Skip to content

test(security): prove Drill By access does not require can_explore (#27900)#41967

Open
rusackas wants to merge 1 commit into
masterfrom
tdd/issue-27900-drill-permission
Open

test(security): prove Drill By access does not require can_explore (#27900)#41967
rusackas wants to merge 1 commit into
masterfrom
tdd/issue-27900-drill-permission

Conversation

@rusackas

Copy link
Copy Markdown
Member

SUMMARY

Test-only PR for #27900 ("Cannot use drill-by/drill-to without can explore on Superset permission").

The issue reports that Drill By / Drill to Detail appears to require the broad can explore on Superset permission, which also grants the ability to view the underlying query and edit charts. This PR adds regression coverage that pins the actual backend behavior of the Drill By access gate.

superset/explore/utils.py::check_access is the access check invoked by CreateFormDataCommand when the client stores drill form_data through ExploreFormDataRestApi — the endpoint issue commenters specifically identified as required "for drill-by". The new tests assert:

  • test_drill_by_access_without_can_explore — with can read on Chart granted and can explore on Superset explicitly denied, access is still granted. Drill By does not require can explore.
  • test_drill_by_access_can_explore_is_not_the_gate — with only can explore on Superset granted (and can read on Chart denied, not owner/admin), access is refused. can explore is neither necessary nor sufficient; the granular chart-read permission is the real gate.

No production code is changed.

How to interpret CI

  • Green (expected on current master): the backend Drill By gate is already decoupled from can explore — access is governed by the granular can read on Chart permission. This documents/guards the current contract and matches recent maintainer reports that drilling works with granular permissions (can drill on Dashboard, can samples on Datasource, can write on ExploreFormDataRestApi) and no can explore.
  • Red: the gate would still be coupled to can explore, meaning the reported bug is live at the backend layer.

Note: this covers the backend permission path. Any residual can explore coupling in the frontend menu/UI (e.g. the "Edit chart" affordance inside the drill modal) is out of scope for this backend test.

TESTING INSTRUCTIONS

pytest tests/unit_tests/explore/utils_test.py::test_drill_by_access_without_can_explore \
       tests/unit_tests/explore/utils_test.py::test_drill_by_access_can_explore_is_not_the_gate -v

ADDITIONAL INFORMATION

🤖 Generated with Claude Code

…27900)

Add regression coverage for the Drill By backend access gate
(superset/explore/utils.py::check_access, invoked by CreateFormDataCommand
via ExploreFormDataRestApi) asserting that the granular "can read on Chart"
permission is what governs access, and that the broad "can explore on
Superset" permission is neither required nor sufficient.

Closes #27900

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dosubot dosubot Bot added authentication:RBAC Related to RBAC dashboard:drill-by explore Namespace | Anything related to Explore labels Jul 11, 2026
@bito-code-review

bito-code-review Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Code Review Agent Run #4e3eff

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: 42ee658..42ee658
    • tests/unit_tests/explore/utils_test.py
  • Files skipped - 0
  • Tools
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.77%. Comparing base (df209ce) to head (42ee658).

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #41967      +/-   ##
==========================================
- Coverage   64.77%   64.77%   -0.01%     
==========================================
  Files        2742     2742              
  Lines      153316   153316              
  Branches    35143    35143              
==========================================
- Hits        99311    99304       -7     
- Misses      52107    52111       +4     
- Partials     1898     1901       +3     
Flag Coverage Δ
hive 39.07% <ø> (ø)
mysql 57.98% <ø> (ø)
postgres 58.04% <ø> (-0.01%) ⬇️
presto 41.06% <ø> (ø)
python 59.42% <ø> (-0.01%) ⬇️
sqlite 57.65% <ø> (ø)
unit 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@rusackas rusackas requested a review from rebenitez1802 July 12, 2026 00:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

authentication:RBAC Related to RBAC dashboard:drill-by explore Namespace | Anything related to Explore size/M

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Cannot use drill-by/drill-to without can explore on Superset permission

2 participants