partizaans commented on issue #19525:
URL: https://github.com/apache/superset/issues/19525#issuecomment-1566791040

   After a couple of hours of debugging, it seems that I could resolve the 
problem with a temporary solution. 
   In my case, I was requesting `POST:api/v1/chart/data` using the JWT 
authentication method. For this endpoint we have `permission_str=can_read` and 
the `class_permission_name=Chart`. 
   Somewhere in `flask_appbuilder/security/decorators.py:84` we have:
   ```python
               if current_app.appbuilder.sm.is_item_public(
                   permission_str, class_permission_name
               ):
   ```
   In my running Superset instance, reading a chart was a public action but 
only some of the charts were actually public. So the decorator prevents 
execution of `verify_jwt_in_request()` before processing the request, because 
`can read on Chart` is in the permissions of the `Public` role.  
   
   ## Temporary Solution
   In the Superset UI I edited the `Public` role and removed `can read on 
Chart` from its permissions. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
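
The ordering described in the comment above, as an added example that is not part of the original comment and not Flask-AppBuilder or Superset code: a small model of a decorator that consults the Public role before verifying the JWT. The names `protect`, `verify_jwt`, `chart_data` and `run`, the user `alice`, the per-chart ownership check and the status codes are all assumptions made for the model.

```python
# Simplified model, constructed for illustration; not Flask-AppBuilder source.
CHART = ("can_read", "Chart")
USER_PERMS = {"alice": {CHART}}        # constructed user and permissions
CHART_OWNER = {1: None, 2: "alice"}    # chart 1 is public, chart 2 is alice's


class Request:
    def __init__(self, jwt_subject=None):
        self.jwt_subject = jwt_subject  # identity carried by the bearer token
        self.user = None                # identity the application has loaded
        self.jwt_verified = False


def verify_jwt(req):
    """Stand-in for verify_jwt_in_request(): loads the token's identity."""
    req.jwt_verified = True
    req.user = req.jwt_subject


def protect(perm, public_perms):
    """Check the Public role first; verify the JWT only if that check fails."""
    def wrap(view):
        def inner(req, *args):
            if perm in public_perms:
                return view(req, *args)  # short-circuit: token never verified
            verify_jwt(req)
            if perm not in USER_PERMS.get(req.user, set()):
                return 401
            return view(req, *args)
        return inner
    return wrap


def chart_data(req, chart_id):
    # Per-chart check (assumed): uses req.user, which is None on the public path.
    owner = CHART_OWNER[chart_id]
    return 200 if owner is None or owner == req.user else 403


def run(public_perms, chart_id, jwt_subject="alice"):
    """Return (status, jwt_verified) for one request against the model."""
    req = Request(jwt_subject)
    return protect(CHART, public_perms)(chart_data)(req, chart_id), req.jwt_verified


if __name__ == "__main__":
    print(run({CHART}, 2))        # Public role holds the permission
    print(run(set(), 2))          # permission removed from Public
    print(run(set(), 1, None))    # anonymous caller after the change
```

In this model, removing the permission from the Public role restores token verification for authenticated callers, and anonymous callers are then rejected even for the chart marked public.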

