
@luizotavio32
Contributor

@luizotavio32 luizotavio32 commented Dec 18, 2025

SUMMARY

Users with the Alpha role in Superset can interact with the edit and delete options for dashboards they do not own through the dashboard list. Although the action gets blocked later, users shouldn't be able to interact with these buttons.

With this Pull Request, edit and delete options will now be unavailable for dashboards where the user is not the owner.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

BEFORE:

Screen.Recording.2025-12-19.at.16.47.29.mov

AFTER:

Screen.Recording.2025-12-19.at.16.17.35.mov

TESTING INSTRUCTIONS

Try deleting or editing a non-owned dashboard with an Alpha role user.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@michael-s-molina

@luizotavio32 luizotavio32 changed the title Refactor: checks for user ownership and role before showing delete an… refactor: checks for user ownership and role before showing delete an… Dec 19, 2025
@luizotavio32 luizotavio32 changed the title refactor: checks for user ownership and role before showing delete an… refactor: prevent alpha role users to delete and edit non owning Dashboards Dec 19, 2025
@pull-request-size pull-request-size bot added size/L and removed size/S labels Dec 19, 2025
@luizotavio32 luizotavio32 marked this pull request as ready for review December 19, 2025 19:50
@dosubot dosubot bot added the dashboard:security:access Related to the security access of the Dashboard label Dec 19, 2025
@michael-s-molina michael-s-molina changed the title refactor: prevent alpha role users to delete and edit non owning Dashboards fix: prevent alpha role users to delete and edit non owning Dashboards Dec 22, 2025
@michael-s-molina
Member

@luizotavio32 Thanks for the PR. The description is misleading because even though the edit and delete options appear on the list, their actual execution is blocked later. Also, the fix should be to hide unavailable actions instead of adding a tooltip, as this is the pattern used in other places.

@luizotavio32
Contributor Author

@kasiazjc how should we output these options to the users? The Datasets page implements the same tooltip as shown in the AFTER video, blocking the edit button. @michael-s-molina is suggesting not showing the buttons at all for users that aren't the owner of the dashboard, like in the video below.

Screen.Recording.2025-12-22.at.10.58.06.mov

@sadpandajoe
Member

Superset uses Git pre-commit hooks courtesy of pre-commit. To install run the following:

pip3 install -r requirements/development.txt
pre-commit install

A series of checks will now run when you make a git commit.

Alternatively, it is possible to run pre-commit by running pre-commit manually:

pre-commit run --all-files


Labels

dashboard:security:access Related to the security access of the Dashboard size/L
