Without "can write on DashboardPermalinkRestApi", a click on an anchor (tabs or header) redirects to the login page

Open xavier-GitHub76 opened this issue 1 year ago • 1 comments

Bug description

Without "can write to DashboardPermalinkRestApi", clicking on an anchor (tabs or header) redirects to the login page

The anchor should only be displayed if permission is present

How to reproduce the bug

Click on an anchor

Screenshots/recordings

image or image --> image

Superset version

4.0.2

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

xavier-GitHub76 avatar Aug 23 '24 10:08 xavier-GitHub76

I found a similar closed issue that might be relevant to your problem: How to disable authentication to bypass login? [1].

Regarding your specific issue, the expected behavior for users without the "can write to DashboardPermalinkRestApi" permission is that they should receive a 404 Not Found response when attempting to create a new dashboard's permanent link, not a redirection to the login page [2][3][4].

The logic for rendering anchors (tabs or headers) and their visibility based on permissions is managed within the Header component. The visibility of these elements is controlled by props such as userCanEdit, userCanShare, userCanSave, and userCanCurate [5][6][7].

To address the issue, you should ensure that the anchors are only displayed if the user has the necessary permissions. This can be done by checking the relevant permissions before rendering the anchors in the Header component.

dosubot[bot] avatar Aug 23 '24 10:08 dosubot[bot]

@xavier-GitHub76 are you still facing this one? I'm assuming this still exists in 4.1.2.

This seems like another case for a disabled button, like https://github.com/apache/superset/pull/32995

rusackas avatar Apr 04 '25 04:04 rusackas

I don't reproduce the problem with version 5.0.0-RC2 anymore

xavier-GitHub76 avatar Apr 30 '25 09:04 xavier-GitHub76