Bug description

When updating a dataset via the PUT /api/v1/dataset/<id> endpoint, the request does not validate SQL query access permissions. As a result, users can update an existing dataset with a SQL query referencing tables they are not authorized to access. The update request is accepted without any validation errors. Currently, SQL validation and permission checks are performed only during dataset creation (POST /api/v1/dataset/), but not during updates.

We encountered this issue in version 4.1.3, and after testing with the current master branch, we confirmed that the same problem still exists.

We previously contacted the team via email regarding this issue but did not receive a response. We also reported it via Slack. This is a critical security vulnerability for us, so we’re opening this issue here to formally track and discuss the problem.

Expected Behavior

The same access control logic implemented in the dataset creation endpoint using security_manager.raise_for_access() should also be applied to the update endpoint.

Steps to Reproduce

  1. Create a dataset that you have permission to query.
  2. Send a PUT /api/v1/dataset/<id> request with a new SQL query referencing a table you don’t have permission to access.
  3. Observe that the update succeeds without raising any access control errors.

Actual Behavior

The update request is accepted, and the dataset is updated even if the new SQL references unauthorized tables.

Proposed Solution

Apply the same access control logic from the create endpoint (security_manager.raise_for_access()) to the update endpoint. This will enforce SQL query validation during updates and align behavior between the two endpoints.
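To make the gap concrete, the following is an added illustration and not Superset's own code: a stub `StubSecurityManager.raise_for_access()` (a hypothetical stand-in for Superset's `security_manager`, with a deliberately naive FROM/JOIN table extractor) guards the create path, a `update_dataset_vulnerable()` mirrors the reported behaviour, and `update_dataset_fixed()` applies the same check to the update payload as the proposed solution describes. All names, the `schema.table` allow-list and the sample SQL are constructed for this example.

```python
import re
from dataclasses import dataclass


class SupersetSecurityException(Exception):
    """Stand-in for Superset's access-denied error (constructed for this example)."""


@dataclass
class StubSecurityManager:
    """Hypothetical security manager: allowed tables are 'schema.table' strings."""
    allowed_tables: set

    def referenced_tables(self, sql: str, default_schema: str) -> set:
        # Naive FROM/JOIN extraction; a real implementation uses a SQL parser.
        found = set()
        for match in re.finditer(r"\b(?:from|join)\s+([\w.]+)", sql, re.IGNORECASE):
            name = match.group(1).lower()
            found.add(name if "." in name else f"{default_schema.lower()}.{name}")
        return found

    def raise_for_access(self, sql: str, schema: str) -> None:
        # Deny if the SQL touches any table outside the caller's allow-list.
        denied = self.referenced_tables(sql, schema) - self.allowed_tables
        if denied:
            raise SupersetSecurityException(f"access denied to {sorted(denied)}")


@dataclass
class Dataset:
    id: int
    schema: str
    sql: str


def create_dataset(sm: StubSecurityManager, dataset_id: int, schema: str, sql: str) -> Dataset:
    # Create path: permission check runs before the dataset is persisted.
    sm.raise_for_access(sql=sql, schema=schema)
    return Dataset(dataset_id, schema, sql)


def update_dataset_vulnerable(sm: StubSecurityManager, dataset: Dataset, payload: dict) -> Dataset:
    # Mirrors the reported bug: new SQL is stored with no access check at all.
    if "sql" in payload:
        dataset.sql = payload["sql"]
    return dataset


def update_dataset_fixed(sm: StubSecurityManager, dataset: Dataset, payload: dict) -> Dataset:
    # Proposed fix: apply the same check as create whenever the payload carries SQL.
    if "sql" in payload:
        schema = payload.get("schema", dataset.schema)
        sm.raise_for_access(sql=payload["sql"], schema=schema)
        dataset.sql = payload["sql"]
    return dataset
```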

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.11

Node version

18 or greater

Browser

Chrome

Additional context

No response

Checklist

  • [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: ysinghc

I have a patch for this, will finish testing and push asap