helo-ch opened a new issue #12279: URL: https://github.com/apache/incubator-superset/issues/12279
We have created several custom roles like `DB_ACCESS_XXX` so that each team cannot see and interact with datasets from an other team. So each user have the following roles : * Gamma * sql_lab : `[can list on UserDBModelView, can sql json on Superset, can sqllab on Superset, can search queries on Superset, can csv on Superset, can sqllab viz on Superset, menu access on SQL Lab, menu access on SQL Editor, menu access on Saved Queries, menu access on Query Search, can list on UserLDAPModelView, can sqllab table viz on Superset]` * DB_ACCESS_XXX : `[database access on [Timescaledb XXX].(id:3)]` * tables_modify : `[can edit on TableModelView, can add on TableModelView, can list on TableModelView, can show on TableModelView, can tables on Superset, refresh on TableModelView, can save on Datasource, can get on Datasource, can datasources on Superset, menu access on Tables, can list on TableColumnInlineView, can show on TableColumnInlineView, can fetch datasource metadata on Superset]` * Annotations : `[can list on AnnotationLayerModelView, can show on AnnotationLayerModelView, can delete on AnnotationLayerModelView, can edit on AnnotationLayerModelView, can add on AnnotationLayerModelView, muldelete on AnnotationLayerModelView, can list on AnnotationModelView, can show on AnnotationModelView, can delete on AnnotationModelView, can edit on AnnotationModelView, can add on AnnotationModelView, muldelete on AnnotationModelView, can annotation json on Superset, menu access on Annotation Layers, menu access on Annotations, menu access on Manage]` ### Expected results When users save queries, we are expecting users to only see queries that are in relation to the database XXX to which they have access, and not see the savec queries from other databases. Example : user1 has access to DB ABC, user 2 has access to DB EDF. user1 saves a query qurying a table from ABC. user1 can see their saved query, but user2 cannot. ### Actual results Taking the same example, what actually happens is that user2 can see the query user1 saved, even though they don't have access to DB ABC. ### Environment - superset version: `0.38.0` ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
