Re: [D] Restrict charts [superset]

via GitHub Wed, 26 Nov 2025 00:40:27 -0800


GitHub user dosubot[bot] added a comment to the discussion: Restrict charts


<!-- Answer -->
Yes, you can use emails instead of usernames as your initial list. Just resolve 
each email to a user ID before filtering, since chart ownership is always 
linked to user IDs—not emails or usernames.

Here’s how you can adapt your filter:

```python
from superset.charts.filters import BaseFilter
from superset.models.slice import Slice
from superset.security import get_username, security_manager
from sqlalchemy.orm import Query

class ChartOwnedByUserOrAdminFilter(BaseFilter):
    name = "Owned by user or admin"
    arg_name = "chart_owned_by_user_or_admin"

    def apply(self, query: Query, value) -> Query:
        if security_manager.is_admin():
            return query  # Admins see all charts

        # Collect emails you want to include (e.g., ["[email protected]", 
current_user_email])
        current_user = 
security_manager.get_session.query(security_manager.user_model).filter(
            security_manager.user_model.username == get_username()
        ).one_or_none()
        emails = ["[email protected]"]
        if current_user and current_user.email:
            emails.append(current_user.email)
        emails = list(set(emails))  # Remove duplicates

        # Resolve emails to user IDs
        user_ids = []
        for email in emails:
            user = 
security_manager.get_session.query(security_manager.user_model).filter(
                security_manager.user_model.email == email
            ).one_or_none()
            if user:
                user_ids.append(user.id)
        if not user_ids:
            return query.filter(False)

        return 
query.filter(Slice.owners.any(security_manager.user_model.id.in_(user_ids)))
```

You can extend the `emails` list with any other emails you want to include. If 
an email doesn’t match a user, it’s ignored. This pattern matches how Superset 
expects user lookups for ownership filters—always by user ID, resolved from 
your chosen identifier 
([reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L153-L2470)).


<!-- Dosu Comment Footer -->
*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*

---
<sup>How did I do? 
[Good](https://app.dosu.dev/response-feedback/bd71fed8-21ed-4c68-b763-4477b9c5fdd5?feedback_type=great_response)
 | 
[Irrelevant](https://app.dosu.dev/response-feedback/bd71fed8-21ed-4c68-b763-4477b9c5fdd5?feedback_type=irrelevant_answer)
 | 
[Incorrect](https://app.dosu.dev/response-feedback/bd71fed8-21ed-4c68-b763-4477b9c5fdd5?feedback_type=incorrect_sources)
 | 
[Verbose](https://app.dosu.dev/response-feedback/bd71fed8-21ed-4c68-b763-4477b9c5fdd5?feedback_type=too_verbose)
 | 
[Hallucination](https://app.dosu.dev/response-feedback/bd71fed8-21ed-4c68-b763-4477b9c5fdd5?feedback_type=hallucination)
 | [Report 
🐛](https://app.dosu.dev/response-feedback/bd71fed8-21ed-4c68-b763-4477b9c5fdd5?feedback_type=bug_report)
 | 
[Other](https://app.dosu.dev/response-feedback/bd71fed8-21ed-4c68-b763-4477b9c5fdd5?feedback_type=other)</sup>

[![Chat with 
Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github)&nbsp;[![Open
 in 
Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=Yes%2C%20you%20can%20use%20emails%20instead%20of%20usernames%20as%20your%20initial%20list.%20Just%20resolve%20each%20email%20to%20a%20user%20ID%20before%20filtering%2C%20since%20chart%20ownership%20is%20always%20linked%20to%20user%20IDs%E2%80%94not%20emails%20or%20usernames.%0A%0AHere%E2%80%99s%20how%20you%20can%20adapt%20your%20filter%3A%0A%0A%60%60%60python%0Afrom%20superset.charts.filters%20import%20BaseFilter%0Afrom%20superset.models.slice%20import%20Slice%0Afrom%20superset.security%20import%20get_username%2C%20security_manager%0Afrom%20sqlalchemy.orm%20import%20Query%0A%0Aclass%20ChartOwnedByUserOrAdminFilter%28BaseFilter%29%3A%0A%20%20%20%20name%20%3D%20%22Owned%20by%20user%20or%20admin%22%0A%20%20%20%20arg_name%20%3D%20%22chart_owned_by_user_or
 
_admin%22%0A%0A%20%20%20%20def%20apply%28self%2C%20query%3A%20Query%2C%20value%29%20-%3E%20Query%3A%0A%20%20%20%20%20%20%20%20if%20security_manager.is_admin%28%29%3A%0A%20%20%20%20%20%20%20%20%20%20%20%20return%20query%20%20%23%20Admins%20see%20all%20charts%0A%0A%20%20%20%20%20%20%20%20%23%20Collect%20emails%20you%20want%20to%20include%20%28e.g.%2C%20%5B%22admin%40example.com%22%2C%20current_user_email%5D%29%0A%20%20%20%20%20%20%20%20current_user%20%3D%20security_manager.get_session.query%28security_manager.user_model%29.filter%28%0A%20%20%20%20%20%20%20%20%20%20%20%20security_manager.user_model.username%20%3D%3D%20get_username%28%29%0A%20%20%20%20%20%20%20%20%29.one_or_none%28%29%0A%20%20%20%20%20%20%20%20emails%20%3D%20%5B%22admin%40example.com%22%5D%0A%20%20%20%20%20%20%20%20if%20current_user%20and%20current_user.email%3A%0A%20%20%20%20%20%20%20%20%20%20%20%20emails.append%28current_user.email%29%0A%20%20%20%20%20%20%20%20emails%20%3D%20list%28set%28emails%29%29%20%20%23%20Remove
 
%20duplicates%0A%0A%20%20%20%20%20%20%20%20%23%20Resolve%20emails%20to%20user%20IDs%0A%20%20%20%20%20%20%20%20user_ids%20%3D%20%5B%5D%0A%20%20%20%20%20%20%20%20for%20email%20in%20emails%3A%0A%20%20%20%20%20%20%20%20%20%20%20%20user%20%3D%20security_manager.get_session.query%28security_manager.user_model%29.filter%28%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20security_manager.user_model.email%20%3D%3D%20email%0A%20%20%20%20%20%20%20%20%20%20%20%20%29.one_or_none%28%29%0A%20%20%20%20%20%20%20%20%20%20%20%20if%20user%3A%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20user_ids.append%28user.id%29%0A%20%20%20%20%20%20%20%20if%20not%20user_ids%3A%0A%20%20%20%20%20%20%20%20%20%20%20%20return%20query.filter%28False%29%0A%0A%20%20%20%20%20%20%20%20return%20query.filter%28Slice.owners.any%28security_manager.user_model.id.in_%28user_ids%29%29%29%0A%60%60%60%0A%0AYou%20can%20extend%20the%20%60emails%60%20list%20with%20any%20other%20emails%20you%20want%20to%20include.%20If%20an%20email%
 
20doesn%E2%80%99t%20match%20a%20user%2C%20it%E2%80%99s%20ignored.%20This%20pattern%20matches%20how%20Superset%20expects%20user%20lookups%20for%20ownership%20filters%E2%80%94always%20by%20user%20ID%2C%20resolved%20from%20your%20chosen%20identifier%20%28%5Breference%5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py%23L153-L2470%29%29.)&nbsp;[![Join
 
Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share
 on 
X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/36259)

GitHub link: 
https://github.com/apache/superset/discussions/36259#discussioncomment-15083843

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: 
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Re: [D] Restrict charts [superset]

Reply via email to