You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2020/04/19 20:57:35 UTC

[GitHub] [incubator-superset] mistercrunch commented on issue #9576: [DISCUSS] chart and dashboard ownership

mistercrunch commented on issue #9576: [DISCUSS] chart and dashboard ownership
URL: https://github.com/apache/incubator-superset/issues/9576#issuecomment-616224064
 
 
   Some answers:
   - Only owners of the dashboard can add charts to them. The behavior I wanted to describe: say if both you and I are the owner of a dashboard, and I create a brand new chart and add it to this dashboard, you'd become the owner of it. Currently this would only happen once I go in the dashboard and save it (it cascades ownership to charts). It's very likely I would go and position that new chart in the dash and save it, so the gap here is pretty small. Also you saving that dashboard for whatever reasons would cascade ownership too.
   - Currently ownership is part of the models ifself (many-to-many) while other non-resource-specific perms like can-read, can-modify, can-delete are part of RBAC. Business logic applies all required checks on actions. Seems ok to me. Ownership and ownership checks are [mostly] consistent across object types (charts, query, dashboard) and the same model / logic applies.
   - sounds tricky / complicated, users own chart seem better than dashboard owns chart
   - more tests around RBAC / ownerships would be great, I think we do make sure that non-owners cannot update / delete things, but not sure how well that's covered in tests
   
   I think the current model that is "if you own the dashboard, we make you also own all of the charts in it" is good. We need to make it clear that this is the case (at least when adding owners to a dashboard).
   
   I have yet to hear a user say "I really want to make this user an owner of my dashboard, but only want to allow that person to modify a subset of the charts in my dashboard". Personally I don't think we need to support that for now, and that it leads to confusing situations / more complex UI to enable that.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org