Posted to dev@superset.apache.org by gi...@git.apache.org on 2017/09/20 12:29:54 UTC

[GitHub] jaylindquist commented on issue #3498: No permission check for save_or_overwrite_slice allows users to manipulate dashboards

URL: https://github.com/apache/incubator-superset/issues/3498#issuecomment-330836327
 
 
   @xmrx Yes, as explained here: https://superset.incubator.apache.org/security.html#permissions
   
   The roles given to the test user:
   * `can explore on Superset` - gives the user access to see the `explore` view (basically, see details on a slice)
   * `all datasource access on all_datasource_access` - gives the user access to see slices for any data source
   
   Neither of these permissions allows a user to create or edit slices and dashboards.
   
   The problem comes from the `Save` button when exploring. 
   * The code executed starts at `def explore(self, datasource_type, datasource_id)` in `core.py` https://github.com/apache/incubator-superset/blob/c988080990691eceb7a78e6448400a519ba4bb0b/superset/views/core.py#L1033
   * The only permission check is that the user has [access to the `explore` view](https://github.com/apache/incubator-superset/blob/c988080990691eceb7a78e6448400a519ba4bb0b/superset/views/core.py#L1032) (`can explore on Superset`) and [can access the datasource](https://github.com/apache/incubator-superset/blob/c988080990691eceb7a78e6448400a519ba4bb0b/superset/views/core.py#L1052) (`all datasource access on all_datasource_access`)
   * If the query includes an `action` parameter set to `saveas` or `overwrite` then the `save_or_overwrite_slice` function is called https://github.com/apache/incubator-superset/blob/c988080990691eceb7a78e6448400a519ba4bb0b/superset/views/core.py#L1135
   * In this function, the user can create a dashboard or add a slice to a dashboard without needing any additional permissions https://github.com/apache/incubator-superset/blob/c988080990691eceb7a78e6448400a519ba4bb0b/superset/views/core.py#L1160-L1186
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
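An added illustration of the control flow described in the comment above. This is a standalone Python model written for this page, not code from Superset or from the issue thread: the handler names, permission strings, form keys and the in-memory store are hypothetical stand-ins for the real `explore` / `save_or_overwrite_slice` code in `views/core.py`. `explore_vulnerable` keeps the ordering the comment describes (only the explore-view and datasource gates run before the save path), and `explore_fixed` shows where a per-write permission check would have to sit.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for the 403 a real view would return."""


@dataclass
class User:
    name: str
    perms: set  # hypothetical permission strings, e.g. {"can_explore", "all_datasource_access"}


@dataclass
class Slice:
    id: int
    name: str
    owner: str
    datasource: str


@dataclass
class Dashboard:
    id: int
    title: str
    slices: list = field(default_factory=list)


class Store:
    """Constructed in-memory stand-in for the database."""

    def __init__(self):
        self.slices = {}
        self.dashboards = {}
        self._next_id = 1

    def new_id(self):
        i = self._next_id
        self._next_id += 1
        return i


def check_explore_access(user, datasource):
    """The only two gates the comment identifies: the explore view and datasource access."""
    if "can_explore" not in user.perms:
        raise Forbidden("no access to explore view")
    if "all_datasource_access" not in user.perms and f"datasource_access:{datasource}" not in user.perms:
        raise Forbidden(f"no access to datasource {datasource}")


def save_or_overwrite_slice(user, store, datasource, form):
    """Save path: creates or overwrites a slice and optionally creates/extends a dashboard.
    Like the code the comment points at, it performs writes but checks no permission itself."""
    if form["action"] == "overwrite":
        slc = store.slices[int(form["slice_id"])]
        slc.name = form.get("slice_name", slc.name)
    else:  # "saveas"
        slc = Slice(store.new_id(), form["slice_name"], user.name, datasource)
        store.slices[slc.id] = slc

    dash = None
    if form.get("add_to_dash") == "new":
        dash = Dashboard(store.new_id(), form["new_dashboard_name"])
        store.dashboards[dash.id] = dash
    elif form.get("add_to_dash") == "existing":
        dash = store.dashboards[int(form["save_to_dashboard_id"])]
    if dash is not None and slc.id not in dash.slices:
        dash.slices.append(slc.id)
    return {"slice_id": slc.id, "dashboard_id": dash.id if dash else None}


def explore_vulnerable(user, store, datasource, form):
    """Mirrors the reported ordering: read gates only, then straight into the save path."""
    check_explore_access(user, datasource)
    if form.get("action") in ("saveas", "overwrite"):
        return save_or_overwrite_slice(user, store, datasource, form)
    return {"view": "explore", "datasource": datasource}


def check_write_access(user, store, form):
    """Hypothetical fix: gate each distinct write the save path can perform."""
    if form["action"] == "saveas" and "can_add_slice" not in user.perms:
        raise Forbidden("cannot create slices")
    if form["action"] == "overwrite":
        slc = store.slices[int(form["slice_id"])]
        if slc.owner != user.name and "can_edit_slice" not in user.perms:
            raise Forbidden("cannot edit a slice you do not own")
    if form.get("add_to_dash") == "new" and "can_add_dashboard" not in user.perms:
        raise Forbidden("cannot create dashboards")
    if form.get("add_to_dash") == "existing" and "can_edit_dashboard" not in user.perms:
        raise Forbidden("cannot modify dashboards")


def explore_fixed(user, store, datasource, form):
    check_explore_access(user, datasource)
    if form.get("action") in ("saveas", "overwrite"):
        check_write_access(user, store, form)
        return save_or_overwrite_slice(user, store, datasource, form)
    return {"view": "explore", "datasource": datasource}


def outcome(handler, user, store, datasource, form):
    """Run a handler and return either its result or the string 'forbidden'."""
    try:
        return handler(user, store, datasource, form)
    except Forbidden:
        return "forbidden"


def demo():
    """Read-only user as in the report, submitting the Save form with action=saveas + new dashboard."""
    viewer = User("viewer", {"can_explore", "all_datasource_access"})
    payload = {"action": "saveas", "slice_name": "x", "add_to_dash": "new", "new_dashboard_name": "unexpected"}
    vuln_store, fixed_store = Store(), Store()
    before = outcome(explore_vulnerable, viewer, vuln_store, "sales", payload)
    after = outcome(explore_fixed, viewer, fixed_store, "sales", payload)
    return before, len(vuln_store.dashboards), after, len(fixed_store.dashboards)


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the `action` parameter turns a view that was only ever authorised for reading into a write, so the check has to be attached to the write itself (create slice, edit slice, create dashboard, modify dashboard) rather than to the page that happens to host the Save button.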