Users with collections "edit" permissions and no data access permissions can't edit question metadata #11719
Assignees
Labels
Administration/Permissions
Collection or Data permissions
.Backend
Priority:P2
Average run of the mill bug
.Reproduced
Issues reproduced in test (usually Cypress)
Type:Bug
Product defects
Projects
Milestone
Comments
tlrobinson
added
Type:Bug
nemanjaglumac
added a commit
that referenced
this issue
Mar 19, 2021
nemanjaglumac
added a commit
that referenced
this issue
Mar 19, 2021
|
You actually can edit the metadata right now as long as you don't pass in |
camsaul
added a commit
that referenced
this issue
Mar 31, 2021
camsaul
added a commit
that referenced
this issue
Apr 2, 2021
* Explicitly specify %throwable in Log4j logging pattern so the ex-data gets printed This tweaks means Exceptions get rendered for logging with .toString instead .getMessage. See https://github.com/clojure/tools.logging/tree/31073fe1fbb0533f3c775fa667de70809f24b127#log4j2 and https://logging.apache.org/log4j/2.x/manual/layouts.html#Patterns * Remove ad-hoc query perms check on save logic from metabase.models.card. We already do this in metabase.api.card, so in practice this is redundant code. * Better permissions exceptions when missing ad-hoc perms for creating/updating a Card * Fix #11719 * Return more info with most API exception responses * Add tests for #11719 and #14931 * Fix namespace lint errors * Fix error message grammar (thanks @jeff303)
|
Fixed by #15424 |
tsmacdonald
pushed a commit
that referenced
this issue
Apr 2, 2021
* Explicitly specify %throwable in Log4j logging pattern so the ex-data gets printed This tweaks means Exceptions get rendered for logging with .toString instead .getMessage. See https://github.com/clojure/tools.logging/tree/31073fe1fbb0533f3c775fa667de70809f24b127#log4j2 and https://logging.apache.org/log4j/2.x/manual/layouts.html#Patterns * Remove ad-hoc query perms check on save logic from metabase.models.card. We already do this in metabase.api.card, so in practice this is redundant code. * Better permissions exceptions when missing ad-hoc perms for creating/updating a Card * Fix #11719 * Return more info with most API exception responses * Add tests for #11719 and #14931 * Fix namespace lint errors * Fix error message grammar (thanks @jeff303)
This was referenced Jan 19, 2023
This was referenced Jan 27, 2023
This was referenced Feb 5, 2024
Closed
Merged
Open
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
A user with no "data access" permissions but "edit" collection permissions should be able to view and edit the question metadata (
name,description,collection_id, andarchived) but not the question definition (unless they are allowed to run the resulting ad-hoc question?). Currently they can view the question but not edit anything about the question.Logs
To Reproduce
Steps to reproduce the behavior:
nameordescription(via "Edit this question" entity menu),collection_id(via "Move" entity menu item), orarchived(via "Archive" entity menu item), but you will get a permissions error.Expected behavior
The user should be able to edit the question metadata, but not the question definition (because they have no data permissions)
Screenshots
If applicable, add screenshots to help explain your problem.
Information about your Metabase Installation:
You're on version v0.35.0-snapshot
Built on 2020-01-13
Hash: 2807015
Branch: master
Severity
P2?
The text was updated successfully, but these errors were encountered: