From 8fab3dbff419165dbd55b197c6e9ed04fe227296 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Date: Mon, 5 Jun 2023 13:06:00 +0100
Subject: [PATCH] fix: db validate parameters permission (#24185)

---
 UPDATING.md           | 2 ++
 superset/constants.py | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/UPDATING.md b/UPDATING.md
index cd4cdf92e6d34..2112fe60d2bbc 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -23,6 +23,8 @@ This file documents any backwards-incompatible changes in Superset and
 assists people when migrating to a new version.
 
 ## Next
+
+- [24185](https://github.com/apache/superset/pull/24185): `/api/v1/database/test_connection` and `api/v1/database/validate_parameters` permissions changed from `can_read` to `can_write`. Only Admin user's have access.
 - [24256](https://github.com/apache/superset/pull/24256): `Flask-Login` session validation is now set to `strong` by default. Previous setting was `basic`.
 - [24232](https://github.com/apache/superset/pull/24232): Enables ENABLE_TEMPLATE_REMOVE_FILTERS, DRILL_TO_DETAIL, DASHBOARD_CROSS_FILTERS by default, marks VERSIONED_EXPORT and ENABLE_TEMPLATE_REMOVE_FILTERS as deprecated.
 - [23652](https://github.com/apache/superset/pull/23652): Enables GENERIC_CHART_AXES feature flag by default.
diff --git a/superset/constants.py b/superset/constants.py
index e4bad9f8aa728..063cd5f22e268 100644
--- a/superset/constants.py
+++ b/superset/constants.py
@@ -125,8 +125,8 @@ class RouteMethod:  # pylint: disable=too-few-public-methods
     "select_star": "read",
     "table_metadata": "read",
     "table_extra_metadata": "read",
-    "test_connection": "read",
-    "validate_parameters": "read",
+    "test_connection": "write",
+    "validate_parameters": "write",
     "favorite_status": "read",
     "add_favorite": "read",
     "remove_favorite": "read",