getredash
Cannot change group permissions using REST API
Issue Summary
When performing a POST call to api/groups/id with a payload to update/edit group permissions, the request comes back without the permissions set to the new permissions in payload. The only parameter inside the payload that can be changed is name.
The permissions parameter should be a parameter that can be configured using the API. As per the docs, there is currently no support to change group permissions in UI, but the docs kind of suggest you can do it otherwise, i.e. using API:
"Group membership defines the actions a user is allowed to take (although currently there’s no UI to edit group action permissions), and which data sources they have access to (for this we have UI)".
Looking at the code, I can see that in fact the only parameter that is being commited is name and the value for permissions coming from the request is not appended/commited: https://github.com/getredash/redash/blob/master/redash/handlers/groups.py#L32-L45
Nonetheless, in cli code, I can see that group permissions can be edited: https://github.com/getredash/redash/blob/master/redash/cli/groups.py#L57-L76
Hence why I am considering this as a bug.
Steps to Reproduce
- Perform a
POSTcall to/api/groups/idand set the payload to:
{
"name": "user-group-role",
"permissions": [
"view_query",
"view_source",
"list_dashboards"
]
}
This is considered a bug since looking at the code, cli supports editing group permissions but can't do using API. User group permissions should be allowed to be edited using API as well, not just the name parameter.
Technical details:
- Redash Version:
10.1.0 (2589bef1) - Browser/OS: Chrome/Firefox/MacOS
- How did you install Redash: K8s EKS deployment
