giovannipapini-agilelab commented on PR #22642: URL: https://github.com/apache/superset/pull/22642#issuecomment-1460452540
> @giovannipapini-agilelab With your changes in this PR, can you please test that if dashboard is published and no role is assigned to dashboard, is it accessible by a user with Public or Gamma Role?

Hi, we verified this case and indeed the behaviour is this:

- If the dashboard is **draft**, it is not listed in the dashboard menu and only owners and admins can open it.
- If the dashboard **is published** and has some rbac role assigned, then it is listed in the dashboard menu (d.m.) and visible **to and only to** those roles (with the exception of dashboard owners and admins). Other roles do not see it listed in d.m. and when they open it via permalink they get a "You cannot access this dashboard!" error page. Imo this is the correct behaviour (and note that it is not the same as before this PR).
- If the dashboard **is published** and has no rbac role assigned, then it is visible in d.m. only to those who have dataset-level permissions, **but** it is accessible and visible *via permalink* also to everyone else (Gamma or Public roles). This could be seen as a security issue, even more if combined with the `PUBLIC_ROLE_LIKE = "Gamma"` setting.

Probably we should fix the fallback behaviour, in this or in some other PR, what do you think @mdeshmu?

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
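The three cases in the comment above, written as a small access matrix that can be used as a regression check. This is an added example, not part of the original comment and not Superset code; the `User`/`Dashboard` classes, the `dataset_perm` flag, the sample users and the idea that permalink access should follow the same entitlement rule are all assumptions made for illustration.

```python
# Added model of the behaviour the comment reports; not Superset code.
from dataclasses import dataclass

@dataclass
class User:
    name: str
    roles: frozenset
    dataset_perm: bool = False  # assumed flag: dataset-level permission

@dataclass
class Dashboard:
    published: bool
    rbac_roles: frozenset = frozenset()
    owners: frozenset = frozenset()

def owner_or_admin(u, d):
    return u.name in d.owners or "Admin" in u.roles

def entitled(u, d):
    """Who each case in the comment is meant for (also the assumed fix)."""
    if owner_or_admin(u, d):
        return True
    if not d.published:
        return False  # draft: owners and admins only
    if d.rbac_roles:
        return bool(u.roles & d.rbac_roles)
    return u.dataset_perm  # no roles assigned: dataset-level permission decides

def permalink_reported(u, d):
    """Permalink access as reported, including the open fallback."""
    if d.published and not d.rbac_roles:
        return True  # published, no rbac role: anyone with the link
    return entitled(u, d)

def fallback_gaps(users, dashboards, permalink):
    """(user, dashboard index) pairs that can open a dashboard they are not entitled to."""
    return [(u.name, i) for i, d in enumerate(dashboards) for u in users
            if permalink(u, d) and not entitled(u, d)]

# Constructed sample users and dashboards.
USERS = [User("alice", frozenset({"Admin"})),
         User("bob", frozenset({"Gamma"}), dataset_perm=True),
         User("carol", frozenset({"Gamma"})),
         User("anon", frozenset({"Public"}))]
DASHBOARDS = [Dashboard(published=False, owners=frozenset({"bob"})),
              Dashboard(published=True, rbac_roles=frozenset({"Gamma"})),
              Dashboard(published=True)]

if __name__ == "__main__":
    print(fallback_gaps(USERS, DASHBOARDS, permalink_reported))
```

Running `fallback_gaps` with `entitled` as the permalink rule returns an empty list, which is the property a test for the fallback fix would assert.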
