Yassuip commented on issue #33346: URL: https://github.com/apache/superset/issues/33346#issuecomment-2857073988
If RLS is not supported when creating charts from raw SQL queries, then allowing users to build charts without first saving the dataset poses a potential data security risk. Currently, I haven't found any permission setting that restricts this behavior—aside from completely removing SQL Lab or dataset access. If RLS can't be enforced in this flow, there should be a built-in mechanism to disable chart creation from raw queries to prevent unintended data exposure. Given this, we should treat the ability to bypass RLS as a data exposure issue and consider implementing a fix. Ideally, RLS should be enforced even for raw queries, especially **_since SQL Lab itself applies RLS when returning raw query results. And when a user clicks “Create Chart” from the same SQL Lab screen, the chart should be based on the already-filtered data—not the full underlying dataset_**.
