lbuchli commented on issue #24837: URL: https://github.com/apache/superset/issues/24837#issuecomment-2176018616
I played around a bit with this and found a hacky solution, which could also be a pointer to implementing a better solution:

In superset_config.py:

```python
from superset.security.manager import SupersetSecurityManager
from flask import Flask
from flask_login import login_user
from flask_jwt_extended import JWTManager


class CustomSecurityManager(SupersetSecurityManager):
    def create_jwt_manager(self, app: Flask) -> JWTManager:
        def _load_user_jwt(_jwt_header, jwt_data):
            user = self.load_user_jwt(_jwt_header, jwt_data)
            login_user(user)  # sets g.user to jwt provided user
            return user

        jwt_manager = JWTManager()
        jwt_manager.init_app(app)
        jwt_manager.user_lookup_loader(_load_user_jwt)
        return jwt_manager


CUSTOM_SECURITY_MANAGER = CustomSecurityManager
```

I'm by no means an expert with flask permission stuff, so I cannot say whether this is a good idea from a security point of view. In short, it is a patch for [this function](https://github.com/dpgaspar/Flask-AppBuilder/blob/bbf2adb1312ac1f994ef04e5d5e581d1447cb732/flask_appbuilder/security/manager.py#L2166), which sets g.user, although this has no effect for some reason I haven't looked into. Using flask_login's login_user instead, it works. I also have absolutely no clue why this problem only pops up when setting PUBLIC role perm can read on Dashboard.

I hope this helps somebody and if someone thinks that this solution is a bad idea, please say so.
This is tested with apache/superset:4.0.1, using the following setup:

<details><summary>Setup</summary>
<p>

```Dockerfile
FROM apache/superset:4.0.1

USER root
RUN pip install psycopg2-binary

COPY ./superset-init.sh /superset-init.sh
COPY superset_config.py /app/
ENV SUPERSET_CONFIG_PATH /app/superset_config.py

USER superset
ENTRYPOINT [ "/superset-init.sh" ]
```

```bash
#!/bin/bash

superset fab create-admin --username "admin" --firstname Superset --lastname Admin --email "ad...@superset.com" --password "admin"

cat > /tmp/public-role-perms.json <<EOF
[{"name": "Public", "permissions": [
  {"permission": {"name": "can_read"}, "view_menu": {"name": "Dashboard"}}
]}]
EOF
superset fab import-roles -p /tmp/public-role-perms.json

superset db upgrade
superset init

/bin/sh -c /usr/bin/run-server.sh
```

</p>
</details>