chandug1991 commented on issue #33698: URL: https://github.com/apache/superset/issues/33698#issuecomment-2947973454
Yes, this is exactly the issue I'm facing: a user who has access to only one dataset is still able to see data from charts built on unauthorized datasets within an embedded dashboard. This behavior is not expected, as Superset should enforce dataset-level permissions even in embedded mode.

What’s surprising is that the same setup behaves correctly when logging in directly to Superset: the unauthorized charts display an "Access Denied" overlay as expected. However, when using a guest token in the embedded approach, those same charts load and show data, bypassing the expected dataset-level access checks.

To clarify further, here are some examples based on role and access.

Dashboard access in Superset via direct login (using the view and manager roles):

- VIEW ROLE
- MANAGER ROLE

Dashboard access via the embedded approach with the same roles:

- VIEW ROLE
- MANAGER ROLE

Below is the config for better clarity:

```python
from typing import Callable  # needed for the GUEST_TOKEN_JWT_AUDIENCE annotation below

DEFAULT_FEATURE_FLAGS: dict[str, bool] = {
    # Experimental feature introducing a client (browser) cache
    "CLIENT_CACHE": False,  # deprecated
    "DISABLE_DATASET_SOURCE_EDIT": False,  # deprecated
    # When using a recent version of Druid that supports JOINs turn this on
    "DRUID_JOINS": False,
    "DYNAMIC_PLUGINS": False,
    # With Superset 2.0, we are updating the default so that the legacy datasource
    # editor no longer shows. Currently this is set to false so that the editor
    # option does show, but we will be depreciating it.
    "DISABLE_LEGACY_DATASOURCE_EDITOR": True,
    # For some security concerns, you may need to enforce CSRF protection on
    # all query request to explore_json endpoint. In Superset, we use
    # `flask-csrf <https://sjl.bitbucket.io/flask-csrf/>`_ add csrf protection
    # for all POST requests, but this protection doesn't apply to GET method.
    # When ENABLE_EXPLORE_JSON_CSRF_PROTECTION is set to true, your users cannot
    # make GET request to explore_json. explore_json accepts both GET and POST request.
    # See `PR 7935 <https://github.com/apache/superset/pull/7935>`_ for more details.
    "ENABLE_EXPLORE_JSON_CSRF_PROTECTION": False,  # deprecated
    # "ENABLE_TEMPLATE_PROCESSING": True,
    "ENABLE_TEMPLATE_PROCESSING": True,
    "ENABLE_TEMPLATE_REMOVE_FILTERS": True,  # deprecated
    # Allow for javascript controls components
    # this enables programmers to customize certain charts (like the
    # geospatial ones) by inputting javascript in controls. This exposes
    # an XSS security vulnerability
    "ENABLE_JAVASCRIPT_CONTROLS": True,
    "KV_STORE": False,
    # When this feature is enabled, nested types in Presto will be
    # expanded into extra columns and/or arrays. This is experimental,
    # and doesn't work with all nested types.
    "PRESTO_EXPAND_DATA": False,
    # Exposes API endpoint to compute thumbnails
    "THUMBNAILS": False,
    "DASHBOARD_CACHE": True,  # deprecated
    "REMOVE_SLICE_LEVEL_LABEL_COLORS": False,  # deprecated
    "SHARE_QUERIES_VIA_KV_STORE": False,
    "TAGGING_SYSTEM": False,
    "SQLLAB_BACKEND_PERSISTENCE": True,
    "LISTVIEWS_DEFAULT_CARD_VIEW": False,
    # When True, this escapes HTML (rather than rendering it) in Markdown components
    "ESCAPE_MARKDOWN_HTML": False,
    "DASHBOARD_NATIVE_FILTERS": True,  # deprecated
    "DASHBOARD_CROSS_FILTERS": True,
    # Feature is under active development and breaking changes are expected
    "DASHBOARD_NATIVE_FILTERS_SET": True,  # deprecated
    "DASHBOARD_FILTERS_EXPERIMENTAL": True,  # deprecated
