hughhhh commented on pull request #11755: URL: https://github.com/apache/incubator-superset/pull/11755#issuecomment-741046410
> It's good that users only see dataset list from they `owned`, and can only overwrite dataset that he `owned`. > But there is a `can_access_all_datasources` permission: Users with `can_access_all_datasources` can add anyone as owner of a dataset. For these users, they can still overwrite others dataset (after they add them as dataset owners). > Can you confirm this is expected behavior? There is no extra protection in `can_access_all_datasources` users? > Thanks @hughhhh! @graceguo-supercat So the only way for the users to overwrite a dataset is if they are in the owner list via `check_ownership` function. So if a user has access to all datasource they must first add themselves as an owner then they'll be able to overwrite. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
