GitHub user dosubot[bot] added a comment to the discussion: Restrict charts

To enforce "users only see charts they own or that are owned by admin," you’ll 
need to customize both backend and (optionally) frontend logic:

**Backend:**  
Create a custom filter in `superset/charts/filters.py` that restricts chart 
queries to those where the current user is an owner or the owner is an admin. 
For example:

```python
from typing import Any

from sqlalchemy import or_
from sqlalchemy.orm.query import Query

from superset import security_manager
from superset.models.slice import Slice
from superset.utils.core import get_user_id
from superset.views.base import BaseFilter


class ChartOwnedByMeOrAdminFilter(BaseFilter):
    name = "Owned by me or admin"
    arg_name = "chart_owned_by_me_or_admin"

    def apply(self, query: Query, value: Any) -> Query:
        # Look up the admin account by username; if it does not exist,
        # admin_id is None and the second condition matches no rows.
        admin_user = security_manager.find_user(username="admin")
        admin_id = admin_user.id if admin_user else None
        user_id = get_user_id()
        # Keep a chart if the current user or the admin account is among its owners.
        return query.filter(
            or_(
                Slice.owners.any(id=user_id),
                Slice.owners.any(id=admin_id),
            )
        )
```

Then, register this filter in `superset/charts/api.py` by adding it to 
`base_filters` or `search_filters` in the `ChartRestApi` class so it’s always 
applied or available as a filter option:

```python
base_filters = [
    ["id", ChartOwnedByMeOrAdminFilter, lambda: []],
]
```

or add it to `search_filters` if you want it as a selectable filter.

**Frontend:**  
No major changes are needed. The chart list UI (see 
`superset-frontend/src/pages/ChartList/index.tsx`) fetches filtered data from 
the backend and displays it. If you want to expose this filter as a selectable 
option, add it to the filters array in the ChartList component. Otherwise, if 
you enforce it as a backend `base_filter`, the frontend will only receive 
charts matching your rule ([ChartList code](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/pages/ChartList/index.tsx#L119-L899)).

**Testing:**  
Log in as a regular user and as admin, and verify that only the correct charts 
appear in the chart list and API responses.

Let me know if you want a more detailed code example or guidance for a specific 
Superset version!

GitHub link: 
https://github.com/apache/superset/discussions/36259#discussioncomment-15071994
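An added example, not part of the bot's comment or of the Superset code base: it writes out the SQL that `or_(Slice.owners.any(id=user_id), Slice.owners.any(id=admin_id))` compiles to (one `EXISTS` per `.any()` over the association table) and runs it against a constructed SQLite stand-in for Superset's `slices`, `ab_user` and `slice_user` tables, including the case where no `admin` account exists. Table and column names follow Superset's schema; the rows are constructed sample data.

```python
import sqlite3

# Constructed stand-in for Superset's ab_user / slices / slice_user tables.
SCHEMA = """
CREATE TABLE ab_user (id INTEGER PRIMARY KEY, username TEXT UNIQUE);
CREATE TABLE slices (id INTEGER PRIMARY KEY, slice_name TEXT);
CREATE TABLE slice_user (slice_id INTEGER, user_id INTEGER);
"""

# Constructed sample data: one admin-owned chart, per-user charts,
# a co-owned chart and a chart with no owners at all.
SAMPLE_DATA = """
INSERT INTO ab_user VALUES (1, 'admin'), (2, 'alice'), (3, 'bob');
INSERT INTO slices VALUES (10, 'admin chart'), (11, 'alice chart'),
                          (12, 'bob chart'), (13, 'alice+bob chart'),
                          (14, 'orphan chart');
INSERT INTO slice_user VALUES (10, 1), (11, 2), (12, 3), (13, 2), (13, 3);
"""

# What the ORM predicate compiles to: each Slice.owners.any(id=...) becomes
# an EXISTS subquery against the slice_user association table.
VISIBLE_SQL = """
SELECT s.id FROM slices s
WHERE EXISTS (SELECT 1 FROM slice_user su
              WHERE su.slice_id = s.id AND su.user_id = ?)
   OR EXISTS (SELECT 1 FROM slice_user su
              WHERE su.slice_id = s.id AND su.user_id = ?)
ORDER BY s.id
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def find_user_id(conn: sqlite3.Connection, username: str):
    """Mirror of security_manager.find_user(username=...).id, or None."""
    row = conn.execute("SELECT id FROM ab_user WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def visible_chart_ids(conn: sqlite3.Connection, username: str, admin_username: str = "admin"):
    """Chart ids the filter lets `username` see."""
    user_id = find_user_id(conn, username)
    admin_id = find_user_id(conn, admin_username)
    # A None admin_id binds as NULL; "user_id = NULL" is never true, so the
    # second EXISTS matches nothing rather than failing open.
    return [r[0] for r in conn.execute(VISIBLE_SQL, (user_id, admin_id))]
```

Note that the same predicate applied to the admin account itself returns only admin-owned charts, and a chart with no owners is visible to nobody; decide whether either is intended before making this a `base_filter`.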