GitHub user Vansh5632 added a comment to the discussion: Superset 6.0 Embedded
Dashboard: /api/v1/me/roles/ API returns 403 Forbidden

Hi, I attempted to reproduce this issue on the 6.0 branch but got different
results.

I logged in as a user with the Gamma role and accessed /api/v1/me/roles/. In my
environment, I received a 200 OK response with the expected role data, rather
than a 403 Forbidden.

Could you please check your configuration, specifically the exact permissions
assigned to your restricted user? It appears my local 'Gamma' role might
inherently have can_read on User or Security by default, which is masking the
issue on my end.

That said, looking at the code in superset/security/api.py, I do see the
@permission_name("read") decorator, which implies that the endpoint is indeed
enforcing a global read check. I agree that removing this decorator is likely
the correct fix, but I wanted to confirm the permission set first.

GitHub link:
https://github.com/apache/superset/discussions/37406#discussioncomment-15590861