GitHub user manimovassagh added a comment to the discussion: Download button
visible for users with only can read permissions (v4.1.2)
Beyond the CSS workaround Dosu mentioned (which is visual-only), you can
actually enforce this server-side using `FLASK_APP_MUTATOR` in your
`superset_config.py`:
```python
def mutate_app(app):
    from flask import g, request, abort

    @app.before_request
    def block_dashboard_export():
        # Block screenshot/thumbnail/export endpoints for non-admin roles
        export_paths = [
            '/api/v1/dashboard/export',
            '/api/v1/chart/export',
        ]
        screenshot_patterns = ['/thumbnail/', '/screenshot/']
        path = request.path
        if any(path.startswith(p) for p in export_paths) or \
                any(p in path for p in screenshot_patterns):
            user = getattr(g, 'user', None)
            # FAB's User model has no has_role(); check the names in user.roles
            roles = getattr(user, 'roles', None) or []
            if user and not any(r.name == 'Admin' for r in roles):
                abort(403)

    return app


FLASK_APP_MUTATOR = mutate_app
```
Combine this with the CSS approach to also hide the buttons in the UI:
```css
/* Add via Dashboard CSS or a custom Jinja template */
.header-actions-container [data-test="download-dropdown"] {
  display: none;
}
```
This gives you both visual removal and backend enforcement. The
`before_request` hook runs before any view function, so even if someone crafts
a direct API call, they'll get a 403.
For a cleaner long-term solution, it would be great to see a native `can export
on Dashboard` permission added to FAB. That's the right architectural approach
-- the frontend would check the permission and conditionally render the
download menu, while the backend would enforce it on the API endpoints.
GitHub link:
https://github.com/apache/superset/discussions/38734#discussioncomment-16233758
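
A way to check the 403 behaviour described in the comment above, as an added example that is not part of the original comment or of Superset: a minimal Flask app with the same kind of `before_request` guard, exercised through Flask's test client. The `FakeUser` class, the `X-Test-Roles` header and the three routes are constructed stand-ins for Superset's login and views.

```python
from flask import Flask, abort, g, request

EXPORT_PREFIXES = ("/api/v1/dashboard/export", "/api/v1/chart/export")
SCREENSHOT_MARKERS = ("/thumbnail/", "/screenshot/")


class FakeUser:
    """Constructed stand-in for a logged-in user: only role names matter here."""

    def __init__(self, *role_names):
        self.role_names = set(role_names)


def build_app():
    app = Flask(__name__)

    @app.before_request
    def load_user():
        # Assumption: a header stands in for the real session/JWT login.
        roles = request.headers.get("X-Test-Roles", "")
        g.user = FakeUser(*filter(None, roles.split(",")))

    @app.before_request
    def block_dashboard_export():
        # Runs after load_user and before any view function is dispatched.
        path = request.path
        guarded = path.startswith(EXPORT_PREFIXES) or any(
            marker in path for marker in SCREENSHOT_MARKERS
        )
        if guarded and "Admin" not in g.user.role_names:
            abort(403)

    @app.route("/api/v1/dashboard/export/")
    def export():
        return "zip-bytes"

    @app.route("/api/v1/dashboard/<int:pk>/thumbnail/<digest>/")
    def thumbnail(pk, digest):
        return "png-bytes"

    @app.route("/api/v1/dashboard/<int:pk>")
    def read(pk):
        return "dashboard-json"

    return app


def status_for(path, roles):
    """Status code a direct API call to `path` gets for a user holding `roles`."""
    client = build_app().test_client()
    return client.get(path, headers={"X-Test-Roles": ",".join(roles)}).status_code
```

The same four requests can be replayed against a staging Superset instance with a real read-only account to confirm the mutator is loaded.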