    "DASHBOARD_VIRTUALIZATION": False,
    "GLOBAL_ASYNC_QUERIES": False,
    "VERSIONED_EXPORT": True,  # deprecated
    "EMBEDDED_SUPERSET": True,
    # Enables Alerts and reports new implementation
    "ALERT_REPORTS": False,
    "DASHBOARD_RBAC": True,
    "ENABLE_EXPLORE_DRAG_AND_DROP": True,  # deprecated
    "ENABLE_ADVANCED_DATA_TYPES": False,
    # Enabling ALERTS_ATTACH_REPORTS, the system sends email and slack message
    # with screenshot and link
    # Disables ALERTS_ATTACH_REPORTS, the system DOES NOT generate screenshot
    # for report with type 'alert' and sends email and slack message with only link;
    # for report with type 'report' still send with email and slack message with
    # screenshot and link
    "ALERTS_ATTACH_REPORTS": True,
    # Allow users to export full CSV of table viz type.
    # This could cause the server to run out of memory or compute.
    "ALLOW_FULL_CSV_EXPORT": True,
    "GENERIC_CHART_AXES": True,  # deprecated
    "ALLOW_ADHOC_SUBQUERY": False,
    "USE_ANALAGOUS_COLORS": False,
    # Apply RLS rules to SQL Lab queries. This requires parsing and manipulating the
    # query, and might break queries and/or allow users to bypass RLS. Use with care!
    "RLS_IN_SQLLAB": True,
    # Enable caching per impersonation key (e.g username) in a datasource where user
    # impersonation is enabled
    "CACHE_IMPERSONATION": False,
    # Enable caching per user key for Superset cache (not database cache impersonation)
    "CACHE_QUERY_BY_USER": True,
    # Enable sharing charts with embedding
    "EMBEDDABLE_CHARTS": True,
    "DRILL_TO_DETAIL": True,
    "DRILL_BY": True,
    "DATAPANEL_CLOSED_BY_DEFAULT": False,
    "HORIZONTAL_FILTER_BAR": True,
    # The feature is off by default, and currently only supported in Presto and Postgres,
    # and Bigquery.
    # It also needs to be enabled on a per-database basis, by adding the key/value pair
    # `cost_estimate_enabled: true` to the database `extra` attribute.
    "ESTIMATE_QUERY_COST": False,
    # Allow users to enable ssh tunneling when creating a DB.
    # Users must check whether the DB engine supports SSH Tunnels
    # otherwise enabling this flag won't have any effect on the DB.
    "SSH_TUNNELING": False,
    "AVOID_COLORS_COLLISION": True,
    # Set to False to only allow viewing own recent activity
    # or to disallow users from viewing other users profile page
    # Do not show user info or profile in the menu
    "MENU_HIDE_USER_INFO": False,
    # Allows users to add a ``superset://`` DB that can query across databases. This is
    # an experimental feature with potential security and performance risks, so use with
    # caution. If the feature is enabled you can also set a limit for how much data is
    # returned from each database in the ``SUPERSET_META_DB_LIMIT`` configuration value
    # in this file.
    "ENABLE_SUPERSET_META_DB": False,
    # Set to True to replace Selenium with Playwright to execute reports and thumbnails.
    # Unlike Selenium, Playwright reports support deck.gl visualizations
    # Enabling this feature flag requires installing "playwright" pip package
    "PLAYWRIGHT_REPORTS_AND_THUMBNAILS": False,
}

FEATURE_FLAGS: dict[str, bool] = {
    "EMBEDDED_SUPERSET": True,
}

# Embedded config options
ENABLE_GUEST_TOKEN = True
GUEST_ROLE_NAME = "Gamma"
GUEST_TOKEN_JWT_SECRET = "test-guest-secret-change-me"
GUEST_TOKEN_JWT_ALGO = "HS256"
GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
GUEST_TOKEN_JWT_EXP_SECONDS = 28800  # 8 hours
# Guest token audience for the embedded superset, either string or callable
GUEST_TOKEN_JWT_AUDIENCE: Callable[[], str] | str | None = None
```

Looking forward to further guidance. @dosu.
