kamalk-github opened a new issue #11662: URL: https://github.com/apache/incubator-superset/issues/11662
If a user can access some dashboard(via access to underlying datasource(s)) where the user is not owner/admin, the user can create a new chart and add it to the dashboard without admin rights. Follow below steps to reproduce: 1. A user who is not owner/admin of a dashboard can view it(via access to underlying datasource(s)). 2. Create a new chart from available datasources. 3. Edit the chart properties, and add the dashboard name to "Dashboards" section of "Edit Chart" screen. 4. New chart created by user is added to dashboard and can be seen on Dashboard by everyone. This should not be allowed since the user is not owner/admin of Dashboard. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
