Posted to dev@superset.apache.org by gi...@git.apache.org on 2017/09/19 20:50:21 UTC

[GitHub] jaylindquist opened a new issue #3498: No permission check for save_or_overwrite_slice allows users to manipulate dashboards

URL: https://github.com/apache/incubator-superset/issues/3498
 
 
   Make sure these boxes are checked before submitting your issue - thank you!
   
   - [x] I have checked the superset logs for python stacktraces and included it here as text if any
   - [x] I have reproduced the issue with at least the latest released version of superset
   - [x] I have checked the issue tracker for the same issue and I haven't found one similar
   
   ### Superset version
   
   * 0.17.0
   * 0.19.1
   
   ### Expected results
   
   Only users with proper permissions can create or update dashboards or change slices
   
   ### Actual results
   
   A user with the following two permissions can add a slice to a new dashboard, add a slice to an existing dashboard, or overwrite the definition of an existing slice.
   * `can explore on Superset`
   * `all datasource access on all_datasource_access`
   
   ### Steps to reproduce
   
   1. Install superset, configure admin, load example data
   1. Create a new Role `ReadOnly` with the following permissions
     * `can explore on Superset`
     * `all datasource access on all_datasource_access`
   1. Create a new User `test` and add the user to the `ReadOnly` role
   1. Log in to Superset as `test`
   1. Go to the following URL (generated from saving a slice and adding it to a new dashboard as an admin):
   ```
   http://<server>/superset/explore/table/3/?form_data={%22datasource%22:%223__table%22,%22viz_type%22:%22table%22,%22slice_id%22:15,%22granularity_sqla%22:%22ds%22,%22time_grain_sqla%22:null,%22since%22:%22100+years+ago%22,%22until%22:%22now%22,%22groupby%22:[%22name%22],%22metrics%22:[%22sum__num%22],%22include_time%22:false,%22all_columns%22:[],%22order_by_cols%22:[],%22table_timestamp_format%22:%22%Y-%m-%d+%H:%M:%S%22,%22row_limit%22:50,%22page_length%22:0,%22include_search%22:false,%22table_filter%22:false,%22where%22:%22%22,%22having%22:%22%22,%22filters%22:[{%22op%22:%22in%22,%22val%22:[%22girl%22],%22col%22:%22gender%22}]}&action=overwrite&slice_id=15&slice_name=Girls&add_to_dash=new&new_dashboard_name=new-dash&goto_dash=true
   ```
   
   This will create a new dashboard called 'new-dash' owned by the `test` user.
   
   Simplifying the URL can cause a lot of other issues. For instance, if the `test` user goes to
   ```
   http://<server>/superset/explore/table/3/?form_data={%22slice_id%22:22,%22viz_type%22:%22table%22}&action=overwrite&slice_id=22&add_to_dash=new&new_dashboard_name=break
   ```
   
   They can overwrite slice ID 22 while creating the new dashboard.
   
   Changing the parameters to `add_to_dash=existing&save_to_dashboard_id=1` will allow them to add slices to existing dashboards as well.
   
   
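The missing check the report describes, sketched as an added example that is not Superset's own code: an authorization gate a save/overwrite handler would run over the request parameters named above (`action`, `slice_id`, `add_to_dash`, `save_to_dashboard_id`) before touching any slice or dashboard. The data model, the `check_save_request` function and the permission strings `can_explore` and `can_create_dashboard` are assumptions for illustration.

```python
# Added example (not Superset's own code): an authorization gate that a
# save/overwrite handler would call before acting on the request parameters
# the report describes (action, slice_id, add_to_dash, save_to_dashboard_id).
# Names, permission strings and the data model are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    permissions: set = field(default_factory=set)  # e.g. {"can_explore"}
    is_admin: bool = False


@dataclass
class Slice:
    id: int
    owners: set = field(default_factory=set)  # usernames


@dataclass
class Dashboard:
    id: int
    owners: set = field(default_factory=set)  # usernames


def check_save_request(user, params, slices, dashboards):
    """Return a list of denial reasons; an empty list means the save may proceed.

    params mirrors the query-string fields from the report. Ownership is the
    gate for overwrite and add-to-existing; creating a dashboard needs its own
    (assumed) permission instead of riding on can_explore alone.
    """
    denials = []
    if "can_explore" not in user.permissions:
        denials.append("missing can_explore")
    if params.get("action") == "overwrite":
        slc = slices.get(params.get("slice_id"))
        if slc is None:
            denials.append("slice does not exist")
        elif not (user.is_admin or user.username in slc.owners):
            denials.append(f"not an owner of slice {slc.id}")
    add_to = params.get("add_to_dash")
    if add_to == "new" and not (user.is_admin or "can_create_dashboard" in user.permissions):
        denials.append("missing can_create_dashboard")
    elif add_to == "existing":
        dash = dashboards.get(params.get("save_to_dashboard_id"))
        if dash is None:
            denials.append("dashboard does not exist")
        elif not (user.is_admin or user.username in dash.owners):
            denials.append(f"not an owner of dashboard {dash.id}")
    return denials
```

Wired in front of the handler, the `test` user from the report (only `can_explore` plus datasource access) is refused both the overwrite of slice 22 and the dashboard creation, while an owner or admin passes.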
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services