Summary
SqlExecutionResultsCommand.validate() does not call raise_for_access() before returning results, making it inconsistent with its two sibling commands:
SqlResultExportCommand (export.py:72) — calls raise_for_access()StreamingSqlResultExportCommand (streaming_export_command.py:78) — calls raise_for_access()
Proposed fix
Add the same raise_for_access() check in SqlExecutionResultsCommand.validate() after the query is resolved, mirroring the pattern already established in the sibling commands.
try:
self._query.raise_for_access()
except SupersetSecurityException as ex:
raise SupersetErrorException(
SupersetError(
message=__("Cannot access the query"),
error_type=SupersetErrorType.QUERY_SECURITY_ACCESS_ERROR,
level=ErrorLevel.ERROR,
),
status=403,
) from ex
Summary
SqlExecutionResultsCommand.validate()does not callraise_for_access()before returning results, making it inconsistent with its two sibling commands:SqlResultExportCommand(export.py:72) — callsraise_for_access()StreamingSqlResultExportCommand(streaming_export_command.py:78) — callsraise_for_access()Proposed fix
Add the same
raise_for_access()check inSqlExecutionResultsCommand.validate()after the query is resolved, mirroring the pattern already established in the sibling commands.