@@ -42,6 +42,12 @@
 logger = logging.getLogger(__name__)
 
 
+def is_query_context_update(properties: Dict[str, Any]) -> bool:
+    return set(properties) == {"query_context", "query_context_generation"} and bool(
+        properties.get("query_context_generation")
+    )
+
+
 class UpdateChartCommand(UpdateMixin, BaseCommand):
     def __init__(self, user: User, model_id: int, data: Dict[str, Any]):
         self._actor = user
@@ -77,11 +83,14 @@ def validate(self) -> None:
         self._model = ChartDAO.find_by_id(self._model_id)
         if not self._model:
             raise ChartNotFoundError()
-        # Check ownership
-        try:
-            check_ownership(self._model)
-        except SupersetSecurityException:
-            raise ChartForbiddenError()
+
+        # Check ownership; when only updating query context we ignore
+        # ownership so the update can be performed by report workers
+        if not is_query_context_update(self._properties):
+            try:
+                check_ownership(self._model)
+            except SupersetSecurityException:
+                raise ChartForbiddenError()
 
         # Validate/Populate datasource
         if datasource_id is not None: