Revision History shows Revert button when user only has view-only permissions #13229

Closed
flamber opened this issue Sep 10, 2020 · 4 comments
Labels: Priority:P2, Querying/, .Reproduced, Type:Bug

flamber commented Sep 10, 2020

Describe the bug
The Revert button is shown even when the user doesn't have permissions to modify the question.

To Reproduce

  1. Create a question, save as "Q1" to "Our Analytics", make a modification and save again
  2. Admin > Permissions > Collections > set "Our Analytics" to view-only
  3. Admin > People > create new user "U1"
  4. Login as "U1" > Our Analytics > Q1 > click pencil-icon next to question title > View revision history > clicking Revert button will make the button show Revert failed:
    [screenshot]

Expected behavior
The Revert button shouldn't be shown when the user doesn't have permissions to modify the question.

Information about your Metabase Installation:
Metabase 0.36.4

mazameli commented Mar 18, 2021

Yikes, this feels higher than a P3 to me. This effectively means that someone without edit access can edit a dashboard, though in a limited way. I see now that they can't actually revert, and that they get an error.

mazameli added Priority:P2 (Average run of the mill bug) and removed Priority:P3 (Cosmetic bugs, minor bugs with a clear workaround) labels Mar 18, 2021

brunobergher commented

It's annoying indeed, but it seems to me that the action actually fails, right?

mazameli commented

Mea culpa — I'm guilty of not reading that carefully. I'm inclined to leave it as a P2, though — if I'm an admin and I log in as a more restricted user account to check things out and make sure people have the correct access and then I see this, maybe I get the mistaken impression that View-only users could revert things. Even if I click and see the failure, I still am not clear what Metabase's intention is here — are View-only users supposed to be able to revert, and would they be able to if the revert had not failed?

nemanjaglumac added a commit that referenced this issue Mar 19, 2021
nemanjaglumac added a commit that referenced this issue Mar 19, 2021
nemanjaglumac added the .Reproduced Issues reproduced in test (usually Cypress) label Mar 19, 2021
kulyk self-assigned this Apr 16, 2021
kulyk added a commit that referenced this issue Apr 16, 2021
kulyk added a commit that referenced this issue Apr 19, 2021
…missions (#15654)

* Fix dashboard edit action visibility

Hiding "Change title and description" from users with read-only access to dashboard

* Fix dashboard archive action visibility

Hiding "Archive" action from users with read-only permission to dashboard

* Enable #13229 repro test

* Test user with read permissions can't revert question history

* Fix user with read-only permissions sees revert buttons

kulyk commented Apr 27, 2021

Fixed by #15654
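
The mismatch discussed in this thread, as an added sketch that is not Metabase's code and not part of any comment above: the server rejects the revert for a view-only user while the UI still offers the button. All function names, the `canWrite` flag, the 403 status and the sample data are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Metabase's code.
// Constructed sample data: collection permission per user.
const PERMISSIONS = { admin: "write", U1: "read" };

// Server side: the authoritative check. A revert is a write to the question.
function serverRevert(user, question, revisionId) {
  if (PERMISSIONS[user] !== "write") return { status: 403, body: "Revert failed" };
  const rev = question.revisions.find((r) => r.id === revisionId);
  if (!rev) return { status: 404, body: "No such revision" };
  question.name = rev.name;
  return { status: 200, body: "Reverted" };
}

// What the server tells the client about the question for this user.
function fetchQuestion(user, question) {
  return { ...question, canWrite: PERMISSIONS[user] === "write" };
}

// Behaviour reported in the issue: the button is offered to everyone.
function revisionActionsReported(_questionView) {
  return ["revert"];
}

// Expected behaviour: offer the button only when the server allows writes.
function revisionActionsExpected(questionView) {
  return questionView.canWrite ? ["revert"] : [];
}

// Consistency check: list users who are shown an action the server rejects.
function findMismatches(renderActions) {
  const mismatches = [];
  for (const user of Object.keys(PERMISSIONS)) {
    // Fresh constructed question per user so one revert cannot affect the next.
    const question = { name: "Q1 (edited)", revisions: [{ id: 1, name: "Q1" }] };
    const view = fetchQuestion(user, question);
    for (const action of renderActions(view)) {
      const res = serverRevert(user, question, 1);
      if (res.status !== 200) mismatches.push({ user, action, status: res.status });
    }
  }
  return mismatches;
}

console.log(findMismatches(revisionActionsReported)); // U1 sees a button that fails
console.log(findMismatches(revisionActionsExpected)); // no mismatches
```

The server-side rejection is what actually protects the question; the client-side gate only keeps the UI from advertising an action the user cannot perform.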
