dosubot[bot] commented on issue #37294:
URL: https://github.com/apache/superset/issues/37294#issuecomment-3774808236
Yes, adding ("can_read", "Theme") to PUBLIC_ROLE_PERMISSIONS in
superset/security/manager.py is the correct way to grant this permission by
default—it matches the tuple format used for other permissions in that set.
This ensures the Public role can access dashboards with assigned themes without
triggering a login redirect, and is consistent with the approach used in the
built-in Public role PR and recent code changes
[(source)](https://github.com/apache/superset/pull/36548).

For the Gamma role: permissions aren't defined by a static list. Instead,
Gamma gets its permissions dynamically during role sync. The
SupersetSecurityManager uses the _is_gamma_pvm method to filter all available
permissions, granting Gamma any permission that isn't user-defined, admin-only,
alpha-only, or SQL Lab-only, or is accessible to all users. As long as
"can_read" on "Theme" isn't restricted by those categories, Gamma receives it
by default
[(source)](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L1109-L1312).

The Public role is intentionally more restrictive and only gets permissions
explicitly listed in PUBLIC_ROLE_PERMISSIONS, while Gamma gets a broader set
via this dynamic logic. Just a heads up: Public role permissions are synced on
startup and may be overwritten during upgrades, so any manual changes should be
tracked for future updates
[(source)](https://github.com/apache/superset/pull/36548).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
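
Added example, not part of the comment above and not Superset's code: a simplified model of the two grant strategies the comment describes, a static allowlist for Public and a predicate filter for Gamma, plus a drift check for manual Public grants that a startup sync would drop. The category sets, the PVM list and the function names are constructed for illustration.

```python
# Simplified model, not Superset code. A PVM is a (permission, view) tuple.
# Every set below is constructed for illustration.
PUBLIC_ALLOWLIST = {("can_read", "Dashboard"), ("can_read", "Chart")}
USER_DEFINED_PERMS = {"datasource_access"}
ADMIN_ONLY_VIEWS = {"Security"}
ALPHA_ONLY_VIEWS = {"Database"}
SQL_LAB_ONLY_VIEWS = {"SavedQuery"}
ACCESSIBLE_TO_ALL = {("can_read", "SavedQuery")}

ALL_PVMS = {
    ("can_read", "Dashboard"), ("can_read", "Chart"), ("can_read", "Theme"),
    ("can_write", "Database"), ("can_read", "Security"),
    ("can_read", "SavedQuery"), ("can_write", "SavedQuery"),
    ("datasource_access", "[examples].[sales]"),
}
THEME = ("can_read", "Theme")


def is_gamma_pvm(pvm):
    """Predicate shape described above: not restricted, or accessible to all."""
    perm, view = pvm
    restricted = (
        perm in USER_DEFINED_PERMS
        or view in ADMIN_ONLY_VIEWS
        or view in ALPHA_ONLY_VIEWS
        or view in SQL_LAB_ONLY_VIEWS
    )
    return not restricted or pvm in ACCESSIBLE_TO_ALL


def sync_roles(all_pvms, public_allowlist):
    """Recompute both roles from scratch, the way a startup sync would."""
    return {
        "Public": set(all_pvms) & set(public_allowlist),
        "Gamma": {p for p in all_pvms if is_gamma_pvm(p)},
    }


def public_drift(current_public, public_allowlist):
    """Grants a sync would drop, and allowlist entries not yet applied."""
    current, expected = set(current_public), set(public_allowlist)
    return {"dropped_on_sync": current - expected, "missing": expected - current}


if __name__ == "__main__":
    roles = sync_roles(ALL_PVMS, PUBLIC_ALLOWLIST)
    print("Theme in Gamma:", THEME in roles["Gamma"])
    print("Theme in Public:", THEME in roles["Public"])
    print(public_drift(roles["Public"] | {THEME}, PUBLIC_ALLOWLIST))
```

In this model a newly registered permission reaches Gamma without any list change, while Public stays unchanged until the allowlist itself is edited; `public_drift` reports a grant made by hand as `dropped_on_sync`.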