
fix(dashboard): do not add importer as owner when overwriting existing dashboard #38615

Open
nitishagar wants to merge 1 commit into apache:master from nitishagar:fix-36244

Conversation


@nitishagar nitishagar commented Mar 13, 2026

User description

SUMMARY

When a user with can_write on Dashboard imports an existing dashboard (matching UUID), they were unconditionally added to the dashboard's owners list. This is a privilege escalation: User B could gain ownership of any dashboard they didn't originally own simply by importing it.

Root cause (superset/commands/dashboard/importers/v1/utils.py):

# Before (bug): always appends current user as owner
if (user := get_user()) and user not in dashboard.owners:
    dashboard.owners.append(user)

# After (fix): only for new dashboards
if not existing and (user := get_user()) and user not in dashboard.owners:
    dashboard.owners.append(user)

The variable existing is already in scope earlier in the same function (existing = db.session.query(Dashboard).filter_by(uuid=config["uuid"]).first()). Guarding on not existing restricts owner auto-assignment to brand-new dashboards only.

Fixes #36244

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend-only change.

TESTING INSTRUCTIONS

  1. Create Dashboard A owned by User A.
  2. Export Dashboard A as User A.
  3. Log in as User B (has can_write on Dashboard, but is not an owner of Dashboard A).
  4. Import the exported zip as User B with overwrite=True.
  5. Before fix: User B is now listed as an owner of Dashboard A. ❌
  6. After fix: User B is NOT added as an owner. ✅

Unit tests added:

  • test_import_existing_dashboard_does_not_add_importer_as_owner — proves the bug and verifies the fix
  • test_import_new_dashboard_adds_importer_as_owner — regression guard (new dashboards still get the importer as owner)

pytest tests/unit_tests/dashboards/commands/importers/v1/import_test.py -x -q

ADDITIONAL INFORMATION


CodeAnt-AI Description

Do not add importer as owner when overwriting existing dashboard

What Changed

  • When importing a dashboard that already exists (overwrite=True), the importing user is no longer added to the dashboard's owners list.
  • Importing a brand-new dashboard still adds the importer as an owner.
  • Added unit tests that verify existing dashboards keep their original owners and new dashboards assign the importer as owner.

Impact

✅ Prevents accidental escalation to dashboard owner during overwrite import
✅ Fewer unauthorized owner assignments when importing dashboards
✅ Clearer, more predictable import ownership behavior

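The owner-assignment guard and the PR's testing steps, as an added example that is not Superset's code: `session` is a plain dict keyed by dashboard UUID standing in for db.session, and `User` and `Dashboard` are stand-ins for the ORM models. The `fixed` flag switches between the pre-fix and post-fix condition so both behaviours can be replayed side by side.

```python
# Added example, not Superset's code: a minimal model of the importer's
# owner-assignment guard. `session` is a dict keyed by UUID standing in
# for db.session; User and Dashboard are stand-ins for the ORM models.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class User:
    username: str

@dataclass
class Dashboard:
    uuid: str
    title: str
    owners: List[User] = field(default_factory=list)

def import_dashboard(session: Dict[str, Dashboard], config: dict,
                     user: Optional[User], overwrite: bool, fixed: bool) -> Dashboard:
    """Apply one import; fixed=False reproduces the pre-fix owner logic."""
    existing = session.get(config["uuid"])
    if existing and not overwrite:
        return existing  # nothing updated, nobody gains ownership
    if existing:
        existing.title = config["title"]  # overwrite in place
        dashboard = existing
    else:
        dashboard = Dashboard(uuid=config["uuid"], title=config["title"])
        session[config["uuid"]] = dashboard
    # Before the fix: if user and user not in dashboard.owners
    # After the fix:  if not existing and user and user not in dashboard.owners
    if (not fixed or not existing) and user and user not in dashboard.owners:
        dashboard.owners.append(user)
    return dashboard

def owners_after_overwrite(fixed: bool) -> List[str]:
    """Replay the PR's steps: alice creates, bob re-imports with overwrite=True."""
    alice, bob = User("alice"), User("bob")
    session: Dict[str, Dashboard] = {}
    config = {"uuid": "constructed-uuid-1", "title": "Dashboard A"}  # constructed
    import_dashboard(session, config, alice, overwrite=False, fixed=fixed)
    reimported = import_dashboard(session, config, bob, overwrite=True, fixed=fixed)
    return [u.username for u in reimported.owners]

def owners_after_fresh_import(fixed: bool) -> List[str]:
    """Regression guard: a brand-new dashboard still gets the importer as owner."""
    session: Dict[str, Dashboard] = {}
    config = {"uuid": "constructed-uuid-2", "title": "Dashboard B"}  # constructed
    created = import_dashboard(session, config, User("bob"), overwrite=False, fixed=fixed)
    return [u.username for u in created.owners]
```

With `fixed=False` the overwrite import leaves bob in the owners list; with `fixed=True` only alice remains, while a fresh import still assigns the importer.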


bito-code-review bot commented Mar 13, 2026

Code Review Agent Run #70873f

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 45617c7..45617c7
    • superset/commands/dashboard/importers/v1/utils.py
    • tests/unit_tests/dashboards/commands/importers/v1/import_test.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset. You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito

@codeant-ai-for-open-source codeant-ai-for-open-source bot added the size:M This PR changes 30-99 lines, ignoring generated files label Mar 13, 2026
@dosubot dosubot bot added change:backend Requires changing the backend dashboard Namespace | Anything related to the Dashboard labels Mar 13, 2026
@codeant-ai-for-open-source

Sequence Diagram

This PR changes dashboard import behavior to prevent ownership escalation during overwrite. The importer is now added as an owner only when creating a new dashboard, not when updating an existing one by UUID.

sequenceDiagram
    participant User
    participant ImportService
    participant Database

    User->>ImportService: Import dashboard with overwrite option
    ImportService->>Database: Check dashboard by UUID
    Database-->>ImportService: Existing dashboard or none

    alt Existing dashboard found
        ImportService->>Database: Update existing dashboard
        ImportService-->>User: Return dashboard without adding importer to owners
    else No existing dashboard
        ImportService->>Database: Create new dashboard
        ImportService->>ImportService: Add importer to owners
        ImportService-->>User: Return new dashboard with importer as owner
    end

Generated by CodeAnt AI


codecov bot commented Mar 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.39%. Comparing base (4a9db24) to head (7f7447f).

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #38615      +/-   ##
==========================================
- Coverage   65.01%   64.39%   -0.62%     
==========================================
  Files        1817     2529     +712     
  Lines       72318   128953   +56635     
  Branches    23032    29719    +6687     
==========================================
+ Hits        47016    83042   +36026     
- Misses      25302    44466   +19164     
- Partials        0     1445    +1445     
Flag       Coverage Δ
hive       40.75%  <0.00%>    (?)
mysql      61.89%  <100.00%>  (?)
postgres   61.96%  <100.00%>  (?)
presto     40.77%  <0.00%>    (?)
python     63.58%  <100.00%>  (?)
sqlite     61.59%  <100.00%>  (?)
unit      100.00%  <ø>        (?)

Flags with carried forward coverage won't be shown. Click here to find out more.


…g dashboard

When a user imports a dashboard that already exists (same UUID), the importer
was unconditionally added as an owner even if they had no prior ownership.
This was a privilege escalation: any user with can_write on Dashboard could
gain ownership of any dashboard by importing it.

Fix: guard the owner-append with `not existing` so the importer is only added
as owner when creating a brand-new dashboard, not when overwriting one.

Closes apache#36244

bito-code-review bot commented Mar 13, 2026

Code Review Agent Run #7b8dc3

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 7f7447f..7f7447f
    • superset/commands/dashboard/importers/v1/utils.py
    • tests/unit_tests/dashboards/commands/importers/v1/import_test.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful



Labels

  • change:backend (Requires changing the backend)
  • dashboard (Namespace | Anything related to the Dashboard)
  • size/M
  • size:M (This PR changes 30-99 lines, ignoring generated files)


Development

Successfully merging this pull request may close these issues.

User importing a dashboard is incorrectly added as an owner, leading to unauthorized privilege escalation
