Skip to content

fix(import): enforce write permission for objects created by legacy import paths#42205

Open
sha174n wants to merge 4 commits into
apache:masterfrom
sha174n:fix/legacy-import-write-permission
Open

fix(import): enforce write permission for objects created by legacy import paths#42205
sha174n wants to merge 4 commits into
apache:masterfrom
sha174n:fix/legacy-import-write-permission

Conversation

@sha174n

@sha174n sha174n commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

SUMMARY

The unversioned ("v0") dashboard and dataset import paths create or update nested objects without checking that the caller may write those object types:

  • the legacy dashboard import upserts the datasets embedded in the export, and
  • the legacy dataset import upserts the database connections embedded in the export,

relying only on the top-level import permission.

This aligns those paths with the versioned (v1) import commands by requiring the nested object type's own write permission before creating or updating it: dataset write permission for the datasets embedded in a dashboard export, and database write permission for the database connections embedded in a dataset export. The check is only enforced when a request user is present, so the command-line import paths (which run without a request user) keep working unchanged.

TESTING INSTRUCTIONS

pytest tests/unit_tests/dashboards/commands/importers/v0/import_test.py \
       tests/unit_tests/datasets/commands/importers/v0/import_test.py

They cover: a user without the relevant write permission is refused and the nested upsert is not called; a permitted user proceeds; and the no-request-user (CLI) path skips the check and proceeds.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
  • Introduces new feature or API
  • Removes existing feature or API

…mport paths

The unversioned (v0) dashboard and dataset import paths create or update
nested objects without checking that the caller may write those object
types. The legacy dashboard import upserts the embedded datasets, and the
legacy dataset import upserts the embedded database connections, in both
cases relying only on the top-level import permission.

Align these paths with the versioned (v1) import commands by requiring the
nested object type's own write permission before creating or updating it:
dataset write permission for the datasets embedded in a dashboard export,
and database write permission for the database connections embedded in a
dataset export. The check is only enforced when a request user is present,
so the command-line import paths (which run without a request user) keep
working unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sha174n
sha174n marked this pull request as ready for review July 18, 2026 18:26
@dosubot dosubot Bot added authentication:access-control Rlated to access control dashboard:import Related to importing dashboards data:dataset Related to dataset configurations labels Jul 18, 2026
@codecov

codecov Bot commented Jul 18, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 69.23077% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.18%. Comparing base (751f5eb) to head (06dcfe1).
⚠️ Report is 2 commits behind head on master.

Files with missing lines Patch % Lines
superset/commands/dashboard/importers/v0.py 60.00% 1 Missing and 1 partial ⚠️
superset/commands/dataset/importers/v0.py 75.00% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #42205      +/-   ##
==========================================
- Coverage   65.19%   65.18%   -0.01%     
==========================================
  Files        2767     2767              
  Lines      156062   156064       +2     
  Branches    35717    35716       -1     
==========================================
- Hits       101741   101735       -6     
- Misses      52361    52366       +5     
- Partials     1960     1963       +3     
Flag Coverage Δ
hive 38.61% <46.15%> (+<0.01%) ⬆️
mysql 57.86% <69.23%> (-0.01%) ⬇️
postgres 57.92% <69.23%> (-0.01%) ⬇️
presto 40.54% <46.15%> (+<0.01%) ⬆️
python 59.32% <69.23%> (-0.01%) ⬇️
sqlite 57.53% <69.23%> (-0.01%) ⬇️
unit 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@bito-code-review bito-code-review Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #708587

Actionable Suggestions - 1
  • superset/commands/dataset/importers/v0.py - 1
Review Details
  • Files reviewed - 6 · Commit Range: 872c07c..96547ef
    • superset/commands/dashboard/importers/v0.py
    • superset/commands/dataset/importers/v0.py
    • tests/unit_tests/dashboards/commands/importers/v0/__init__.py
    • tests/unit_tests/dashboards/commands/importers/v0/import_test.py
    • tests/unit_tests/datasets/commands/importers/v0/__init__.py
    • tests/unit_tests/datasets/commands/importers/v0/import_test.py
  • Files skipped - 0
  • Tools
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment on lines +227 to +228
raise ImportFailedError(
"User doesn't have permission to create or update databases"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wrong exception for permission error

Permission denial returns HTTP 500 via ImportFailedError instead of 403. The related dashboard import at v0.py:320 uses the same wrong exception type, but correct patterns exist in database/importers/v1/utils.py:56 which use contextually appropriate exceptions. Use ForbiddenError (status=403) since this is an authorization failure, not an import failure.

Code Review Run #708587


Should Bito avoid suggestions like this for future reviews? (Manage Rules)

  • Yes, avoid them

@rusackas
rusackas self-requested a review July 18, 2026 22:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

authentication:access-control Rlated to access control dashboard:import Related to importing dashboards data:dataset Related to dataset configurations size/L

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant