chandug1991 opened a new issue, #33698:
URL: https://github.com/apache/superset/issues/33698

   ### Bug description
   
   ### Summary
   Dataset-level permissions are ignored (or silently bypassed) on an embedded dashboard.  
   When a dashboard contains charts that rely on different datasets, a user who has
   access to **only one** of those datasets still sees *all* charts (either with data
   they should not see or with an “Access denied” overlay).  
   Expectation: the dashboard should render only the charts whose underlying dataset
   the current user/role is permitted to query.
   
   ### Superset version / env
   * Superset 5.0.0-rc2 (Docker image `apache/superset:5.0.0rc2`)
   * `@superset-ui/embedded-sdk` >= 2.0.0
   * Python 3.11, Postgres metadata DB
   * Feature flags:  
     `EMBEDDED_SUPERSET = True`, `DASHBOARD_RBAC = True`
   * Browser & OS: Chrome 137 / Windows 10
   
   ### Steps to reproduce
   1. Create two datasets: **dataset1** and **dataset2**  
   2. Create two charts: **chart1** (dataset1) and **chart2** (dataset2)  
   3. Create roles **role1** (permission: dataset1) and **role2** (permission: dataset2)  
   4. Create users **user1** → role1, **user2** → role2  
   5. Add *both* charts to one dashboard called **sample** and publish it  
   6. Embed the dashboard with a guest token generated for the logged-in Superset user  
   7. View the dashboard as **user1** (role1) and then as **user2** (role2)
   
   ### Expected result
   * `user1` should see only *chart1*  
   * `user2` should see only *chart2*
   
   ### Actual result
   With `DASHBOARD_RBAC = True` and the dashboard shared with both roles:
   * Both users see *both* charts and can query both datasets.
   
   With `DASHBOARD_RBAC = False` or no dashboard-level role mapping:
   * Both charts render, but the one whose dataset is not permitted shows  
     `This endpoint requires the datasource ..., database, or all_datasource_access permission`.
   
   Either way, unauthorised charts remain on the page.
   
   ### Logs / network errors
   
   ### Screenshots/recordings
   
   _No response_
   
   ### Superset version
   
   master / latest-dev
   
   ### Python version
   
   3.9
   
   ### Node version
   
   16
   
   ### Browser
   
   Chrome
   
   ### Additional context
   
   _No response_
   
   ### Checklist
   
   - [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
   - [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
   - [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
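
An added example, not part of the original issue and not Superset's own code: a small model of the reproduction scenario that lists, per role, the charts that return data without a matching dataset permission and the charts that render with a denial. The `Chart` class, the `audit_dashboard` function and its plain-name data structures are assumptions; the sample data is constructed from the issue's steps.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chart:
    name: str
    dataset: str

def audit_dashboard(charts, role_datasets, dashboard_roles, dashboard_rbac):
    """Per role: charts that return data, charts exposed without a dataset
    permission, charts rendered with a denial, and the expected visible set."""
    report = {}
    for role, allowed in role_datasets.items():
        # Behaviour reported in the issue: with DASHBOARD_RBAC on and the
        # dashboard shared with the role, every chart returns data.
        via_dashboard = dashboard_rbac and role in dashboard_roles
        readable = [c.name for c in charts if via_dashboard or c.dataset in allowed]
        # What the reporter expects: only charts whose dataset the role holds.
        expected = [c.name for c in charts if c.dataset in allowed]
        report[role] = {
            "readable": readable,
            "exposed": [n for n in readable if n not in expected],
            "denied_but_rendered": [c.name for c in charts if c.name not in readable],
            "expected_visible": expected,
        }
    return report

# Constructed sample data mirroring the issue's reproduction steps.
CHARTS = [Chart("chart1", "dataset1"), Chart("chart2", "dataset2")]
ROLE_DATASETS = {"role1": {"dataset1"}, "role2": {"dataset2"}}
DASHBOARD_ROLES = {"role1", "role2"}

if __name__ == "__main__":
    for rbac in (True, False):
        print(f"DASHBOARD_RBAC = {rbac}")
        rows = audit_dashboard(CHARTS, ROLE_DATASETS, DASHBOARD_ROLES, rbac)
        for role, row in rows.items():
            print(f"  {role}: {row}")
```

Any non-empty `exposed` list marks a role that reads data outside its dataset permissions; a non-empty `denied_but_rendered` list marks the second case in the report, where the chart stays on the page with an error.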
