Cannot Hide Full User List in Saved Queries List View Dropdown

[dflionis]

Superset does not allow users to have access to the Saved Queries "list" functionality without allowing them to see the full list of Superset users.

Expected results

Superset should (IMO) have a permission that allows administrators to hide the full list of users from a given user.

Actual results

When "Saved Queries" are enabled for users, they immediately gain access to the full user list--and administrators don't seem to have the ability to hide this potentially sensitive information.

Screenshots

How to reproduce the bug

1. Grant a role the ability to use Saved Queries (i.e. list, show, add, delete...saved queries permissions).

2. Add a user to that role

3. Attempt to prevent that user from accessing the full list of users when the user navigates to the /savedqueryview/list/ page

Environment

• superset version: 0.32.0rc2
• python version: 3.6
• node.js version: Unknown
• npm version: Unknown

Checklist

Make sure these boxes are checked before submitting your issue - thank you!

• I have checked the superset logs for python stacktraces and included it here as text if there are any.
• I have reproduced the issue with at least the latest released version of superset.
• I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

N/A

[issue-label-bot]

Issue-Label Bot is automatically applying the label #enhancement to this issue, with a confidence of 0.67. Please mark this comment with 👍 or 👎 to give our bot feedback!

Links: app homepage, dashboard and code for this bot.

[michellethomas]

This sounds like a feature request not a bug, as some groups using superset may want to enable access to all saved queries.

I merged a PR that adds a similar functionality to the query search feature. By default this permission isn't added to any roles, but if you add can_only_access_owned_queries to alpha or gamma roles users will only be able to search their own queries. You can do something similar to add a role for Saved Queries. #7234

[dflionis]

@michellethomas Thanks for the reply. Your PR sounds like its offering just about exactly what I'm looking for. My only two questions follow up questions are:

1.) Can you confirm which release this commit went out in? It looks like it was merged on April 17th and I'm using a release (0.32.0rc2) that is marked April 19th but doesn't seem to include it. I'm assuming its availabe in 0.33.0rc1 and up?

2.) Does can_only_access_owned_queries also block the list saved queries view dropdown (i.e. in the screenshot above) from seeing the full list of users? I was hoping to be able to block users from seeing who has Superset access in addition to preventing cross user saved queries searches.

Assuming the 2nd item was also addressed in #7234, everything I was suggested would be covered and we can close this issue. If not, I will relabel this as a feature request and clarify that half of the request was already addressed in a newer release.

[michellethomas]

1. Correct, this PR is available in 0.33.0rc1, to use it you'd need to create a CUSTOM_SECURITY_MANAGER in your superset_config and add can_only_access_owned_queries in one of the permissions groups (like ALPHA_ONLY_PERMISSIONS).

2. can_only_access_owned_queries only applies to Query Search (superset/sqllab#search) not Saved Queries (sqllab/my_queries/), you'd need to add a feature that adds a similar permission for Saved Queries. We should probably keep them as separate permissions if people want to restrict access to one endpoint but not the other. It also doesn't restrict access to the user dropdown.

[dflionis]

Thanks! I'll update this issue to indicate the revised "ask" and I'll see if this is something I could put together a PR for.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.