john-bodley commented on issue #5256: [slice] Adding slice owners to SliceFilter URL: https://github.com/apache/incubator-superset/pull/5256#issuecomment-399158094 The right solutuon is to fix the permission logic for slices and datasources. This is quite involved as it would require deprecating the slice/datasource perm field and instead use the datasource’s db, schema, and table name for permission checking. In the case of custom SQL it should probably pass the SQL (not unlike SQL Lab) to determine the phsycial underlying tables/views and then check their permissions. The one caveat with this is the physical datasource may be inaccessible to the user but the custom SQL is ok, i.e.,it contains only aggregations, excludes rows etc. On the otherhand one could argue that’s easy to mutate the SQL and thus one should never access a custom view based on any datasource they can’t access.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
