john-bodley commented on code in PR #23586:
URL: https://github.com/apache/superset/pull/23586#discussion_r1194470339
##########
superset/views/core.py:
##########
@@ -1846,25 +1847,33 @@ def dashboard(
if not dashboard:
abort(404)
- if config["ENABLE_ACCESS_REQUEST"]:
- for datasource in dashboard.datasources:
- datasource = DatasourceDAO.get_datasource(
- datasource_type=DatasourceType(datasource.type),
- datasource_id=datasource.id,
- session=db.session(),
+ has_access_ = False
Review Comment:
@villebro can all this logic reside in the security manager? The issue is
having security logic outside of the security manager adds complexity if you
have custom logic in your security manager which grants everyone access to view
the dashboard but block at the chart level if you don't have access to the
underlying dataset.
Should lines 1851–1860-esque be moved to the security manager which means
this function would reduce to something of the form,
```python
try:
security_manager.raise_for_dashboard_access(dashboard)
except DashboardAccessDeniedError:
if config["ENABLE_ACCESS_REQUEST"]:
flash(...)
return
redirect(f"/superset/request_access/?dashboard_id={dashboard.id}")
else:
flash(DashboardAccessDeniedError.message, "danger")
return redirect(DASHBOARD_LIST_URL)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
