giovannipapini-agilelab opened a new issue, #22640: URL: https://github.com/apache/superset/issues/22640
`DASHBOARD_RBAC` does not behave as explained in the documentation: it says 'Roles is a list which defines access to the dashboard. Granting a role access to a dashboard will bypass dataset level checks. **If no roles are defined, then the dashboard is available to all roles.**', but instead when I do not assign any role to the dashboard only admin and owners can access it.

#### How to reproduce the bug

1. Feature flag `DASHBOARD_RBAC` set to `True`
2. Open a published dashboard that has no role assigned as an Alpha-role-assigned user

### Expected results

The dashboard

### Actual results

A permission error

#### Screenshots

### Environment

(please complete the following information):

- browser type and version: both Edge and Firefox
- superset version: both `1.5` and `2.0`
- python version: `python --version 3.9`

### Checklist

Make sure to follow these steps before submitting your issue - thank you!

- [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
- [x] I have reproduced the issue with at least the latest released version of superset.
- [x] I have checked the issue tracker for the same issue and I haven't found one similar.

### Additional context

While investigating the problem I found out that it is possible to access any dashboard with status DRAFT from any user (when the dashboard has no RBAC role assigned).

The problem could probably be here: https://github.com/apache/superset/blob/001100ddf02db7be1ea94a1cac16475d00436b78/superset/security/manager.py#L1994

Indeed, I cannot figure out why the condition should be `or (not dashboard.published and not dashboard.roles)` and not `or (dashboard.published and not dashboard.roles)`. Is there a case in which a non-admin and non-owner user should view a (not even menu-listed) draft dashboard?

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
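The two clause variants discussed in the issue, evaluated over every dashboard state for a non-admin, non-owner Alpha user. This is an added example, not code from the issue or from Superset: the `Dashboard` and `User` classes, the admin/owner/role-match terms around the clause, and the `Gamma` role value are assumptions made for the model; only the two clauses are taken from the issue text.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Dashboard:  # hypothetical stand-in for the dashboard model
    published: bool
    roles: set = field(default_factory=set)  # roles granted through DASHBOARD_RBAC

@dataclass
class User:  # hypothetical stand-in for the logged-in user
    roles: set
    is_admin: bool = False
    is_owner: bool = False

def clause_as_reported(d):
    # Clause quoted in the issue
    return not d.published and not d.roles

def clause_as_proposed(d):
    # Variant the reporter suggests
    return d.published and not d.roles

def can_access(user, d, no_roles_clause):
    # Assumed surrounding logic: admin, owner, or a published dashboard
    # sharing at least one role with the user, plus the clause under test.
    role_match = d.published and bool(user.roles & d.roles)
    return user.is_admin or user.is_owner or role_match or no_roles_clause(d)

def decision_matrix(no_roles_clause):
    """Map (published, dashboard roles) -> allowed, for an Alpha-only user."""
    alpha = User(roles={"Alpha"})
    role_sets = (set(), {"Alpha"}, {"Gamma"})  # constructed sample role sets
    return {
        (published, tuple(sorted(roles))): can_access(
            alpha, Dashboard(published, set(roles)), no_roles_clause
        )
        for published, roles in product((True, False), role_sets)
    }

if __name__ == "__main__":
    for name, clause in (("reported", clause_as_reported),
                         ("proposed", clause_as_proposed)):
        print(name)
        for (published, roles), allowed in decision_matrix(clause).items():
            state = "published" if published else "draft"
            print(f"  {state:9} roles={roles!s:12} -> "
                  f"{'allow' if allowed else 'deny'}")
```

In this model the reported clause reproduces both observations in the issue: the published dashboard with no roles is denied and the draft dashboard with no roles is allowed.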
