[GitHub] [incubator-superset] thunter009 opened a new issue #7706: Gamma user able to access data they do not have explicit permission for via Change Datasource menu item

[GitBox]

thunter009 opened a new issue #7706: Gamma user able to access data they do not 
have explicit permission for via Change Datasource menu item
URL: https://github.com/apache/incubator-superset/issues/7706
 
 
   When exploring a chart as a Gamma user with explicit permissions to only 
specific datasources, I am able to see and select datasources I should not have 
access to via the Change Datasource menu item/modal.
   
   ### Expected results
   
   I expect to only see the datasources I have been explicitly granted access 
permissions for.
   
   ### Actual results
   
   I can see all datasources connected to the application, including those I do 
not have any permissions on.
   
   #### Screenshots
   
   
![image](https://user-images.githubusercontent.com/7088252/59436248-3f30aa00-8dbd-11e9-9ce5-50a4751887f1.png)
   
![image](https://user-images.githubusercontent.com/7088252/59436255-435cc780-8dbd-11e9-858f-d70ac6f8c652.png)
   
![image](https://user-images.githubusercontent.com/7088252/59447965-372f3500-8dd2-11e9-8a03-691354a5f4b7.png)
   
![image](https://user-images.githubusercontent.com/7088252/59448024-54640380-8dd2-11e9-8880-d109436fa028.png)
   
![image](https://user-images.githubusercontent.com/7088252/59447916-1c5cc080-8dd2-11e9-8daa-4a5d1d5c89b4.png)
   
   
   #### How to reproduce the bug
   
   1. Add a test user and grant them the Gamma role + datasource access on a 
single table
   2. Login as the test user and confirm that you can access charts built on 
top of the datasource you granted access to
   3. Select "Change Datasource" from the chart explore page
   4. See all the datasources available to the instance, regardless of the 
roles granted
   
   ### Environment
   
   - superset version: Superset 0.999.0dev
   - python version: Python 3.7.2
   - node.js version: v10.14.2
   - npm version: 6.9.0
   
   ### Checklist
   
   Make sure these boxes are checked before submitting your issue - thank you!
   
   - [x] I have checked the superset logs for python stacktraces and included 
it here as text if there are any.
   - [x] I have reproduced the issue with at least the latest released version 
of superset.
   - [x] I have checked the issue tracker for the same issue and I haven't 
found one similar.
   
   ### Additional context
   
   Looking through the code base it seems this list of datasources is generated 
via the `superset/datasources` endpoint.
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For additional commands, e-mail: notifications-h...@superset.apache.org