ktmud commented on a change in pull request #13773:
URL: https://github.com/apache/superset/pull/13773#discussion_r605269892
##########
File path: superset/views/core.py
##########
@@ -1869,6 +1875,19 @@ def dashboard( # pylint: disable=too-many-locals
if key not in [param.value for param in
utils.ReservedUrlParameters]
}
+ extra_jwt = {}
+ if feature_flag_manager.is_feature_enabled("DASHBOARD_RBAC"):
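Review bot: `extra_jwt` is built only when the `DASHBOARD_RBAC` flag is on, but nothing in this hunk ties the claims it will carry to the caller's own dataset permissions; if the token lets dashboard role holders read charts and datasets they could not otherwise query, document that widening next to `extra_jwt = {}` and add a check on the role-assignment path so that only a user with access to every dataset behind the dashboard's charts can add roles to it.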
Review comment:
I'm a little bit wary of the security implication of allowing dashboard
readers to have access to charts and datasets they explicitly don't have access
to.
What if someone creates a dashboard with charts that use datasets they don't
have access to, but adds themselves to the allowed list of roles? What does the
access control flow look like? Would you restrict who can change dashboard
roles only to those who have admin access to the underlying datasets? Because
if someone has view access to a dataset or edit access to a dashboard, it
doesn't mean they can just publish this dataset or the content of this
dashboard to any audience.
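The gate the comment asks about, written out as an added Python illustration that is not Superset's own code: the classes and functions are a hypothetical model, not Superset's ORM or security manager, and the rule is that only a dashboard editor who already has access to every underlying dataset may widen the dashboard's role list.

```python
from dataclasses import dataclass, field

# Constructed toy model of the objects involved; not Superset's ORM.
@dataclass(frozen=True)
class Dataset:
    name: str

@dataclass(frozen=True)
class Chart:
    name: str
    dataset: Dataset

@dataclass
class Dashboard:
    name: str
    charts: list
    roles: set = field(default_factory=set)  # roles allowed under DASHBOARD_RBAC

@dataclass
class User:
    name: str
    roles: set
    dataset_access: set  # datasets the user may query directly
    can_edit_dashboards: bool = False

def underlying_datasets(dashboard: Dashboard) -> set:
    """Every dataset reached through the dashboard's charts."""
    return {chart.dataset for chart in dashboard.charts}

def can_grant_dashboard_roles(user: User, dashboard: Dashboard) -> bool:
    """Hypothetical gate: only an editor who already has access to every
    underlying dataset may publish the dashboard to additional roles, so
    editing a dashboard cannot be used to read data the editor cannot query."""
    return user.can_edit_dashboards and underlying_datasets(dashboard) <= user.dataset_access

def grant_dashboard_roles(user: User, dashboard: Dashboard, roles: set) -> bool:
    """Widen the dashboard's audience only when the gate passes."""
    if not can_grant_dashboard_roles(user, dashboard):
        return False
    dashboard.roles |= roles
    return True

def can_view_dashboard(user: User, dashboard: Dashboard) -> bool:
    """Dashboard RBAC as the PR describes it: a matching role grants the
    dashboard and, transitively, the datasets behind its charts."""
    return bool(user.roles & dashboard.roles) or underlying_datasets(dashboard) <= user.dataset_access
```

An editor with no dataset access is refused when trying to add their own role, while an owner who can query the dataset may publish the dashboard to that role.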
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.