rusackas commented on issue #39682: URL: https://github.com/apache/superset/issues/39682#issuecomment-4434116430
Hey @sandy4597niko — thanks for your patience working through this. The bot's last suggestion is actually the most promising lead so far: since your custom `has_access` debug hook isn't logging any denied permissions, the 403 is almost certainly firing before any RBAC check runs, which points to the referrer domain validation in the embedded route itself.

To confirm, can you check two things?

1) In Superset, go to your dashboard → three-dot menu → Embed dashboard and tell us what's in the Allowed Domains field. If it's empty, that's fine (any domain is allowed). If it has entries, they need to match exactly the origin your iframe is served from (including protocol and port).
2) What is the origin of the page where you're embedding the iframe (e.g. https://yourapp.com)?

Also, to make sure we're ruling out config issues — could you confirm that `GUEST_ROLE_NAME` in your `superset_config.py` is set to the name of the new dedicated role you created, and not "Gamma" or "Public"?

If none of that resolves it, a full server-side stack trace (not just the werkzeug line — the whole traceback) and a screenshot of the failing request in your browser's Network tab would help us pinpoint exactly where the 403 is being thrown.
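The Allowed Domains comparison described in the comment above, as an added diagnostic sketch (not code from the comment or from Superset). It assumes a strict comparison of protocol, host and explicitly written port; the function names and sample origins are constructed for illustration.

```python
from urllib.parse import urlsplit


def origin_parts(url):
    """Return (scheme, host, port) as written in the URL; port is None if omitted."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute origin (scheme missing?): {url!r}")
    return parts.scheme.lower(), parts.hostname.lower(), parts.port


def explain_mismatch(allowed_entry, page_origin):
    """Return [] when the entry matches the origin, else the differing components."""
    try:
        entry = origin_parts(allowed_entry)
    except ValueError as exc:
        # A bare hostname such as "yourapp.com" has no protocol to compare.
        return [str(exc)]
    page = origin_parts(page_origin)
    names = ("protocol", "host", "port")
    return [
        f"{name}: entry has {e!r}, page has {p!r}"
        for name, e, p in zip(names, entry, page)
        if e != p
    ]


def check_allowed_domains(allowed_domains, page_origin):
    """Empty list allows any origin; otherwise one entry must match exactly."""
    if not allowed_domains:
        return True, {}
    report = {entry: explain_mismatch(entry, page_origin) for entry in allowed_domains}
    return any(not diffs for diffs in report.values()), report


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    allowed = ["yourapp.com", "http://yourapp.com", "https://yourapp.com:8443"]
    ok, report = check_allowed_domains(allowed, "https://yourapp.com")
    print("allowed:", ok)
    for entry, diffs in report.items():
        print(f"  {entry}: {'match' if not diffs else '; '.join(diffs)}")
```

Paste the Allowed Domains entries and the embedding page's origin into the sample values to see which component differs for each entry.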
