rusackas commented on PR #36548: URL: https://github.com/apache/superset/pull/36548#issuecomment-3672684587
Thanks for the thorough review @sfirke! Your feedback was incredibly valuable. I've pushed updates that address your concerns:

## Changes Made

### 1. Config Logic Fix (Critical)

You were right to flag this! The original logic `if not public_role_like or public_role_like == "Public"` would have enabled the built-in Public role for ALL deployments by default (when `PUBLIC_ROLE_LIKE` is `None`).

**Fixed:** Now the built-in Public role only activates when explicitly set to `PUBLIC_ROLE_LIKE = "Public"`. If unset (`None`), the Public role remains empty (preserving existing/legacy behavior).

### 2. Additional Permissions Added

- `can_read` on `Annotation` - For annotations on charts to render
- `can_read` on `AnnotationLayerRestApi` - For annotation layer metadata
- `can_read` on `ExplorePermalinkRestApi` - For chart permalinks (we already had Dashboard permalinks)

### 3. Documentation Updates

Added important notes covering:

- **DASHBOARD_RBAC interaction:** When enabled, anonymous users only see dashboards where the "Public" role is explicitly added as owner
- **Role synchronization:** Clarified that permissions sync on startup and manual edits may be overwritten
- **Data access requirement:** Emphasized that dataset access must still be granted separately

### Permissions NOT Added (and why)

- SQL-related permissions (`can_queries`, `can_sql_json`, etc.) - Public shouldn't have SQL Lab access
- Write permissions (`can_write` on permalinks, etc.) - Public should be read-only
- `can_favstar` - Anonymous users don't need favorites (and the error sfirke mentioned may have been fixed in newer versions)

Let me know if there's anything else you'd like me to adjust!

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
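A small model of the config decision under item 1, as an added example that is not code from the PR or from Superset: the pre-review predicate beside the fixed one, with the read-only grants listed in the comment and a startup guard against the permissions the comment excludes. The `DashboardPermalinkRestApi` view name, the `Gamma` sample role and the helper names are assumptions of this example.

```python
# Added example (not Superset code): models how PUBLIC_ROLE_LIKE decides the
# permission set synced onto the Public role at startup.
from typing import FrozenSet, Optional, Tuple

Perm = Tuple[str, str]  # (permission name, view/menu name)

# Read-only set the PR attaches to the built-in Public role. Names are taken
# from the comment; the Dashboard permalink view name is an assumption.
BUILTIN_PUBLIC_PERMS: FrozenSet[Perm] = frozenset({
    ("can_read", "Annotation"),
    ("can_read", "AnnotationLayerRestApi"),
    ("can_read", "ExplorePermalinkRestApi"),
    ("can_read", "DashboardPermalinkRestApi"),
})

# Permissions the comment says Public must never receive.
FORBIDDEN_FOR_PUBLIC = frozenset({"can_queries", "can_sql_json", "can_write", "can_favstar"})

# Constructed sample of an existing role, for the legacy "copy this role" path.
SAMPLE_ROLES = {
    "Gamma": frozenset({("can_read", "Dashboard"), ("can_read", "Chart")}),
}


def public_role_perms_buggy(public_role_like: Optional[str]) -> FrozenSet[Perm]:
    """Pre-review predicate: `not x or x == "Public"` treats an unset config
    as opt-in, so every deployment left at the default None gets the grants."""
    if not public_role_like or public_role_like == "Public":
        return BUILTIN_PUBLIC_PERMS
    return SAMPLE_ROLES.get(public_role_like, frozenset())


def public_role_perms_fixed(public_role_like: Optional[str]) -> FrozenSet[Perm]:
    """After the fix: only the literal "Public" enables the built-in set, None
    leaves the role empty (default deny), and any other value keeps the legacy
    behaviour of copying the named role (assumed here)."""
    if public_role_like is None:
        return frozenset()
    if public_role_like == "Public":
        return BUILTIN_PUBLIC_PERMS
    return SAMPLE_ROLES.get(public_role_like, frozenset())


def violates_read_only(perms: FrozenSet[Perm]) -> bool:
    """Startup guard: True if any granted permission is one Public must not hold."""
    return any(perm in FORBIDDEN_FOR_PUBLIC for perm, _ in perms)
```

Running the guard over the synced set at startup is the cheap way to catch a future regression of the same kind before anonymous traffic sees it.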
