lindenh opened a new issue, #26201:
URL: https://github.com/apache/superset/issues/26201

When creating a guest token with resources to allow access to (namely dashboards), access to charts should be limited to those on that dashboard.

#### How to reproduce the bug

1. Create a guest token using the /api/v1/security/guest_token endpoint, giving it some dashboard:
```json
{
    "user": {},
    "resources": [
        {
            "type": "dashboard",
            "id": "user-dash"
        }
    ],
    "rls": []
}
```

2. Use this guest token with the header X-Guesttoken (or whatever the config is set to for guest token headers) to grab a chart at /api/v1/chart/{pk}/data with a chart NOT on the above given dashboard.
3. See that data is pulled back.

### Expected results

Some unauthorized error.

### Actual results

Data is correctly pulled back from any chart.

#### Screenshots

If applicable, add screenshots to help explain your problem.

### Environment

(please complete the following information):

- browser type and version:
- superset version: `superset version`
- python version: `python --version`
- node.js version: `node -v`
- any feature flags active: EMBEDDED_SUPERSET

### Checklist

Make sure to follow these steps before submitting your issue - thank you!

- [x] I have checked the superset logs for python stacktraces and included them here as text if there are any.
- [x] I have reproduced the issue with at least the latest released version of superset.
- [x] I have checked the issue tracker for the same issue and I haven't found one similar.

### Additional context

This could also be considered a security issue, since RLS is also applied to guest tokens. In our case, we have some dashboards that do not need RLS and some that absolutely need them. The only way (without changing the dataset) to disable RLS for embedded dashboards is by creating a guest token without them; there are no settings on dashboards/charts to ignore it.

The workaround we're doing is to add `false as rls_required` to our datasets, and either having RLS clauses per user or having the clause "rls_required=false", which will error out charts without that column. This isn't a desirable workaround.
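The scope check the issue expects, written as an added illustration rather than Superset's own code: the chart data endpoint only answers when the requested chart sits on a dashboard listed in the token's `resources`. The `dashboard_charts` mapping and the function names are assumptions for the example; the token payload mirrors the one in the report.

```python
"""Added example, not Superset code: guest-token scope check for chart data.

Assumptions (hypothetical, not Superset's actual API):
- guest_token is the decoded JSON body shown in the issue;
- dashboard_charts maps a dashboard id/slug to the chart pks it contains.
"""
import json


class GuestTokenScopeError(PermissionError):
    """Raised when a guest token does not cover the requested chart."""


def dashboards_in_token(guest_token: dict) -> set[str]:
    """Return the dashboard ids granted under "resources" in the token."""
    return {
        str(res["id"])
        for res in guest_token.get("resources", [])
        if res.get("type") == "dashboard"
    }


def authorize_chart_data(guest_token: dict, chart_pk: int,
                         dashboard_charts: dict[str, set[int]]) -> bool:
    """Allow chart data only if the chart is on a dashboard the token grants.

    Returns True when allowed; raises otherwise, so a caller cannot mistake
    a skipped check for an approval (fail closed).
    """
    for dash_id in dashboards_in_token(guest_token):
        if chart_pk in dashboard_charts.get(dash_id, set()):
            return True
    raise GuestTokenScopeError(
        f"chart {chart_pk} is not on any dashboard granted by this guest token"
    )


# Constructed sample token, same shape as the payload in the issue.
SAMPLE_TOKEN = json.loads('''{
    "user": {},
    "resources": [{"type": "dashboard", "id": "user-dash"}],
    "rls": []
}''')
# Constructed mapping: "user-dash" holds charts 7 and 12; chart 42 is elsewhere.
SAMPLE_DASHBOARD_CHARTS = {"user-dash": {7, 12}, "finance-dash": {42}}


def check(chart_pk: int) -> bool:
    """Convenience wrapper: True if allowed, False if the token is out of scope."""
    try:
        return authorize_chart_data(SAMPLE_TOKEN, chart_pk, SAMPLE_DASHBOARD_CHARTS)
    except GuestTokenScopeError:
        return False
```

With this check in place, step 2 of the reproduction (a chart pk not on `user-dash`) is refused instead of returning data, while charts on the granted dashboard still load.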
   