dpgaspar edited a comment on issue #9438: revert #9329
URL: https://github.com/apache/incubator-superset/pull/9438#issuecomment-607413835
 
 
   I'm able to reproduce it the following way:
   - Give users access to dashboards that contain charts they are able to access by having database access permission, and datasource permission.
   - Low priv user Favorites the dashboard
   - Remove the datasource access permission to the user.
   - Users are not able to view these charts on the charts list view, but they can viz them on the dashboard
   - Users use "Explore Chart" on the dashboard, and then click "Edit properties" and get HTTP 404.
   
   This is caused by users having access to viz charts by having the database access permission, but the chart filter does not include the database access filter, just schema, datasource or all datasources:
   
   here: https://github.com/apache/incubator-superset/blob/master/superset/charts/filters.py
   and here: https://github.com/apache/incubator-superset/blob/master/superset/views/chart/filters.py
   
   Can you confirm this reasoning?
   
   A possible path forward could be to add the database access to this filter, and assume this is the new security filter in place for charts.
   
   Another path could be for the front end to disable the edit properties if the backend returns 404.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
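
The mismatch described in the comment above, as an added example that is not part of the original message and is not Superset's code: a small model in which the dashboard view check accepts database access while the chart list/edit filter does not. The `Chart` class, the `(kind, name)` permission tuples, the function names and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed model: permissions are (kind, name) tuples. This is an
# assumption for illustration, not Superset's real permission schema.
@dataclass(frozen=True)
class Chart:
    id: int
    database: str
    schema: str
    datasource: str

def _grants(perms, chart, include_database):
    """True if any permission in perms covers the chart."""
    return (
        ("all_datasource_access", "*") in perms
        or ("schema_access", chart.schema) in perms
        or ("datasource_access", chart.datasource) in perms
        or (include_database and ("database_access", chart.database) in perms)
    )

def can_view(perms, chart):
    """Check used when a chart is rendered on a dashboard (model)."""
    return _grants(perms, chart, include_database=True)

def list_filter(perms, charts, include_database=False):
    """Filter behind the chart list and edit endpoints (model).
    include_database=False mirrors the gap in the comment: only schema,
    datasource or all-datasources access is considered."""
    return [c for c in charts if _grants(perms, c, include_database)]

def divergent(perms, charts, include_database=False):
    """Chart ids a user can view but that the list/edit filter hides.
    These are the charts where 'Edit properties' would return 404."""
    listed = {c.id for c in list_filter(perms, charts, include_database)}
    return [c.id for c in charts if can_view(perms, c) and c.id not in listed]

# Constructed sample data.
CHARTS = [
    Chart(1, "examples", "examples.public", "birth_names"),
    Chart(2, "finance", "finance.private", "ledger"),
]
BEFORE = {("database_access", "examples"), ("datasource_access", "birth_names")}
AFTER = {("database_access", "examples")}  # datasource permission removed

if __name__ == "__main__":
    print("before removal:", divergent(BEFORE, CHARTS))    # consistent
    print("after removal: ", divergent(AFTER, CHARTS))     # chart 1 diverges
    print("filter aligned:", divergent(AFTER, CHARTS, include_database=True))
```

Run as a regression check, a non-empty `divergent` result for any role signals that the two authorization paths have drifted apart.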
