dosubot[bot] commented on issue #33698: URL: https://github.com/apache/superset/issues/33698#issuecomment-2945757855
<!-- Answer --> What you're describing—where a user with access to only one dataset can see data from charts using unauthorized datasets in an embedded dashboard—is not expected behavior. Superset is supposed to enforce dataset-level permissions even in embedded mode: when a guest token is used, the backend checks that the user has access to the dashboard and that each chart's dataset is associated with that dashboard. If the user doesn't have access, the chart should show an "Access Denied" overlay, not the actual data. This is enforced by the backend's security manager, which cross-checks dashboard, chart, and dataset associations before returning data ([see code logic](https://github.com/apache/superset/blob/b00660acf13e8bb99ba22d61636a793eae0867a9/superset/security/manager.py)). If you're seeing actual data from unauthorized datasets, it could indicate a misconfiguration or a regression. Common causes include: the guest token role having broader permissions than intended (check your `GUEST_ROLE_NAME` config and role permissions), stale or incorrect associations between charts and dashboards in the metadata DB, or a frontend bug where the `dashboardId` is missing from chart requests (which can bypass some permission checks—see [this issue](https://github.com/apache/superset/issues/32552)). Double-check that: - The guest token is only scoped to the dashboard, not datasets. - The guest role does not have `all_datasource_access` or explicit access to the unauthorized dataset. - The frontend is sending the correct `dashboardId` in chart requests. If all of these are correct and you still see unauthorized data, it may be a regression and worth escalating. Data-level protection should absolutely apply in this scenario ([reference](https://github.com/apache/superset/issues/26201)). <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/7bf5e4a4-106c-4bd4-bf28-5422bdda75a0?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/7bf5e4a4-106c-4bd4-bf28-5422bdda75a0?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/7bf5e4a4-106c-4bd4-bf28-5422bdda75a0?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/7bf5e4a4-106c-4bd4-bf28-5422bdda75a0?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/7bf5e4a4-106c-4bd4-bf28-5422bdda75a0?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/7bf5e4a4-106c-4bd4-bf28-5422bdda75a0?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/7bf5e4a4-106c-4bd4-bf28-5422bdda75a0?feedback_type=other)</sup> [](https://go.dosu.dev/discord-bot) [! [Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/issues/33698) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
