Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2021/10/13 13:47:09 UTC

[GitHub] [superset] DBouwmans opened a new issue #17087: Make users not able to view other users in filters when not allowed to view the user_list according to the rights

DBouwmans opened a new issue #17087:
URL: https://github.com/apache/superset/issues/17087


**Problem description**
As a user of Superset, with a role that only allows me to view created dashboards and not view the user list ([menu access on list users] or other related rights), I would not expect to be able to filter on the users in the dashboard overview. This currently enables me to still see all the other users in my Superset instance, without having rights to the user list.

This could result in **a possible privacy vulnerability**, which is not in compliance with the GDPR if you have multiple users that shouldn’t be able to see each other’s username.

**The current situation**
![image](https://user-images.githubusercontent.com/71815117/137144150-a67db02e-5735-4cd0-807e-467c55f26352.png)
While they aren’t allowed to view the complete user list:
![image](https://user-images.githubusercontent.com/71815117/137144202-eefc7e17-1fc1-4785-8124-e6294825b866.png)

**The desired solution**
We would prefer not to be able to see/filter on creators/owners at all if you don’t have these rights. But at least the other users who aren’t owners/users shouldn’t be shown in this dropdown.

**Describe alternatives you've considered**
This couldn’t be successfully resolved in CSS, because that only hides the bar and doesn’t remove it; therefore, if one knows CSS, they could still un-hide it using the developer mode in the browser. Therefore this doesn’t solve the possible privacy issue.

**Additional context**
If this feature request requires any additional information, please let me know.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
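The issue's core point is that hiding a dropdown in the browser does not remove the usernames from the response the server sends, so the user list has to be restricted on the server. The following is an added, framework-free example of that server-side check; it is not Apache Superset's code, and the permission string, data model and sample users/dashboards are all constructed for illustration. It models both outcomes the reporter asks for: no owner options at all for users without the list-users right (preferred), or, as the fallback, only the owners of dashboards the requester can already view.

```python
"""Server-side restriction of an 'owner' filter dropdown (hypothetical model)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Constructed stand-in for the "menu access on list users" right named in the
# issue; NOT Superset's own permission identifier.
CAN_LIST_USERS = "menu_access:List Users"


@dataclass(frozen=True)
class User:
    id: int
    username: str


@dataclass(frozen=True)
class Dashboard:
    id: int
    title: str
    owner_ids: Tuple[int, ...]
    published: bool = False                     # readable by everyone in this toy model
    viewer_ids: FrozenSet[int] = frozenset()    # explicit access grants (simplified)


@dataclass(frozen=True)
class Requester:
    user: User
    permissions: FrozenSet[str]


def can_view(requester: Requester, dashboard: Dashboard) -> bool:
    """Simplified access rule: owners, explicitly granted viewers, or anyone if published."""
    uid = requester.user.id
    return dashboard.published or uid in dashboard.owner_ids or uid in dashboard.viewer_ids


def unfiltered_owner_options(users: Iterable[User]) -> List[str]:
    """The behaviour the issue reports: every username is returned regardless of rights.
    A CSS rule that hides the dropdown leaves this payload unchanged."""
    return sorted(u.username for u in users)


def owner_filter_options(requester: Requester, users: Iterable[User],
                         dashboards: Iterable[Dashboard], *,
                         hide_when_unprivileged: bool = True) -> List[str]:
    """Options the server should return for the 'owner' filter.

    - requester holds CAN_LIST_USERS: the full list, same as the user list page.
    - otherwise, hide_when_unprivileged=True: no options at all (the issue's preferred outcome).
    - otherwise: only owners of dashboards the requester can already view (the issue's minimum).
    """
    users = list(users)
    if CAN_LIST_USERS in requester.permissions:
        return unfiltered_owner_options(users)
    if hide_when_unprivileged:
        return []
    visible_owner_ids = {oid for d in dashboards if can_view(requester, d) for oid in d.owner_ids}
    return sorted(u.username for u in users if u.id in visible_owner_ids)


# Constructed sample data for the demonstration.
USERS = (User(1, "alice"), User(2, "bob"), User(3, "carol"), User(4, "dave"))
DASHBOARDS = (
    Dashboard(10, "Sales", owner_ids=(1,), published=True),
    Dashboard(11, "HR", owner_ids=(2,), viewer_ids=frozenset({4})),
    Dashboard(12, "Finance", owner_ids=(3,)),   # dave has no access to this one
)
ADMIN = Requester(USERS[0], frozenset({CAN_LIST_USERS}))
DAVE = Requester(USERS[3], frozenset())          # dashboard viewer without list-users right

if __name__ == "__main__":
    print("current behaviour:", unfiltered_owner_options(USERS))
    print("admin:", owner_filter_options(ADMIN, USERS, DASHBOARDS))
    print("dave, preferred:", owner_filter_options(DAVE, USERS, DASHBOARDS))
    print("dave, fallback:", owner_filter_options(DAVE, USERS, DASHBOARDS, hide_when_unprivileged=False))
```

In the fallback mode, `dave` sees `alice` and `bob` (owners of the two dashboards he can open) but never `carol`, whose dashboard he cannot access; whichever mode is chosen, the decision is made before the response is built, so the browser never receives usernames it is not entitled to show.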



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org