dosubot[bot] commented on issue #36589: URL: https://github.com/apache/superset/issues/36589#issuecomment-3645729266
<!-- Greeting --> Hi @BearCat77! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team. <!-- Answer --> You’re right—Superset’s backend and API use permission names with underscores (like `can_list`), and the frontend’s `findPermission` utility expects the exact same string for checks. If the frontend checks for `'can list'` (with a space), it won’t match the backend’s `'can_list'`, so the menu items won’t render for authorized users. The correct fix is to use `'can_list'` (with an underscore) in your frontend checks, as you proposed. This matches the backend and resolves the issue with the Security menu not appearing for users who should see it ([findPermission implementation](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/utils/findPermission.ts#L22-L28), [backend permission definition](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L241-L2816)). Note: Some documentation (like `RESOURCES/STANDARD_ROLES.md`) still lists permissions with spaces (e.g., `can list`), which can be misleading, but the code and API always use underscores. Always use the underscore format in code and permission checks for correct behavior ([example](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/security/security.mdx#L111-L117)). <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/5d94e2a1-a4b5-41c5-92ba-3925eb619dde?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/5d94e2a1-a4b5-41c5-92ba-3925eb619dde?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/5d94e2a1-a4b5-41c5-92ba-3925eb619dde?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/5d94e2a1-a4b5-41c5-92ba-3925eb619dde?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/5d94e2a1-a4b5-41c5-92ba-3925eb619dde?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/5d94e2a1-a4b5-41c5-92ba-3925eb619dde?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/5d94e2a1-a4b5-41c5-92ba-3925eb619dde?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github) [](https://cursor.com/link/prompt?text=You%E2%80%99re%20right%E2%80%94Superset%E2%80%99s%20backend%20and%20API%20use%20permission%20names%20with%20underscores%20%28like%20%60can_list%60%29%2C%20and%20the%20frontend%E2%80%99s%20%60findPermission%60%20utility%20expects%20the%20exact%20same%20string%20for%20checks.%20If%20the%20frontend%20checks%20for%20%60%27can%20list%27%60%20%28with%20a%20space%29%2C%20it%20won%E2%80%99t%20match%20the%20backend%E2%80%99s%20%60%27can_list%27%60%2C%20so%20the%20menu%20items%20won%E2%80%99t%20render%20for%20authorized%20users.%20The%20correct%20fix%20is%20to%20use%20%60%27can_list%27%60%20%28with%20an%20underscore%29%20in%20your%20frontend%20checks%2C%20as%20you%20proposed.%20This%20matches%20the%20backend%20and%20resolves%20the%20issue%20with%20the%20Secu rity%20menu%20not%20appearing%20for%20users%20who%20should%20see%20it%C2%A0%28%5BfindPermission%20implementation%5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/utils/findPermission.ts%23L22-L28%29%2C%20%5Bbackend%20permission%20definition%5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py%23L241-L2816%29%29.%0A%0ANote%3A%20Some%20documentation%20%28like%20%60RESOURCES/STANDARD_ROLES.md%60%29%20still%20lists%20permissions%20with%20spaces%20%28e.g.%2C%20%60can%20list%60%29%2C%20which%20can%20be%20misleading%2C%20but%20the%20code%20and%20API%20always%20use%20underscores.%20Always%20use%20the%20underscore%20format%20in%20code%20and%20permission%20checks%20for%20correct%20behavior%C2%A0%28%5Bexample%5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/docs/docs/security/security.mdx%23L111-L117%29%29.) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/issues/36589) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
