xavier-GitHub76 opened a new issue, #29709:
URL: https://github.com/apache/superset/issues/29709

   ### Bug description
   
   Hello,
   
   To implement the 'public' role, the documentation 
(https://superset.apache.org/docs/security/#public) indicates that the 
PUBLIC_ROLE_LIKE variable must be updated and gives the example of using the 
GAMMA role.
   It is also specified that the GAMMA role provides access for consultation.
   
   By applying these recommendations and defining a “datasource access on” 
permission, an anonymous user can consult:
   - a dashboard
   - diagrams
   - datasets
   (by accessing the various main menus)
   
   Visible elements are related to the “datasource access on” permission but 
the Gamma permissions used as a template are too strong.
   
   An anonymous user can start creating a diagram and freely query a dataset 
via the diagram editing screen.
   It can also export all diagram data.
   However, it cannot save the diagram.
   
   In order to achieve “read only” behavior, you should set up a role limited 
to the strict minimum and use it as a reference for the “public” role.
   
   Here are the permissions I've identified as mandatory for this role:
   - can dashboard permalink on Superset
   - can read on Chart
   - can read on Dashboard
   - can dashboard on Superset
   - can explore json on Superset
   - can read on DashboardPermalinkRestApi
   - can write on DashboardPermalinkRestApi
   - can time range on Api
   Of course, these permissions must be supplemented with the “datasource 
access on” permission.
   
   With these permissions, an anonymous user will only be able to:
   - access a dashboard via its permalink
   - view the dashboard (and its diagrams)
   - generate permalinks (on tabs, headers, dashboard and diagrams)
   - filter a dashboard (including time ranges)
   - export a dashboard (PDF or image)
   
   Best regards
   
   ### How to reproduce the bug
   
   1. Define a PUBLIC_ROLE_LIKE = GAMMA
   2. On the "Public" role, add a “datasource access on” permission on a table
   3. Visit Superset as an anonymous user
   4. Click on "Dataset" menu
   5. Click on public dataset
   6. Edit a chart
   7. Export data
   8. Save chart (refused)
   
   ### Screenshots/recordings
   
   _No response_
   
   ### Superset version
   
   master / latest-dev
   
   ### Python version
   
   3.9
   
   ### Node version
   
   16
   
   ### Browser
   
   Chrome
   
   ### Additional context
   
   _No response_
   
   ### Checklist
   
   - [X] I have searched Superset docs and Slack and didn't find a solution to 
my problem.
   - [X] I have searched the GitHub issue tracker and didn't find a similar bug 
report.
   - [ ] I have checked Superset's logs for errors and if I found a relevant 
Python stacktrace, I included it here as text in the "additional context" 
section.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
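
An added example, not part of the original issue and not Superset's own code: a small audit that compares a role's permission list against the minimal set listed in the issue and reports anything extra or missing. The function names are hypothetical, and the sample permission list (including the `[examples].[sales_2024](id:7)` datasource) is constructed for illustration, not a dump of the real Gamma role.

```python
# Minimal permission set listed in the issue for a read-only "Public" role.
MINIMAL_PUBLIC = {
    "can dashboard permalink on Superset",
    "can read on Chart",
    "can read on Dashboard",
    "can dashboard on Superset",
    "can explore json on Superset",
    "can read on DashboardPermalinkRestApi",
    "can write on DashboardPermalinkRestApi",
    "can time range on Api",
}

def normalize(perm):
    """Fold 'can_read on Chart' and 'can read on Chart' into one spelling.
    Only the action part is touched, so table names keep their underscores."""
    action, sep, view = perm.strip().partition(" on ")
    return " ".join(action.replace("_", " ").split()) + sep + view.strip()

def audit_public_role(perms):
    """Return (excess, missing, datasource_grants) for a role's permissions."""
    seen, grants = set(), []
    for raw in perms:
        p = normalize(raw)
        if p.startswith("datasource access on "):
            grants.append(p)  # per-dataset grants are expected, list them apart
        else:
            seen.add(p)
    return sorted(seen - MINIMAL_PUBLIC), sorted(MINIMAL_PUBLIC - seen), grants

# Constructed sample: a role copied from a broader template.
SAMPLE_ROLE = [
    "can_read on Chart", "can_read on Dashboard", "can_dashboard on Superset",
    "can_explore_json on Superset", "can_time_range on Api",
    "can_read on Dataset", "can_write on Chart", "menu_access on Datasets",
    "datasource_access on [examples].[sales_2024](id:7)",
]

if __name__ == "__main__":
    excess, missing, grants = audit_public_role(SAMPLE_ROLE)
    for label, items in (("EXCESS", excess), ("MISSING", missing),
                         ("DATASOURCE", grants)):
        for item in items:
            print(f"{label:<11}{item}")
```

Any line reported as `EXCESS` is a permission the anonymous role holds beyond the read-only set described in the issue.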
