superset
A user without edit permission can access the swap dataset function
Bug description
Hello,
With Superset v3.0.0, I create a user with essential permissions (cf. https://github.com/apache/superset/issues/27765); access to a dataset is created.
From the "View all" buttons on the home page (always displayed), the user can list dashboards or charts. He can select a chart, and the editor page is displayed although he does not have edit permission.
Several error messages are displayed, for example on the "swap dataset" function. The "swap data" function must not be displayed without permission.
Best regards
How to reproduce the bug
Screenshots/recordings
https://github.com/apache/superset/assets/82046143/8f955075-c117-4062-a39d-bf8a5bb6f1f2
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
We have two Superset instances:
- on "demo": the dataset list is empty
- on "dis": the dataset list has values (= permissions on datasets)
All instances are on version 3.0.0 and use the following roles:
READ_ONLY : [can read on CssTemplate, can userinfo on UserRemoteUserModelView, can time range on Api, can dashboard on Superset, can profile on Superset, can recent activity on Log]
ACCESS_ON_1_DATASET : [datasource access on [PostgreSQL].test]
Best regards