
A user able to access chart through explore URL, without access to underlying dataset #25472

Closed
2 tasks
gdevanla opened this issue Sep 30, 2023 · 2 comments

Comments

gdevanla commented Sep 30, 2023

How to reproduce the bug

  1. As an Admin user, create a chart on a dataset to which another non-admin user does not have access.
  2. Capture the slice_id of the chart.
  3. Log in as the non-admin user. Notice that in the 'Charts' list page, the newly created chart is not visible, since the dataset accessed by the chart is not visible to this non-admin user.
  4. Use the following URL with the captured slice_id: http://localhost:8088/explore/?slice_id=<slice_id>
  5. Notice that the chart gets rendered along with the data.

Expected results

The chart should not be rendered, since it clearly violates the permissions.

Actual results

The chart gets rendered along with the data, and the user is able to save the chart.

Environment

  • browser type and version: Chrome
  • superset version: 2.1.0
  • python version: 3.8x
  • any feature flags active: DASHBOARD_RBAC

Checklist

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • [x] I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Even in the latest code base, this line:

slc = db.session.query(Slice).filter_by(id=slice_id).one_or_none()

does not check any other permissions.
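The pattern the report describes is a lookup by primary key that never consults the caller's permissions, so anyone who can guess or capture an id gets the object. The following is an added illustration, not Superset's code and not the fix that was eventually merged: it models the bare lookup beside a guarded one that applies the same dataset check the chart list page applies. The `User`, `Slice` and `Dataset` types, the permission strings, the in-memory tables and the `find_slice_*` / `can_explore` helpers are all constructed for this example; how Superset itself wires the check into its security manager is not shown on this page.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Dataset:
    id: int
    perm: str            # permission string a role must hold to read this dataset


@dataclass(frozen=True)
class Slice:
    id: int
    slice_name: str
    datasource_id: int   # the Dataset the chart queries


@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool = False
    datasource_perms: frozenset = frozenset()


class Forbidden(Exception):
    """Raised when the caller can load the chart row but may not read its dataset."""


# Constructed in-memory tables standing in for the database rows (not real data).
DATASETS = {
    3: Dataset(3, "[examples].[birth_names](id:3)"),
    7: Dataset(7, "[hr].[salaries](id:7)"),
}
SLICES = {
    42: Slice(42, "Salary by department", 7),   # backed by a restricted dataset
    43: Slice(43, "Births per year", 3),
}


def can_access_datasource(user: User, ds: Dataset) -> bool:
    return user.is_admin or ds.perm in user.datasource_perms


def list_charts(user: User) -> list:
    """The chart list page: filtered by dataset access, so the reporter's
    non-admin user never sees slice 42 here."""
    return [s for s in SLICES.values()
            if can_access_datasource(user, DATASETS[s.datasource_id])]


def find_slice_unchecked(user: User, slice_id: int):
    """Vulnerable pattern: a bare primary-key lookup, analogous to
    query(Slice).filter_by(id=slice_id).one_or_none(), with no
    authorization step. Any user who knows the id gets the row."""
    return SLICES.get(slice_id)


def find_slice_checked(user: User, slice_id: int):
    """Hardened pattern: resolve the id, then enforce the same dataset
    permission the list page applies before handing the object back."""
    slc = SLICES.get(slice_id)
    if slc is None:
        return None
    ds = DATASETS.get(slc.datasource_id)
    if ds is None or not can_access_datasource(user, ds):
        raise Forbidden(f"user {user.username!r} may not read the dataset "
                        f"behind slice {slice_id}")
    return slc


def slice_id_from_explore_url(url: str):
    """Parse ?slice_id=<n> from an explore URL; None if absent or non-numeric."""
    values = parse_qs(urlsplit(url).query).get("slice_id", [])
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def can_explore(user: User, url: str) -> bool:
    """True only if the chart exists and the user may read its dataset.
    This is the decision the explore endpoint should make before rendering."""
    slice_id = slice_id_from_explore_url(url)
    if slice_id is None:
        return False
    try:
        return find_slice_checked(user, slice_id) is not None
    except Forbidden:
        return False
```

The useful property to check in a real deployment is that every entry point that resolves a `slice_id` (explore, chart data, export, save) goes through the guarded path, not only the list view; the list view hiding a chart is not an access control if the detail route still serves it.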

mdeshmu (Contributor) commented Oct 2, 2023

I believe this is fixed in #24789, but it didn't make it to 2.1.1.
You can ask to include it in 2.1.2 (once its discussion thread starts) or upgrade to 3.0.0.

rusackas (Member) commented
I'm not sure if this is still an issue in current versions of Superset (3.x). If it is, we can re-open this, or feel free to open a new issue with updated context and a reproducible case using example data. We're no longer supporting Superset 2.x or prior, and it's been a while since this thread saw any activity, so I'm closing this as stale.
