dosubot[bot] commented on issue #33698: URL: https://github.com/apache/superset/issues/33698#issuecomment-2947977541
What you’re seeing—where embedded dashboards show data from unauthorized datasets—is not expected and points to a misconfiguration or a frontend bug. Superset’s backend is designed to enforce dataset-level permissions for embedded dashboards using guest tokens: only datasets associated with the dashboard should be accessible, and unauthorized charts should show an “Access Denied” overlay, not data ([reference](https://github.com/apache/superset/blob/b3f436a030ae110c75e5a6cd02d63e63021eb49d/superset/security/manager.py)).

A common cause is the frontend not including the correct `dashboardId` in the `form_data` when requesting chart data. This can bypass permission checks and expose data from unauthorized datasets. Make sure your embedding code (or SDK) sends the `dashboardId` in every chart’s `form_data`—see [this issue and fix](https://github.com/apache/superset/issues/32552) for details. For React apps, you can do this by pulling the dashboard ID from state and injecting it into the chart’s `formData` before making the request.

Also, double-check that your guest role (e.g., `Gamma`) does not have `all_datasource_access` or explicit access to restricted datasets, and that your guest token is only scoped to the dashboard, not to datasets directly ([reference](https://github.com/apache/superset/issues/26201)).

If you confirm the frontend is sending the correct `dashboardId` and your roles are locked down, but the issue persists, it could be a regression. In that case, it’s worth checking for recent changes in your Superset version or any custom code that might affect how chart queries are built or sent.

Let me know if you want more details on how to check or patch the frontend code for this!
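An added example in JavaScript, not code from the thread or from the Superset project, covering the two checks the comment above recommends: inspecting a guest token's claims to confirm it is scoped to one dashboard and to no datasets, and attaching `dashboardId` to a chart's `form_data` before the request is sent. The token claims, dashboard UUID and helper names (`auditGuestTokenScope`, `withDashboardId`) are constructed for the demo; the claim layout is assumed to follow the `type`/`resources`/`rls_rules` shape of Superset guest tokens.

```javascript
// Added example, not code from the Superset project or from this thread:
// (1) check that the guest token is scoped to the dashboard only, never to
// datasets; (2) attach dashboardId to a chart's form_data before the request.
// Decode a JWT payload without verifying it; the server verifies signatures,
// this only inspects the claims the embedding page was handed.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns findings; an empty list means the token is scoped to the expected dashboard only.
function auditGuestTokenScope(token, expectedDashboardId) {
  const claims = decodeJwtPayload(token);
  const findings = [];
  if (claims.type !== "guest") findings.push(`unexpected token type: ${claims.type}`);
  const resources = Array.isArray(claims.resources) ? claims.resources : [];
  if (resources.length === 0) findings.push("token carries no resources");
  for (const r of resources) {
    if (r.type !== "dashboard") {
      findings.push(`non-dashboard resource: ${r.type}:${r.id}`);
    } else if (String(r.id) !== String(expectedDashboardId)) {
      findings.push(`dashboard id mismatch: ${r.id}`);
    }
  }
  return findings;
}

// The backend resolves the dashboard from form_data.dashboardId before it
// checks whether the chart's dataset is reachable through that dashboard,
// so refuse to build a request without it instead of silently dropping it.
function withDashboardId(formData, dashboardId) {
  if (dashboardId === undefined || dashboardId === null) {
    throw new Error("dashboardId is required for embedded chart requests");
  }
  return { ...formData, dashboardId };
}

// Constructed sample tokens: claim names follow the shape of Superset guest
// tokens, but values and the signature segment are placeholders.
function constructedToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.placeholder`;
}
const DASHBOARD_UUID = "00000000-0000-4000-8000-000000000001"; // placeholder
const scopedToken = constructedToken({ type: "guest", rls_rules: [],
  resources: [{ type: "dashboard", id: DASHBOARD_UUID }] });
const overScopedToken = constructedToken({ type: "guest", resources: [
  { type: "dashboard", id: DASHBOARD_UUID }, { type: "dataset", id: 7 }] });
```

Run it under Node: `auditGuestTokenScope(scopedToken, DASHBOARD_UUID)` returns an empty list, while the over-scoped token reports the extra `dataset` resource, which is exactly the shape of token the comment says to avoid.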
