GitHub user dosubot[bot] added a comment to the discussion: Restrict charts
Yes, you can make the filter apply only to non-admin users by checking the
admin role in your custom filter. In your filter’s apply() method, use
`security_manager.is_admin()`. If it returns True, just return the unfiltered
query (so admins see everything); otherwise, apply your restriction for
non-admins.
Here’s a code example for superset/charts/filters.py:
```python
from typing import Any

from flask_appbuilder.security.sqla.models import User
from sqlalchemy import or_
from sqlalchemy.orm.query import Query

from superset import security_manager
from superset.models.slice import Slice
from superset.utils.core import get_user_id
from superset.views.base import BaseFilter


class ChartOwnedByMeOrAdminFilter(BaseFilter):
    name = "Owned by me or admin"
    arg_name = "chart_owned_by_me_or_admin"

    def apply(self, query: Query, value: Any) -> Query:
        if security_manager.is_admin():
            return query  # Admins see all charts

        # Non-admins: charts they own, plus charts owned by any Admin user
        admin_role = security_manager.find_role(security_manager.auth_role_admin)
        admin_ids = [user.id for user in admin_role.user] if admin_role else []
        user_id = get_user_id()
        return query.filter(
            or_(
                Slice.owners.any(id=user_id),
                Slice.owners.any(User.id.in_(admin_ids)),
            )
        )
```
Then, in superset/charts/api.py, register your filter in ChartRestApi:
```python
from superset.charts.filters import ChartOwnedByMeOrAdminFilter

# inside the ChartRestApi class body
base_filters = [
    ["id", ChartOwnedByMeOrAdminFilter, lambda: []],
]
```
This way, only non-admins are restricted, and admins retain full visibility.
This pattern is used elsewhere in Superset for conditional access control based on roles ([see example](https://github.com/apache/superset/blob/master/superset/dashboards/filters.py)).
Test by logging in as both admin and non-admin users to confirm the behavior.
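The role check and owner filter described in the comment, reduced to plain SQL over a constructed in-memory SQLite schema so the access rule can be exercised without a Superset install. This is an added example, not code from the comment or from Superset; the simplified table layout, the sample users and charts, and the fail-closed handling of an unauthenticated caller are assumptions.

```python
import sqlite3
from typing import List, Optional

ADMIN_ROLE_NAME = "Admin"  # Superset's default AUTH_ROLE_ADMIN value

# Constructed, simplified tables standing in for slices / slice_user /
# ab_user / ab_role / ab_user_role (assumption: not the project's real DDL).
SCHEMA = """
CREATE TABLE ab_user (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_user_role (user_id INTEGER, role_id INTEGER);
CREATE TABLE slices (id INTEGER PRIMARY KEY, slice_name TEXT);
CREATE TABLE slice_user (user_id INTEGER, slice_id INTEGER);
"""
# Constructed sample data: alice is Admin; bob and carol are Gamma users.
SAMPLE_ROWS = [
    ("ab_user", [(1, "alice"), (2, "bob"), (3, "carol")]),
    ("ab_role", [(1, "Admin"), (2, "Gamma")]),
    ("ab_user_role", [(1, 1), (2, 2), (3, 2)]),
    ("slices", [(1, "admin chart"), (2, "bob chart"), (3, "carol chart"), (4, "shared chart")]),
    ("slice_user", [(1, 1), (2, 2), (3, 3), (2, 4), (3, 4)]),
]

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS:  # table names come from the constant above, not user input
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def is_admin(conn: sqlite3.Connection, user_id: int) -> bool:
    """Equivalent of security_manager.is_admin(): does the user hold the Admin role?"""
    row = conn.execute(
        "SELECT 1 FROM ab_user_role ur JOIN ab_role r ON r.id = ur.role_id "
        "WHERE ur.user_id = ? AND r.name = ?", (user_id, ADMIN_ROLE_NAME)).fetchone()
    return row is not None

def visible_chart_ids(conn: sqlite3.Connection, user_id: Optional[int]) -> List[int]:
    """Chart ids the caller may list: everything for admins, otherwise charts the
    caller owns or that an Admin owns (the two Slice.owners.any() branches, as EXISTS)."""
    if user_id is None:            # unauthenticated caller: fail closed (assumption)
        return []
    if is_admin(conn, user_id):    # admins bypass the restriction, as in the filter
        rows = conn.execute("SELECT id FROM slices ORDER BY id")
    else:
        rows = conn.execute(
            "SELECT s.id FROM slices s WHERE "
            "EXISTS (SELECT 1 FROM slice_user su WHERE su.slice_id = s.id AND su.user_id = ?) "
            "OR EXISTS (SELECT 1 FROM slice_user su JOIN ab_user_role ur ON ur.user_id = su.user_id "
            "JOIN ab_role r ON r.id = ur.role_id WHERE su.slice_id = s.id AND r.name = ?) "
            "ORDER BY s.id", (user_id, ADMIN_ROLE_NAME))
    return [r[0] for r in rows]
```

Running `visible_chart_ids(build_db(), 2)` shows bob gets his own charts plus the admin-owned one, which is the same visibility the filter grants non-admins.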
GitHub link:
https://github.com/apache/superset/discussions/36259#discussioncomment-15072215