test(security): prove Drill By access does not require can_explore (#27900)#41967
test(security): prove Drill By access does not require can_explore (#27900)#41967rusackas wants to merge 1 commit into
Conversation
…27900) Add regression coverage for the Drill By backend access gate (superset/explore/utils.py::check_access, invoked by CreateFormDataCommand via ExploreFormDataRestApi) asserting that the granular "can read on Chart" permission is what governs access, and that the broad "can explore on Superset" permission is neither required nor sufficient. Closes #27900 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Code Review Agent Run #4e3effActionable Suggestions - 0Review Details
Bito Usage GuideCommands Type the following command in the pull request comment and save the comment.
Refer to the documentation for additional commands. Configuration This repository uses Documentation & Help |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #41967 +/- ##
==========================================
- Coverage 64.77% 64.77% -0.01%
==========================================
Files 2742 2742
Lines 153316 153316
Branches 35143 35143
==========================================
- Hits 99311 99304 -7
- Misses 52107 52111 +4
- Partials 1898 1901 +3
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
SUMMARY
Test-only PR for #27900 ("Cannot use drill-by/drill-to without
can exploreon Superset permission").The issue reports that Drill By / Drill to Detail appears to require the broad
can explore on Supersetpermission, which also grants the ability to view the underlying query and edit charts. This PR adds regression coverage that pins the actual backend behavior of the Drill By access gate.superset/explore/utils.py::check_accessis the access check invoked byCreateFormDataCommandwhen the client stores drillform_datathroughExploreFormDataRestApi— the endpoint issue commenters specifically identified as required "for drill-by". The new tests assert:test_drill_by_access_without_can_explore— withcan read on Chartgranted andcan explore on Supersetexplicitly denied, access is still granted. Drill By does not requirecan explore.test_drill_by_access_can_explore_is_not_the_gate— with onlycan explore on Supersetgranted (andcan read on Chartdenied, not owner/admin), access is refused.can exploreis neither necessary nor sufficient; the granular chart-read permission is the real gate.No production code is changed.
How to interpret CI
can explore— access is governed by the granularcan read on Chartpermission. This documents/guards the current contract and matches recent maintainer reports that drilling works with granular permissions (can drill on Dashboard,can samples on Datasource,can write on ExploreFormDataRestApi) and nocan explore.can explore, meaning the reported bug is live at the backend layer.Note: this covers the backend permission path. Any residual
can explorecoupling in the frontend menu/UI (e.g. the "Edit chart" affordance inside the drill modal) is out of scope for this backend test.TESTING INSTRUCTIONS
pytest tests/unit_tests/explore/utils_test.py::test_drill_by_access_without_can_explore \ tests/unit_tests/explore/utils_test.py::test_drill_by_access_can_explore_is_not_the_gate -vADDITIONAL INFORMATION
🤖 Generated with Claude Code