hughhhh opened a new pull request, #38361:
URL: https://github.com/apache/superset/pull/38361
## Summary
Phase 1 of granular export controls implementation. Adds three new
permissions (`can_export_data`, `can_export_image`, `can_copy_clipboard`) to
replace the single `can_csv` permission, allowing admins to control data
exports, screenshots, and clipboard operations separately. The feature is gated
by the `GRANULAR_EXPORT_CONTROLS` flag (default off) to maintain backward
compatibility. Includes database migration that grants the new permissions to
any role with `can_csv`.
## Testing Instructions
1. Enable the `GRANULAR_EXPORT_CONTROLS` feature flag in config
2. Create a test role without `can_export_data` permission
3. Verify users with that role cannot export chart data via CSV/XLSX
4. Verify users without the flag can still use legacy `can_csv` permission
5. Run unit tests: `pytest
tests/unit_tests/security/test_granular_export_permissions.py`
6. Run frontend tests: `npm run test -- usePermissions`
## Additional Information
- [x] Includes DB Migration
- [x] Migration is atomic, supports rollback & is backwards-compatible
- [x] Maps `can_csv` → all 3 new permissions for existing roles
- [x] Introduces new permissions
- [x] Required feature flags: `GRANULAR_EXPORT_CONTROLS` (default False)
**Next Phase:** Phase 2 will extend enforcement to SQL Lab, dashboard
screenshots, and clipboard operations across all surfaces.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
