chandug1991 commented on issue #33698: URL: https://github.com/apache/superset/issues/33698#issuecomment-2945739767
Thanks again for the clarification. I understand and accept that charts can't be visually hidden in embedded dashboards at the moment—but my concern is deeper than that. In my case: user1 is assigned to role1, which has access only to dataset1 chart1 uses dataset1 (authorized), chart2 uses dataset2 (unauthorized) Both charts are part of the same embedded dashboard When user1 accesses the embedded dashboard, both chart1 and chart2 are displaying data, even though user1 should have no access to dataset2. My expectation is that chart2 should show "Access Denied" or error overlay, not the actual data from dataset2. This feels like a violation of dataset-level access control, rather than just a UI limitation. I’ve confirmed: role1 has no all_datasource_access dataset2 is not included in role1's permissions DASHBOARD_RBAC is disabled Guest token is generated only for the dashboard, not the dataset If Superset is granting data access to datasets that the user's role doesn’t allow—just because the chart is part of an embedded dashboard—that seems like a gap in access enforcement, not just a rendering choice. Is this behavior expected with embedded dashboards? Or could this be a regression or misconfiguration? Would really appreciate any insight on whether data-level protection should still apply in this scenario. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
