john-bodley edited a comment on issue #13954: URL: https://github.com/apache/superset/issues/13954#issuecomment-840152353
@bkyryliuk @kamalkeshavani-aiinside @nytai: @etr2460, @graceguo-supercat and I discussed this in more detail and we feel at Airbnb we can close the current security vulnerability with custom overrides in our security manager.

The TL;DR is we would perform a check on behalf of the members of the email or Slack group and deny access to the chart if any member does not have access. We'll leverage the Google Directory and Slack APIs to enumerate the group members from the information provided in the modal.

In order to achieve this there would be two minor changes:

1. Add a config option to define valid email domains and add frontend validation in the modal, i.e., we want to ensure that emails can only be sent to the `@airbnb.com` domain.
2. Add the email or Slack group to the `Flask.g` context which the security manager can access. This approach feels cleaner than having to pass the information through a litany of function calls.

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
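The check sketched in the comment above, as an added illustration that is not part of the issue thread and not Superset's or Airbnb's code: a recipient list is expanded to individual mailboxes (Google group, nested group, Slack channel), each recipient is first validated against an allowed-domain list, and the report is denied if any expanded member lacks access to the chart. The names `ALLOWED_EMAIL_DOMAINS`, `Directory`, `raise_for_report_access` and the `has_access` callback are assumptions; in the proposed design the recipients would be read from Flask's `g` context inside a custom security manager, `Directory` would wrap the Google Directory and Slack APIs, and `has_access` would be the security manager's own per-user chart check. The directory and grant data at the bottom are constructed for the demonstration.

```python
"""Recipient-aware access check for scheduled email/Slack reports.

Added illustration, not Superset's or Airbnb's code. ALLOWED_EMAIL_DOMAINS,
Directory, raise_for_report_access and the has_access callback are assumed
names; the sample directory and grants below are constructed data.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

# Hypothetical config option: the only domains report emails may be sent to.
ALLOWED_EMAIL_DOMAINS: Set[str] = {"airbnb.com"}

_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


class ReportAccessDenied(Exception):
    """The report would reach at least one principal without chart access."""


def validate_recipient_email(address: str,
                             allowed: Iterable[str] = ALLOWED_EMAIL_DOMAINS) -> bool:
    """Server-side twin of the modal's frontend check.

    The domain must equal an allowed domain exactly (case-insensitive), so
    look-alikes such as airbnb.com.evil.example or evilairbnb.com fail.
    """
    match = _EMAIL_RE.match(address.strip())
    if not match:
        return False
    return match.group(1).lower() in {d.lower() for d in allowed}


@dataclass
class Directory:
    """Constructed stand-in for Google Directory groups and Slack channels."""
    email_groups: Dict[str, List[str]]    # group address -> members (may nest groups)
    slack_channels: Dict[str, List[str]]  # "#channel" -> member email addresses

    def expand(self, recipient: str) -> Set[str]:
        """Resolve a recipient to the set of individual addresses it reaches."""
        if recipient.startswith("#"):
            if recipient not in self.slack_channels:
                # Unknown channel: its members cannot be enumerated, so fail closed.
                raise ReportAccessDenied(f"cannot enumerate members of {recipient}")
            return set(self.slack_channels[recipient])
        return self._expand_group(recipient, visited=set())

    def _expand_group(self, address: str, visited: Set[str]) -> Set[str]:
        if address not in self.email_groups:
            return {address}  # plain individual mailbox
        if address in visited:
            return set()      # cycle guard for mutually nested groups
        visited.add(address)
        members: Set[str] = set()
        for member in self.email_groups[address]:
            members |= self._expand_group(member, visited)
        return members


def raise_for_report_access(chart_id: int,
                            recipients: Iterable[str],
                            directory: Directory,
                            has_access: Callable[[str, int], bool]) -> Set[str]:
    """Deny the report unless every individual it reaches can access the chart.

    has_access(user_email, chart_id) stands in for the security manager's
    per-user chart check. Returns the full expanded recipient set on success.
    """
    reached: Set[str] = set()
    for recipient in recipients:
        if not recipient.startswith("#") and not validate_recipient_email(recipient):
            raise ReportAccessDenied(f"recipient {recipient!r} is outside the allowed domains")
        reached |= directory.expand(recipient)
    denied = sorted(user for user in reached if not has_access(user, chart_id))
    if denied:
        raise ReportAccessDenied(
            f"chart {chart_id}: {len(denied)} recipient(s) lack access: {', '.join(denied)}")
    return reached


# Constructed sample data for the demonstration.
SAMPLE_DIRECTORY = Directory(
    email_groups={
        "analytics@airbnb.com": ["alice@airbnb.com", "data-eng@airbnb.com"],
        "data-eng@airbnb.com": ["bob@airbnb.com", "analytics@airbnb.com"],  # nested and cyclic
    },
    slack_channels={"#finance": ["carol@airbnb.com", "dave@airbnb.com"]},
)
SAMPLE_GRANTS = {  # (user, chart_id) pairs that are allowed to see the chart
    ("alice@airbnb.com", 7), ("bob@airbnb.com", 7), ("carol@airbnb.com", 7),
}


def sample_has_access(user: str, chart_id: int) -> bool:
    """Stand-in for the security manager's per-user chart access check."""
    return (user, chart_id) in SAMPLE_GRANTS
```

Two design points worth keeping when adapting this: the domain check runs server-side as well as in the modal, since frontend validation alone can be bypassed by posting to the API directly, and the expansion fails closed on anything it cannot enumerate (an unknown Slack channel) rather than treating it as an individual address.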
