GitHub user manimovassagh added a comment to the discussion: Add Separate Permission for Dashboard List to Improve DASHBOARD_RBAC Security
Solid proposal. Separating `can read` from `can list` is a common pattern in
RBAC systems and it makes total sense for Superset's dashboard sharing model.
Until this gets implemented natively, here's a workaround that achieves the
same effect:
**Block access to `/dashboard/list/` via `FLASK_APP_MUTATOR`:**
```python
def mutate_app(app):
    from flask import g, abort

    @app.before_request
    def block_dashboard_list():
        from flask import request
        # FAB's User model exposes `roles` (each with a `.name`); anonymous
        # users may carry none, so fall back to an empty list.
        user_roles = getattr(g.user, 'roles', None) or []
        is_admin = any(r.name == 'Admin' for r in user_roles)
        if request.path == '/dashboard/list/' and not is_admin:
            abort(403)

    return app


FLASK_APP_MUTATOR = mutate_app
```
You can also block the API endpoint that feeds the list:
```python
import re


def add_dashboard_api_guard(app):
    # Call this from mutate_app(app) above, next to block_dashboard_list.
    from flask import g, abort, request

    # Single-dashboard routes carry a numeric ID, e.g. /api/v1/dashboard/42
    # or /api/v1/dashboard/42/charts.
    single_dashboard = re.compile(r'/api/v1/dashboard/\d+')

    @app.before_request
    def block_dashboard_list_api():
        if request.path.startswith('/api/v1/dashboard/') and request.method == 'GET':
            # Allow single dashboard access (has numeric ID in path)
            if not single_dashboard.match(request.path):
                user_roles = getattr(g.user, 'roles', None) or []
                if not any(r.name == 'Admin' for r in user_roles):
                    abort(403)
```
This is a bit blunt, but it works. You could refine it by checking for a custom
permission or a specific role instead of just `Admin`.
For a proper upstream solution, the change would need to touch
`superset/dashboards/api.py` (adding a separate permission class for the list
endpoint) and `superset-frontend/src/pages/DashboardList/` (checking for the
new permission before rendering). Might be worth opening a formal feature
request issue if you'd like to see this prioritized.
GitHub link:
https://github.com/apache/superset/discussions/38624#discussioncomment-16233593
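The guard in the comment above can be expressed as a small, testable policy function rather than inline path checks. The block below is an added example, not code from the discussion or from Superset: it normalizes the request path so that `/dashboard/list` without a trailing slash cannot slip past, treats the API collection root and its enumeration helpers as "listing" while still allowing a single dashboard addressed by numeric id or slug, and checks the role through FAB's `roles` attribute so anonymous users are handled. The helper route names (`_info`, `related/<col>`, `distinct/<col>`) and the `Admin` role name are assumptions about the Superset deployment; adjust them to match yours.

```python
"""Policy helper for a FLASK_APP_MUTATOR guard on dashboard listing.

Added example (not Superset code). Assumptions: FAB users expose `roles`
with a `.name` on each role, and the dashboard REST API lives under
/api/v1/dashboard/ with the helper routes listed in _LIST_HELPERS.
"""
import re
from dataclasses import dataclass, field

ADMIN_ROLE = "Admin"  # FAB default for AUTH_ROLE_ADMIN; change if renamed

_API_PREFIX = "/api/v1/dashboard"
# Sub-paths that enumerate dashboards rather than address one (assumed
# Superset routes feeding the list page: _info, related/<col>, distinct/<col>).
_LIST_HELPERS = {"_info", "related", "distinct"}


def _normalize(path: str) -> str:
    """Collapse repeated slashes and drop the trailing one, so that
    /dashboard/list, /dashboard/list/ and /dashboard//list/ compare equal."""
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/") or "/"


def is_dashboard_listing(path: str, method: str) -> bool:
    """True when the request enumerates dashboards (UI page or API)."""
    path = _normalize(path)
    if path == "/dashboard/list":
        return True
    if method.upper() != "GET":
        return False
    if path == _API_PREFIX:
        return True  # GET on the collection itself
    if path.startswith(_API_PREFIX + "/"):
        first_segment = path[len(_API_PREFIX) + 1:].split("/", 1)[0]
        # A numeric id or a slug addresses one dashboard; helper names list them.
        return first_segment in _LIST_HELPERS
    return False


def has_role(user, role_name: str) -> bool:
    """Role check that tolerates anonymous users (no `roles` attribute)."""
    roles = getattr(user, "roles", None) or []
    return any(getattr(r, "name", None) == role_name for r in roles)


def should_block(path: str, method: str, user) -> bool:
    """Deny listing requests from anyone without the admin role."""
    return is_dashboard_listing(path, method) and not has_role(user, ADMIN_ROLE)


def mutate_app(app):
    """FLASK_APP_MUTATOR hook: register the policy as a before_request guard."""
    from flask import abort, g, request

    @app.before_request
    def guard_dashboard_listing():
        if should_block(request.path, request.method, getattr(g, "user", None)):
            abort(403)

    return app


# Constructed stand-ins for FAB's Role/User models, used only for offline checks.
@dataclass
class Role:
    name: str


@dataclass
class User:
    roles: list = field(default_factory=list)


ADMIN = User([Role("Admin")])
GAMMA = User([Role("Gamma")])
ANONYMOUS = None  # flask-login anonymous user exposes no roles

if __name__ == "__main__":
    for path, method, user in [
        ("/dashboard/list", "GET", GAMMA),
        ("/api/v1/dashboard/_info", "GET", GAMMA),
        ("/api/v1/dashboard/world-health", "GET", GAMMA),
        ("/dashboard/list/", "GET", ADMIN),
    ]:
        print(path, method, "blocked" if should_block(path, method, user) else "allowed")
```

Drop `mutate_app` into `superset_config.py` as `FLASK_APP_MUTATOR = mutate_app`; the decision logic stays importable and unit-testable without a running Flask app.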
----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to:
[email protected]