SaviorXTanren commented on issue #23969: URL: https://github.com/apache/superset/issues/23969#issuecomment-1542947916
To add to this, the same sort of logic is present in the Datasets list. When a user visits the Datasets list page, it shows all Datasets of the Datasources that the user has access to. So users will be able to see Datasets that they do not have permission for, and it will fail for them when they attempt to navigate to any of them. Similarly, visiting a Dataset that you don't have access to will expose the names of the columns in the dataset, even though you don't have access to query on it.

There should be a trickle-down check done on these sorts of pages. For example, if you go to the Charts list, it should check first to see what Datasources you have access to, and then individually check the Charts in those Datasources to ensure you have access to each one before it is shown in the list. Same sort of idea for Datasets, Dashboards, etc.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
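The trickle-down check proposed in the comment above, as an added example that is not part of the original comment and is not Superset's code. It assumes a permission model with separate datasource-level and dataset-level grants; every class, function and sample name is hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical model of the check; none of these names are Superset's API.
@dataclass(frozen=True)
class Dataset:
    name: str
    datasource: str
    columns: tuple

@dataclass
class User:
    name: str
    datasources: set = field(default_factory=set)  # datasource-level grants
    datasets: set = field(default_factory=set)     # dataset-level grants

# Constructed sample catalogue.
CATALOG = [
    Dataset("sales", "warehouse", ("region", "revenue")),
    Dataset("payroll", "warehouse", ("employee", "salary")),
    Dataset("tickets", "support_db", ("id", "status")),
]

def can_access(user, ds):
    """Trickle-down check: datasource grant first, then the object itself."""
    return ds.datasource in user.datasources and ds.name in user.datasets

def list_datasets_datasource_only(user):
    """Behaviour the comment describes: filter on datasource access alone."""
    return [d.name for d in CATALOG if d.datasource in user.datasources]

def list_datasets_trickle_down(user):
    """List only the datasets the user could actually open."""
    return [d.name for d in CATALOG if can_access(user, d)]

def dataset_columns(user, name):
    """Detail view: authorize before any metadata (column names) is returned."""
    ds = next((d for d in CATALOG if d.name == name), None)
    # Design choice in this example: one error for "missing" and "forbidden",
    # so the response does not confirm that the dataset exists.
    if ds is None or not can_access(user, ds):
        raise PermissionError("dataset not found or access denied")
    return list(ds.columns)

if __name__ == "__main__":
    alice = User("alice", {"warehouse"}, {"sales"})
    print("datasource-only list:", list_datasets_datasource_only(alice))
    print("trickle-down list:   ", list_datasets_trickle_down(alice))
```

The same two-level filter applies to the Charts and Dashboards lists by swapping the object type.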
