giftig opened a new issue, #24169:
URL: https://github.com/apache/superset/issues/24169

Datasource permissions are (largely) respected when attempting to run a query via SQL Lab, but once a query has been run and a dataset saved from that query, the user can then go to the explore view, edit the query within that dataset to access any desired tables, and build a table chart from that query in order to access the forbidden tables.

### How to reproduce the bug

1. Go to SQL Lab
2. Run any query, save it as a virtual dataset
3. Go to explore to start building a chart from that dataset
4. Next to the chart source in the top left, click the three dots and then "Edit dataset"
5. Click the lock to make changes
6. Swap out the SQL for a query which should be forbidden to the user, e.g. select from a table which the current user does not have datasource permissions to access
7. Save the dataset
8. Select some dimensions and continue to create a table chart from the modified dataset
9. See the contents of a table the user is forbidden to access

### Expected results

The user should be forbidden from updating the query to something which they should not be permitted to run, according to their datasource access permissions and other relevant permissions.

### Actual results

No such check happens and the user is able to view forbidden data.

### Environment

(please complete the following information):

- browser type and version: N/A
- superset version: `2.1`
- python version: `python --version`
- node.js version: N/A
- any feature flags active:
```
FEATURE_FLAGS = {
    "ENABLE_TEMPLATE_PROCESSING": True,
    "ENABLE_TEMPLATE_REMOVE_FILTERS": True,
    "DASHBOARD_RBAC": False,
    "ENABLE_REACT_CRUD_VIEWS": True,
    "DASHBOARD_NATIVE_FILTERS": True,
    "ROW_LEVEL_SECURITY": True,
    "PRESTO_EXPAND_DATA": True,
    "SQLLAB_BACKEND_PERSISTENCE": True,
    "GLOBAL_ASYNC_QUERIES": True,
    "DATAPANEL_CLOSED_BY_DEFAULT": True
}
```

### Checklist

Make sure to follow these steps before submitting your issue - thank you!

- [x] I have checked the superset logs for python stacktraces and included them here as text if there are any.
- [x] I have reproduced the issue with at least the latest released version of superset.
- [x] I have checked the issue tracker for the same issue and I haven't found one similar.
   
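The check the report asks for, as an added illustration that is not Superset's own code: before an edited virtual dataset's SQL is saved, extract the tables it references and refuse the update if any of them lies outside the user's granted datasource permissions. The regex-based table extraction is a simplified stand-in for a real SQL parser, and the grant list and queries are constructed sample values.

```python
from __future__ import annotations
import re

# Constructed illustration of the missing server-side check (not Superset's code).
# A production implementation should use a real SQL parser and fail closed.

COMMENTS = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
# FROM/JOIN followed by one or more comma-separated "table [AS alias]" items.
FROM_LIST = re.compile(
    r"\b(?:from|join)\s+([\w.]+(?:\s+(?:as\s+)?\w+)?(?:\s*,\s*[\w.]+(?:\s+(?:as\s+)?\w+)?)*)",
    re.IGNORECASE,
)
CTE_NAME = re.compile(r"\b(?:with|,)\s*(\w+)\s+as\s*\(", re.IGNORECASE)


def referenced_tables(sql: str, default_schema: str) -> set:
    """Schema-qualified tables named in FROM/JOIN clauses, minus CTE names.

    Heuristic only: string literals are not stripped and WITH RECURSIVE is not
    recognised, so such queries may be over-reported and therefore denied.
    """
    cleaned = COMMENTS.sub(" ", sql)
    ctes = {name.lower() for name in CTE_NAME.findall(cleaned)}
    tables = set()
    for group in FROM_LIST.findall(cleaned):
        for item in group.split(","):
            name = item.split()[0].lower()  # drop any alias
            if "." not in name:
                if name in ctes:
                    continue  # reference to a CTE of this query, not a table
                name = f"{default_schema.lower()}.{name}"
            tables.add(name)
    return tables


def unauthorized_tables(sql: str, default_schema: str, granted) -> set:
    """Tables the query touches that are not in the user's datasource grants."""
    return referenced_tables(sql, default_schema) - {g.lower() for g in granted}


def can_update_virtual_dataset(sql: str, default_schema: str, granted) -> bool:
    """Gate for the 'Edit dataset' save: allow only if every table is granted."""
    return not unauthorized_tables(sql, default_schema, granted)


if __name__ == "__main__":
    grants = ["public.sales"]  # constructed: the user may read public.sales only
    original = "SELECT region, SUM(amount) FROM sales GROUP BY region"
    edited = "SELECT * FROM sales s JOIN hr.salaries h ON s.rep_id = h.emp_id"
    print(can_update_virtual_dataset(original, "public", grants))  # True
    print(unauthorized_tables(edited, "public", grants))  # {'hr.salaries'}
```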

