rafalpas opened a new issue #18959:
URL: https://github.com/apache/superset/issues/18959
The Dashboard RBAC functionality provides implicit access to datasources
used for all charts on a dashboard, so that charts can retrieve underlying data
even if user does not have explicit access to datasources. This does not cover
Dashboard Native Filters correctly - in case native filter uses a datasource
**which is not used by any chart on the dashboard**, the implicit access is not
granted and the filter fails to load data.
#### How to reproduce the bug
1. Create two datasources (A and B) that share a column name ("x") and type,
so that it is possible to use filter created on A to filter the B
2. Create a chart using datasource B
3. Create a dashboard and add the chart to it
4. Add a native filter using datasource A and column "x"
5. Save the dashboard and make it public
6. Create a role with access rights enough to view dashboards, but with
**NO** explicit access to datasources A and B, e.g.
7. Assign this role to the dashboard:
8. Create a new user account and grant the role to it
9. Log in using this user account and access the dashboard
### Expected results
The native filter is filled with data from datasource A.
### Actual results
The native filter is stuck at "No data / Loading..."
#### Screenshots
Included in reproduction procedure
### Environment
- browser type and version: Microsoft Edge 97.0.1072.69
- superset version: 1.4.1
- python version: `python --version`
- node.js version: `node -v`
- any feature flags active: DASHBOARD_RBAC, DASHBOARD_NATIVE_FILTERS (both
are important for this bug)
### Checklist
Make sure to follow these steps before submitting your issue - thank you!
- [ ] I have checked the superset logs for python stacktraces and included
it here as text if there are any.
- [x] I have reproduced the issue with at least the latest released version
of superset.
- [x] I have checked the issue tracker for the same issue and I haven't
found one similar.
### Additional context
A HTTP403 response to "/api/v1/chart/data" is visible in network logs with
the following content
`{"errors": [{"message": "This endpoint requires the datasource ...,
database or\n `all_datasource_access` permission", "error_type":
"DATASOURCE_SECURITY_ACCESS_ERROR", "level": "error", "extra": {"link": "",
"datasource": "..."}}]}`
There is no problem if datasource A is used by any chart on dashboard, only
if it is not used by any chart (used solely by the filter).
There is no problem when using legacy filterboxes (because they are "charts"
and thus the implicit access is granted?)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
