dosubot[bot] commented on issue #33698: URL: https://github.com/apache/superset/issues/33698#issuecomment-2949084914
Here’s what I found: Superset’s backend is designed to enforce dataset-level permissions for embedded dashboards using guest tokens. If a user with access to only one dataset is seeing data from unauthorized datasets in embedded mode, this usually points to a frontend issue—most often, the dashboardId is missing from chart requests, which can bypass permission checks and expose unauthorized data. This is a known pitfall and has been discussed in detail in the community ([see this issue and fix](https://github.com/apache/superset/issues/32552)).

Your frontend code uses the official `@superset-ui/embedded-sdk`, which should handle dashboardId correctly, but it’s worth double-checking that the SDK version matches your Superset backend and that no customizations strip out dashboardId from requests. Also, confirm that your guest role (Gamma) does not have `all_datasource_access` or explicit access to restricted datasets.

If you’ve confirmed all of the above and still see unauthorized data, it could be a regression or a subtle bug in the SDK or backend. In that case, try updating both Superset and the SDK to the latest compatible versions, and monitor network requests to ensure dashboardId is present in all chart data requests. If the problem persists, it’s likely a bug that needs to be addressed upstream.

Let me know if you want help with specific debugging steps or network request inspection!
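
The network-request check suggested in the comment above can be run against a HAR export saved from the browser's developer tools. This is an added example, not part of the original comment or of Superset's code; the endpoint path `/api/v1/chart/data`, the key spellings `dashboardId` and `dashboard_id`, and the host `superset.example` are assumptions, and the HAR entries are constructed.

```javascript
// Added example: audit a HAR export for chart data requests that lack a dashboard id.
// Assumptions (not from the page): the endpoint path and the accepted key spellings.
const CHART_DATA_PATH = "/api/v1/chart/data";
const ID_KEYS = new Set(["dashboardId", "dashboard_id"]);

// Parse JSON when possible; otherwise hand back the raw string.
function tryJson(text) {
  try { return JSON.parse(text); } catch { return text; }
}

// Depth-first search for an id key that holds a usable (non-empty) value.
function hasDashboardId(value) {
  if (Array.isArray(value)) return value.some(hasDashboardId);
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(([k, v]) =>
    (ID_KEYS.has(k) && v !== null && v !== undefined && v !== "") || hasDashboardId(v));
}

// Return every chart data request whose query string and body both lack the id.
function findMissingDashboardId(har) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    if (!url.pathname.endsWith(CHART_DATA_PATH)) continue;
    // Query values may themselves be JSON (for example a serialized form_data blob).
    const query = {};
    for (const [k, v] of url.searchParams) query[k] = tryJson(v);
    const body = request.postData ? tryJson(request.postData.text || "") : null;
    if (!hasDashboardId(query) && !hasDashboardId(body)) {
      findings.push({ method: request.method, url: request.url });
    }
  }
  return findings;
}

// Constructed sample HAR: one good request, two without a usable id, one unrelated.
const base = "https://superset.example/api/v1/chart/data";
const fd = (o) => encodeURIComponent(JSON.stringify(o));
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "POST", url: `${base}?form_data=${fd({ slice_id: 7 })}&dashboard_id=12`,
      postData: { text: JSON.stringify({ form_data: { slice_id: 7, dashboardId: 12 } }) } } },
  { request: { method: "POST", url: `${base}?form_data=${fd({ slice_id: 9 })}`,
      postData: { text: JSON.stringify({ form_data: { slice_id: 9 } }) } } },
  { request: { method: "POST", url: `${base}?form_data=${fd({ slice_id: 11 })}`,
      postData: { text: JSON.stringify({ form_data: { slice_id: 11, dashboardId: null } }) } } },
  { request: { method: "GET", url: "https://superset.example/api/v1/dashboard/12" } },
] } };

console.log(findMissingDashboardId(SAMPLE_HAR));
```

Any request this reports is one to trace back to the embedding code or SDK version before treating the behaviour as a backend bug.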
