DashboardFilter and SliceFilter classes ignore database_access and schema_access #4737

Closed
3 tasks done
john-bodley opened this issue Apr 2, 2018 · 2 comments

john-bodley commented Apr 2, 2018

Make sure these boxes are checked before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if any
  • I have reproduced the issue with at least the latest released version of superset
  • I have checked the issue tracker for the same issue and I haven't found one similar

Superset version

0.23.0dev

Expected results

Per the embedded TODO comments DashboardFilter and SliceFilter filters should support roles which specify either database_access or schema_access.

Actual results

The SliceFilter and DashboardFilter classes ensure that the user only sees dashboards and slices which they're sanctioned to see per the security manager for the /slicemodelview/list and /dashboardmodelview/list endpoints respectively. Additionally the DashboardFilter class is used to filter which dashboards one may save a slice to.

Currently this logic works if one either has a role with all_datasource_access or where the role enumerates specific datasources, however roles which specify either a database_access or schema_access permission don't include the corresponding datasources and thus the filter evaluates to False when validating the slice permissions.

Note I'm uncertain how best to resolve this issue. Simply enumerating all the datasources for a given schema or database is extremely inefficient for validating whether a user is able to see a slice based on its permissions. @timifasubaa and @fabianmenges this may complicate the delegated access work.

Steps to reproduce

  1. Create a role which only includes either database_access or schema_access
  2. Create a user and assign them only said role.
  3. Create a slice and/or dashboard.
  4. Observe that neither the slice nor the dashboard is visible in the model view. Note however the entities are listed under the Created Content tab on the user's profile page.
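
The visibility gap reported above, as an added example that is not part of the original issue or of Superset's code: a simplified model of the list filter as described, next to a variant that derives the datasource, schema and database grants from each slice so that no datasource enumeration is needed. The `Slice` class, the function names, the view-menu string format and the sample roles are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Slice:
    """Constructed stand-in for a slice and the datasource behind it."""
    name: str
    database: str
    schema: str
    table: str

    # View-menu strings below are illustrative, not Superset's real format.
    def datasource_perm(self):
        return f"{self.database}.{self.schema}.{self.table}"

    def schema_perm(self):
        return f"{self.database}.{self.schema}"

    def database_perm(self):
        return self.database


def visible_as_reported(perms, slices):
    """Behaviour described in the issue: only all_datasource_access or
    explicitly enumerated datasources make a slice visible."""
    if ("all_datasource_access", "all_datasource_access") in perms:
        return [s.name for s in slices]
    return [s.name for s in slices
            if ("datasource_access", s.datasource_perm()) in perms]


def visible_with_hierarchy(perms, slices):
    """Also honour database_access and schema_access by deriving the three
    candidate grants from each slice, so nothing has to be enumerated."""
    if ("all_datasource_access", "all_datasource_access") in perms:
        return [s.name for s in slices]

    def allowed(s):
        return (("datasource_access", s.datasource_perm()) in perms
                or ("schema_access", s.schema_perm()) in perms
                or ("database_access", s.database_perm()) in perms)
    return [s.name for s in slices if allowed(s)]


# Constructed sample data: three slices and three single-grant roles.
SLICES = [
    Slice("revenue", "warehouse", "finance", "orders"),
    Slice("signups", "warehouse", "growth", "users"),
    Slice("errors", "logs", "app", "events"),
]
SCHEMA_ROLE = {("schema_access", "warehouse.finance")}
DATABASE_ROLE = {("database_access", "warehouse")}
ENUMERATED_ROLE = {("datasource_access", "logs.app.events")}
```

The per-slice check only compares strings derived from the slice's own datasource, so in a list view it could be expressed as a filter on stored columns rather than a lookup of every datasource in a schema or database.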

fabianmenges commented Apr 2, 2018

#4004 This has been working for us since December.

stale bot commented Apr 11, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.

@stale stale bot added the inactive Inactive for >= 30 days label Apr 11, 2019
@stale stale bot closed this as completed Apr 18, 2019