dosubot[bot] commented on issue #34587:
URL: https://github.com/apache/superset/issues/34587#issuecomment-3177725759

   Yes, Gamma users are much more privileged—they have write, edit, delete, 
export, and advanced permissions, which is why they don’t see “Access Denied” 
toasts. Your readonly role is correctly restricted, but a few things are 
causing the errors:
   
   1. **Welcome page:** If you still see “Access Denied” toasts, double-check 
that your readonly role has `can_read`, `can_list`, and `can_show` on 
Dashboard, Chart, SavedQuery, Dataset, Database, and Log, plus `can dashboard 
on Superset`, `can explore json on Superset`, and crucially, `datasource access 
on` for every dataset the user should see. Missing any of these will cause 
denied toasts, even for read-only actions. Also, UI buttons like "+ CHART" will 
always show a toast if clicked, since they require write permissions—these 
can’t be hidden by permissions alone and need frontend tweaks to fully remove 
[[source](https://github.com/apache/superset/issues/34587)].
   
   2. **User/role listing pages:** Removing menu access only hides navigation 
links. To block direct URL access, you must remove `can list` and `can show` 
permissions on RoleModelView and UserModelView (MyUserOAuthModelView) for the 
readonly role. Superset enforces backend access using `@has_access` and 
`@permission_name("read")` on these views, so without those permissions, users 
get a denied error even if they enter the URL directly 
[[source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/views/users_list.py)].
   
   3. **Dashboard widgets:** “Access Denied” errors here usually mean the user 
is missing `datasource access on` for the underlying datasets, or lacks `can 
read` on Chart/Dashboard. RLS only filters data—it doesn’t override missing 
object-level permissions 
[[source](https://github.com/apache/superset/issues/34587)].
   
   4. **Logout/login page:** These errors are session-related, not 
role-specific. Superset now redirects unauthenticated users to the login screen 
if they try to access a restricted dashboard, and after login, sends them back 
to the dashboard. If a logged-in user lacks access, they’re redirected to the 
dashboard list with an error message 
[[source](https://github.com/apache/superset/pull/30380)].
   
   **Frontend tweaks:** Superset is starting to hide some UI elements (like 
“View in SQL Lab”) if the user lacks the right permission, but not all buttons 
are permission-aware yet. Full suppression of denied actions requires explicit 
frontend customization 
[[source](https://github.com/apache/superset/pull/34293)].
   
   **Checklist for readonly roles:**  
   - Grant all necessary read/list/show permissions and `datasource access on` 
for datasets.
   - Remove all write/edit/delete permissions.
   - Remove `can list`/`can show` on sensitive models to block direct URL 
access.
   - Use backend logs to identify missing permissions when denied toasts appear.
   - Consider frontend tweaks to hide or disable buttons that trigger denied 
actions.
   
   Let me know if you want details on how to identify missing dataset access or 
need help with frontend tweaks.
   
   
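The checklist above, as an added example that is not part of the original comment or of Superset's own code: a small Python audit that takes a role's permissions as plain `(permission, view_menu)` pairs (the form in which Flask-AppBuilder's security manager lists them) and reports missing read permissions, leaked write permissions, list/show access on the user and role views, and datasets without `datasource access`. The permission-name sets, the write-prefix heuristic and the sample role data are this example's own assumptions, constructed for illustration; check them against the permission names your instance actually shows.

```python
"""Audit a Superset role's permission list against a read-only profile.

Added example, not Superset's own code or API. The role is given as plain
(permission, view_menu) string pairs; the READ/WRITE/SENSITIVE sets below
encode the checklist from the comment and are assumptions about naming.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Models the read-only role must be able to read/list/show (from the comment).
READ_MODELS = ("Dashboard", "Chart", "SavedQuery", "Dataset", "Database", "Log")
READ_PERMS = ("can_read", "can_list", "can_show")

# Superset-level permissions the comment names as required.
REQUIRED_SUPERSET = (("can_dashboard", "Superset"), ("can_explore_json", "Superset"))

# Permission-name prefixes treated as write actions (assumption, extend as needed).
WRITE_PREFIXES = ("can_write", "can_add", "can_edit", "can_delete", "can_export")

# Views whose list/show permissions must be removed to block direct URL access.
SENSITIVE_VIEWS = ("RoleModelView", "UserModelView", "MyUserOAuthModelView")


def normalize(name: str) -> str:
    """The UI shows 'can list' while FAB stores 'can_list'; unify both spellings."""
    return name.strip().lower().replace(" ", "_")


@dataclass(frozen=True)
class AuditReport:
    missing: tuple[tuple[str, str], ...]          # required read perms not granted
    forbidden: tuple[tuple[str, str], ...]        # write or sensitive perms granted
    datasets_without_access: tuple[str, ...]      # expected datasets lacking access

    def ok(self) -> bool:
        return not (self.missing or self.forbidden or self.datasets_without_access)


def audit_readonly_role(perms: Iterable[tuple[str, str]],
                        expected_datasets: Iterable[str]) -> AuditReport:
    have = {(normalize(p), v) for p, v in perms}

    missing = [(rp, m) for m in READ_MODELS for rp in READ_PERMS if (rp, m) not in have]
    missing += [pv for pv in REQUIRED_SUPERSET if pv not in have]

    forbidden = [(p, v) for p, v in have if p.startswith(WRITE_PREFIXES)]
    forbidden += [(p, v) for p, v in have
                  if v in SENSITIVE_VIEWS and p in ("can_list", "can_show")]

    granted = {v for p, v in have if p == "datasource_access"}
    no_access = [d for d in expected_datasets if d not in granted]

    return AuditReport(tuple(sorted(missing)), tuple(sorted(forbidden)), tuple(no_access))


def sample_role(with_mistakes: bool) -> list[tuple[str, str]]:
    """Constructed sample data; dataset names use Superset's '[db].[table](id:n)' form."""
    perms = [(rp, m) for m in READ_MODELS for rp in READ_PERMS]
    perms += [("can dashboard", "Superset"), ("can explore json", "Superset")]
    perms.append(("datasource access", "[examples].[birth_names](id:1)"))
    if with_mistakes:
        perms.remove(("can_show", "Log"))            # missing read perm -> denied toast
        perms.append(("can_write", "Chart"))         # write permission leaked in
        perms.append(("can list", "UserModelView"))  # user list reachable by direct URL
    return perms


if __name__ == "__main__":
    expected = ["[examples].[birth_names](id:1)",
                "[examples].[wb_health_population](id:2)"]
    report = audit_readonly_role(sample_role(with_mistakes=True), expected)
    print("missing:  ", report.missing)
    print("forbidden:", report.forbidden)
    print("no access:", report.datasets_without_access)
    print("ok:", report.ok())
```

To use it against a live instance, dump the role's permissions from the security manager (for example from `security_manager.find_role("readonly").permissions`, each item carrying `permission.name` and `view_menu.name`) into the pair list and pass the dataset names the role is supposed to see as `expected_datasets`; anything in `missing` explains a denied toast on a read action, anything in `forbidden` is a write or direct-URL exposure to remove.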


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

