Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Databases with no permission are still shown as search results #22695

Closed
jeff303 opened this issue May 13, 2022 · 1 comment
Closed

Databases with no permission are still shown as search results #22695

jeff303 opened this issue May 13, 2022 · 1 comment
Assignees
@calherries
Labels
Administration/Permissions Collection or Data permissions .Backend Organization/Search Priority:P2 Average run of the mill bug .Regression Bugs that were previously fixed and/or bugs unintentionally shipped with new features. .Reproduced Issues reproduced in test (usually Cypress) Type:Bug Product defects
Milestone
0.44

Comments

@jeff303
Copy link
Contributor

jeff303 commented May 13, 2022

Describe the bug
Even if the user does not have access to a database, it is still shown in the search results from the main screen search widget.

Logs
N/A

To Reproduce
Steps to reproduce the behavior:

  1. Go to the home screen
  2. Search for a database that you known you don't have permission for
  3. Notice it in the results (screenshot 1)
  4. Click the result
  5. Notice the URL is like /browse/N-database-name
  6. Observe permission error is shown (screenshot 2)

Expected behavior
This database shouldn't be shown as a search result since there are no permissions for it

Screenshots

1-search_result

2-click_result

Information about your Metabase Installation:

You can get this information by going to Admin -> Troubleshooting.

  • Your browser and the version: Chrome 101.0.4951.54
  • Your operating system: OS X 12.3.1
  • Your databases: N/A
  • Metabase version: v1.41.7
  • Metabase hosting environment: self-hosted (I believe)
  • Metabase internal database: Unknown

Severity

Low - no permission escalation, but even names might be sensitive?

Additional context
@jeff303 jeff303 added .Needs Triage Type:Bug Product defects labels May 13, 2022
@flamber flamber added Priority:P2 Average run of the mill bug Administration/Permissions Collection or Data permissions .Backend Organization/Search .Regression Bugs that were previously fixed and/or bugs unintentionally shipped with new features. and removed .Needs Triage labels May 13, 2022
@flamber
Copy link
Contributor

flamber commented May 13, 2022
edited

Regression since 0.40.0 - 👋 @jeff303

@calherries calherries mentioned this issue Jul 4, 2022
Merged
@calherries calherries self-assigned this Jul 5, 2022
@flamber flamber closed this as completed Jul 7, 2022
@flamber flamber added this to the 0.44 milestone Jul 7, 2022
nemanjaglumac added a commit that referenced this issue Jul 7, 2022
@nemanjaglumac
Add repro for #22695
e9744e3
@nemanjaglumac nemanjaglumac mentioned this issue Jul 7, 2022
Merged
nemanjaglumac added a commit that referenced this issue Jul 7, 2022
@nemanjaglumac
Repro #22695: Databases with no permission are still shown as search …
4ca26ab 
…results (#23772)
@nemanjaglumac nemanjaglumac added the .Reproduced Issues reproduced in test (usually Cypress) label Jul 7, 2022
nemanjaglumac added a commit that referenced this issue Jul 8, 2022
@nemanjaglumac
Run repro #22695 only against EE version (#23782)
04feff0
This was referenced Dec 13, 2022
Merged
Closed
Merged
@deploysentinel deploysentinel bot mentioned this issue Dec 20, 2022
Merged
@deploysentinel deploysentinel bot mentioned this issue Jan 5, 2023
Merged
@deploysentinel deploysentinel bot mentioned this issue Feb 3, 2023
Merged
@deploysentinel deploysentinel bot mentioned this issue May 24, 2023
Merged
This was referenced Oct 27, 2023
Merged
Closed
This was referenced Jan 11, 2024
Merged
Merged
Merged
This was referenced Feb 5, 2024
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Closed
Merged
Merged
Merged
Merged
Merged
Merged
Open
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@calherries calherries

Labels
Administration/Permissions Collection or Data permissions .Backend Organization/Search Priority:P2 Average run of the mill bug .Regression Bugs that were previously fixed and/or bugs unintentionally shipped with new features. .Reproduced Issues reproduced in test (usually Cypress) Type:Bug Product defects
Projects
None yet
Milestone
0.44
Development

No branches or pull requests
4 participants
@flamber @jeff303 @nemanjaglumac @calherries