fix: Native filter dashboard RBAC aware dataset permission #25029
Conversation
superset/security/manager.py
Outdated
| slc := self.get_session.query(Slice) | ||
| .filter(Slice.id == slice_id) | ||
| .one_or_none() | ||
| form_data.get("type") == "NATIVE_FILTER" |
There was a problem hiding this comment.
I think this needs a few extra validations here in order to grant access:
- We still need to check that the user has access to the dashboard (I'd suggest moving the
self.can_access_dashboard(dashboard_)check to be right afterand dashboard_.rolessince we want to check dashboard access whether it's via a chart or native filter - That the datasource is actually used as a native filter on the dashboard. We can probably borrow logic from @Vitor-Avila's PR here; performance shouldn't be a concern here since we only need to check one dashboard
There was a problem hiding this comment.
good catch, @jfrag1! I agree it's a valid check and with this improved version that we know the dashboardId shouldn't be too expensive.
There was a problem hiding this comment.
- Oops. Yeah I missed moving
self.can_access_dashboard(dashboard_)outside of theorblock. I've placed it at the end of the logic checks as it's likely the most expensive check. - That is an option. Note in theory we should be including the filter ID in the query-context to check for the specific filter rather than seeing if any filter matches.
|
thank you so much for working on this PR @john-bodley! 🙏 |
john-bodley
force-pushed
the
john-bodley--fix-dashboard-rbac-native-filters
branch
3 times, most recently
from
f15ee5d
to
10a7bc1
Compare
| @@ -94,6 +95,7 @@ export const getFormData = ({ | |||
| viz_type: filterType, | |||
| type, | |||
| dashboardId, | |||
| native_filter_id: id, | |||
There was a problem hiding this comment.
Calling this id seemed a tad terse. I'm not sure if this should be snake or camel case.
john-bodley
force-pushed
the
john-bodley--fix-dashboard-rbac-native-filters
branch
from
10a7bc1
to
ef763bf
Compare
john-bodley
added
the
v3.0
| slc := self.get_session.query(Slice) | ||
| .filter(Slice.id == slice_id) | ||
| .one_or_none() | ||
| ( |
There was a problem hiding this comment.
maybe @Vitor-Avila or @jfrag1 can help add if there's anything else we need to do for embedded with the below logic? Check for a guest user?
There was a problem hiding this comment.
Yes I will add logic for embedded in a separate PR
There was a problem hiding this comment.
@eschutho Black formats the code how it sees fit.
| [], | ||
| ) | ||
| for target in fltr.get("targets", []) | ||
| if native_filter_id == fltr.get("id") |
john-bodley
force-pushed
the
john-bodley--fix-dashboard-rbac-native-filters
branch
from
ef763bf
to
30a2d35
Compare
john-bodley
changed the title
| # Native filter. | ||
| form_data.get("type") == "NATIVE_FILTER" | ||
| and (native_filter_id := form_data.get("native_filter_id")) | ||
| and dashboard_.json_metadata |
There was a problem hiding this comment.
hey @john-bodley I just tested this branch locally and I still see the permission error -- it seems that dashboardId is still not included in the filter's payload data (despite #25025). Curious to know if you are facing a different behavior on your end.
There was a problem hiding this comment.
@Vitor-Avila just to confirm have you rebuilt the frontend assets? If the problem still persists would you mind sharing a URL—leveraging the example dataset—so I can further debug this issue?
There was a problem hiding this comment.
@john-bodley ohh that's true! I didn't have rebuilt the frontend assets 🤦 thanks for the heads up and I just confirmed it works properly after doing so. Filter box are showing an error, but I can take a look to implement a similar approach to fix it. Again apologies for the false alarm.
There was a problem hiding this comment.
Phew! I'm glad to hear that this was a false alarm. Thanks again for testing the change.
john-bodley
force-pushed
the
john-bodley--fix-dashboard-rbac-native-filters
branch
from
30a2d35
to
b843dc1
Compare
| mock_g.user = security_manager.find_user("gamma") | ||
| mock_is_owner.return_value = False | ||
| mock_can_access.return_value = False | ||
| mock_can_access_schema.return_value = False | ||
|
|
||
| for kwarg in ["query_context", "viz"]: | ||
| births.roles = [] | ||
| db.session.flush() |
There was a problem hiding this comment.
No need to flush these updates to the database transaction given the logic in the test is confined to the same Flask-SQLAlchemy session.
(cherry picked from commit 60889d2)
mistercrunch
added
🍒 3.0.1
🍒 3.0.2
🍒 3.0.3
🍒 3.0.4
🏷️ bot
SUMMARY
Somewhat related to #25008, this PR ensures that access is granted to a datasource (in the context of a dashboard native filter) when dashboard RBAC is enabled. Thanks to @michael-s-molina for #25025 which exposed the
dashboardIdin the client form data.BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
BEFORE
AFTER
TESTING INSTRUCTIONS
Added unit tests.
ADDITIONAL INFORMATION
cc: @jfrag1