Posted to dev@superset.apache.org by GitBox <gi...@apache.org> on 2018/04/02 16:59:42 UTC

[GitHub] john-bodley opened a new issue #4737: DashboardFilter and SliceFilter classes ignore database_access and schema_access

john-bodley opened a new issue #4737: DashboardFilter and SliceFilter classes ignore database_access and schema_access
URL: https://github.com/apache/incubator-superset/issues/4737
 
 
   Make sure these boxes are checked before submitting your issue - thank you!
   
   - [x] I have checked the superset logs for python stacktraces and included it here as text if any
   - [x] I have reproduced the issue with at least the latest released version of superset
   - [x] I have checked the issue tracker for the same issue and I haven't found one similar
   
   ### Superset version
   0.23.0dev
   
   ### Expected results
   Per the embedded `TODO` comments [DashboardFilter](https://github.com/apache/incubator-superset/blob/e25535c693c99f6f58e6193dcbf9b96d0aa7e0a1/superset/views/core.py#L158) and [SliceFilter](https://github.com/apache/incubator-superset/blob/e25535c693c99f6f58e6193dcbf9b96d0aa7e0a1/superset/views/core.py#L149) filters should support roles which specify either `database_access` or `schema_access`. 
   
   ### Actual results
   The SliceFilter and DashboardFilter classes ensure that the user only sees dashboards and slices which they're sanctioned to see per the security manager for the `/slicemodelview/list` and `/dashboardmodelview/list` endpoints respectively. Additionally the DashboardFilter class is used to filter which dashboards one may save a slice to. 
   
   Currently this logic works if one either has a role with `all_datasource_access` or where the role enumerates specific datasources, however roles which specify either a `database_access` or `schema_access` permission don't include the corresponding datasources and thus the filter evaluates to `False` when validating the slice permissions.
   
   Note I'm uncertain how best to resolve this issue. Simply enumerating all the datasources for a given schema or database is extremely inefficient for validating whether a user is able to see a slice based on its permissions.
   
   ### Steps to reproduce
   1. Create a role which only includes either `database_access` or `schema_access`
   2. Create a user and assign them only said role.
   3. Create a slice and/or dashboard.
   4. Observe that neither the slice nor dashboard is visible in the model view. Note however the entities are listed under the `Created Content` tab on the user's profile page.
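
The gap described in this issue, as an added example that is not part of the original issue or Superset's own code: a list filter that matches only datasource-level grants, next to one that also matches schema- and database-level grants by comparing permission strings stored on each row, so no datasources are enumerated. The table layout, the `schema_perm` and `database_perm` columns, the `datasource_access` grant name and all permission strings are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows: each slice carries the permission string of its
# datasource plus (assumed, denormalized) strings for its schema and database.
SLICES = [
    (1, "sales by region", "[warehouse].[orders](id:1)", "[warehouse].[sales]", "[warehouse].(id:1)"),
    (2, "hr headcount", "[warehouse].[staff](id:2)", "[warehouse].[hr]", "[warehouse].(id:1)"),
    (3, "web traffic", "[events].[hits](id:3)", "[events].[web]", "[events].(id:2)"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE slices (id INTEGER, name TEXT, perm TEXT,"
               " schema_perm TEXT, database_perm TEXT)")
    db.executemany("INSERT INTO slices VALUES (?, ?, ?, ?, ?)", SLICES)
    return db

def _in_clause(column, values):
    # Parameterized IN (...); an empty grant set must match nothing, not everything.
    if not values:
        return "0", []
    return f"{column} IN ({','.join('?' * len(values))})", sorted(values)

def visible_slices(db, grants, hierarchical):
    """grants maps a permission name to the set of permission strings the
    user's roles hold. hierarchical=False models the datasource-only filter
    from the issue; True also honours schema_access and database_access."""
    if "all_datasource_access" in grants:
        return [r[0] for r in db.execute("SELECT id FROM slices ORDER BY id")]
    # "datasource_access" is an assumed name for per-datasource grants.
    checks = [("perm", grants.get("datasource_access", set()))]
    if hierarchical:
        checks += [("schema_perm", grants.get("schema_access", set())),
                   ("database_perm", grants.get("database_access", set()))]
    clauses, params = [], []
    for column, values in checks:  # column names are fixed literals, never user input
        sql, args = _in_clause(column, values)
        clauses.append(sql)
        params += args
    query = f"SELECT id FROM slices WHERE {' OR '.join(clauses)} ORDER BY id"
    return [r[0] for r in db.execute(query, params)]
```

The cost of the wider filter is three `IN` comparisons per row, independent of how many datasources a schema or database contains.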
   
   
   
