Datasource permissions are (largely) respected when attempting to run a query via SQL Lab, but once a query has been run and a dataset saved from that query, the user can then go to the explore view, edit the query within that dataset to access any desired tables, and build a table chart from that query in order to access the forbidden tables.
How to reproduce the bug
- Go to SQL Lab
- Run any query, save it as a virtual dataset
- Go to explore to start building a chart from that dataset
- Next to the chart source in the top left, click the three dots and then "Edit dataset"
- Click the lock to make changes
- Swap out the SQL for a query which should be forbidden to the user, e.g. select from a table which the current user does not have datasource permissions to access
- Save the dataset
- Select some dimensions and continue to create a table chart from the modified dataset
- See the contents of a table the user is forbidden to access
Expected results
The user should be forbidden from updating the query to something which they should not be permitted to run, according to their datasource access permissions and other relevant permissions.
Actual results
No such check happens and the user is able to view forbidden data.
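The expected behaviour above amounts to re-running the datasource authorisation on the dataset-update path, not only when SQL Lab executes a query. The following is an added illustration, not Superset's own code: it models a virtual dataset whose SQL can be edited, extracts the physical tables each new query references (schema-qualified, CTE names excluded) and refuses the update when any of them is outside the user's grants. The user names, table names and the `ALLOWED` grant table are hypothetical, and the table recogniser is a deliberately small regex one that fails closed on anything it cannot classify (quoted names with spaces, comma-separated FROM lists); a real implementation should reuse the same SQL parser and access check SQL Lab already applies.

```python
import re

# Constructed grant table (hypothetical users and tables): the schema.table
# names each user holds datasource access to.
ALLOWED = {
    "alice": {"public.sales", "public.regions"},
    "bob": {"public.sales"},
}

_TARGET = re.compile(r"\b(?:from|join)\s+(\S+)", re.IGNORECASE)
_CTE = re.compile(r"(?:\bwith|,)\s*([A-Za-z_]\w*)\s+as\s*\(", re.IGNORECASE)
_IDENT = re.compile(r"^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)?$")


class PermissionDenied(Exception):
    pass


def referenced_tables(sql, default_schema="public"):
    """Physical tables named after FROM/JOIN, lower-cased and schema-qualified.

    CTE names are dropped (their bodies are still scanned, so the tables a CTE
    reads from are counted). Anything that is not a plain or double-quoted
    identifier is rejected rather than silently skipped: an unrecognised
    reference must not turn into an empty table set, which would be allowed.
    """
    sql = re.sub(r"--[^\n]*", " ", sql)  # drop line comments
    ctes = {m.group(1).lower() for m in _CTE.finditer(sql)}
    tables = set()
    for m in _TARGET.finditer(sql):
        tok = m.group(1)
        if tok.startswith("("):
            continue  # derived table: its own FROM/JOIN clauses match separately
        if tok.endswith(","):
            raise PermissionDenied("comma-separated FROM list is not supported; denied")
        name = tok.rstrip(");").replace('"', "").replace("`", "").lower()
        if not _IDENT.match(name):
            raise PermissionDenied(f"unrecognised table reference {tok!r}; denied")
        if name in ctes:
            continue
        if "." not in name:
            name = f"{default_schema}.{name}"
        tables.add(name)
    return tables


def check_dataset_sql(user, sql):
    """The check the report says is missing on dataset edits.

    Returns the referenced tables when every one of them is granted to the
    user and raises PermissionDenied otherwise.
    """
    needed = referenced_tables(sql)
    denied = needed - ALLOWED.get(user, set())
    if denied:
        raise PermissionDenied(f"{user} lacks datasource access to {sorted(denied)}")
    return needed


def is_update_allowed(user, sql):
    try:
        check_dataset_sql(user, sql)
        return True
    except PermissionDenied:
        return False


class VirtualDataset:
    """A saved SQL Lab query; the SQL is authorised on creation and on update."""

    def __init__(self, owner, sql):
        check_dataset_sql(owner, sql)
        self.sql = sql

    def update_sql(self, user, new_sql):
        # Same check as at creation time; this is the edit path the report
        # shows being skipped.
        check_dataset_sql(user, new_sql)
        self.sql = new_sql
        return self.sql


if __name__ == "__main__":
    ds = VirtualDataset("bob", "select region, sum(amount) from sales group by region")
    print(is_update_allowed("bob", "select * from public.secret_payroll"))  # False
    print(is_update_allowed("bob", 'select * from "secret_payroll"'))  # False
    print(ds.update_sql("bob", "with t as (select * from sales) select * from t"))
```

The point of failing closed is that an access check built on table extraction is only as strong as the extractor: a quoted identifier, a comma join or any other construct the recogniser does not understand must be denied, otherwise the edit path lets the query through with no table ever having been authorised.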
Environment
(please complete the following information):
- browser type and version: N/A
- superset version: 2.1
- python version: python --version
- node.js version: N/A
- any feature flags active:
FEATURE_FLAGS = {
    "ENABLE_TEMPLATE_PROCESSING": True,
    "ENABLE_TEMPLATE_REMOVE_FILTERS": True,
    "DASHBOARD_RBAC": False,
    "ENABLE_REACT_CRUD_VIEWS": True,
    "DASHBOARD_NATIVE_FILTERS": True,
    "ROW_LEVEL_SECURITY": True,
    "PRESTO_EXPAND_DATA": True,
    "SQLLAB_BACKEND_PERSISTENCE": True,
    "GLOBAL_ASYNC_QUERIES": True,
    "DATAPANEL_CLOSED_BY_DEFAULT": True
}