apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

Anyone can access the dashboards and datasets via the login page even without logging in, anything wrong with my configuration? #19973

Closed 710700 closed 2 years ago

710700 commented 2 years ago

Screenshot

[screenshot not reproduced on this page]

Description

Anonymous users can access the dashboards and data (including datasets and databases); however, if they click charts, it throws an unexpected error like this image.

Version: 1.5.0 SHA: 24cf33ee

my superset_config.py:


from flask_appbuilder.security.manager import AUTH_LDAP
from celery.schedules import crontab
from superset.typing import CacheConfig

SQLALCHEMY_DATABASE_URI = 'xxxx'

APP_NAME = "xxxx"

# ----------------------------------------------------
# AUTHENTICATION CONFIG
# ----------------------------------------------------
# The authentication type
# AUTH_OID : Is for OpenID
# AUTH_DB : Is for database (username/password)
# AUTH_LDAP : Is for LDAP
# AUTH_REMOTE_USER : Is for using REMOTE_USER from web server
AUTH_TYPE = AUTH_LDAP

# Uncomment to setup Full admin role name
AUTH_ROLE_ADMIN = 'Admin'

# Uncomment to setup Public role name, no authentication needed
AUTH_ROLE_PUBLIC = 'Public'

# Will allow user self registration
AUTH_USER_REGISTRATION = True

# The default user self registration role
AUTH_USER_REGISTRATION_ROLE = "Public"

PUBLIC_ROLE_LIKE = "Gamma"

# When using LDAP Auth, setup the LDAP server
# AUTH_LDAP_SERVER = "ldap://ldapserver.new"
AUTH_LDAP_SERVER = "xxxx"
AUTH_LDAP_SEARCH = "xxxx"
AUTH_LDAP_UID_FIELD = "sn"
# Key name corrected: the original read AUTH_LDAP_LASTTNAME_FIELD, which Flask-AppBuilder ignores
AUTH_LDAP_LASTNAME_FIELD = "cn"
AUTH_LDAP_BIND_USER = "xxxx"
AUTH_LDAP_BIND_PASSWORD = "xxxx"

# FEATURE_FLAGS: Dict[str, bool] = {}
FEATURE_FLAGS = {
    "ALERT_REPORTS": True,
    # This could cause the server to run out of memory or compute.
    "ALLOW_FULL_CSV_EXPORT": True,
}

# ---------------------------------------------------
# Thumbnail config (behind feature flag)
# Also used by Alerts & Reports
# ---------------------------------------------------
THUMBNAIL_SELENIUM_USER = "xxxx"

# Default cache for Superset objects
CACHE_CONFIG: CacheConfig = {"CACHE_TYPE": "simple"}

# Cache for datasource metadata and query results
DATA_CACHE_CONFIG: CacheConfig = {"CACHE_TYPE": "simple"}

# CSV Options: key/value pairs that will be passed as argument to DataFrame.to_csv
# method.
# note: index option should not be overridden
CSV_EXPORT = {"encoding": "utf-8"}

# Default celery config is to use SQLA as a broker, in a production setting
# you'll want to use a proper broker as specified here:
# http://docs.celeryproject.org/en/latest/getting-started/brokers/index.html

class CeleryConfig:  # pylint: disable=too-few-public-methods
    # BROKER_URL = "sqla+sqlite:///celerydb.sqlite"
    BROKER_URL = 'xxxx'
    CELERY_IMPORTS = ("superset.sql_lab", "superset.tasks")
    # CELERY_RESULT_BACKEND = "db+sqlite:///celery_results.sqlite"
    CELERY_RESULT_BACKEND = 'xxxx'
    CELERYD_LOG_LEVEL = "DEBUG"
    CELERYD_PREFETCH_MULTIPLIER = 10
    CELERY_ACKS_LATE = True
    CELERY_ANNOTATIONS = {
        "sql_lab.get_sql_results": {"rate_limit": "100/s"},
        "email_reports.send": {
            "rate_limit": "1/s",
            "time_limit": 300,
            "soft_time_limit": 300,
            "ignore_result": True,
        },
    }
    CELERYBEAT_SCHEDULE = {
        "email_reports.schedule_hourly": {
            "task": "email_reports.schedule_hourly",
            "schedule": crontab(minute=1, hour="*"),
        },
        "reports.scheduler": {
            "task": "reports.scheduler",
            "schedule": crontab(minute="*", hour="*"),
        },
        "reports.prune_log": {
            "task": "reports.prune_log",
            "schedule": crontab(minute=0, hour=0),
        },
    }

# smtp server configuration
EMAIL_NOTIFICATIONS = True  # all the emails are sent using dryrun
SMTP_HOST = "xxxx"
SMTP_STARTTLS = True
SMTP_SSL = True
SMTP_USER = "xxxx"
SMTP_PORT = 465
SMTP_PASSWORD = "xxxx"
SMTP_MAIL_FROM = "xxxx"

ENABLE_CHUNK_ENCODING = True

# Enable / disable scheduled email reports
#
# Warning: This config key is deprecated and will be removed in version 2.0.0
ENABLE_SCHEDULED_EMAIL_REPORTS = True

# A custom prefix to use on all Alerts & Reports emails
EMAIL_REPORTS_SUBJECT_PREFIX = "xxxx"

# The base URL to query for accessing the user interface
WEBDRIVER_BASEURL = "xxxx"
# The base URL for the email report hyperlinks.
WEBDRIVER_BASEURL_USER_FRIENDLY = "xxxx"

WTF_CSRF_TIME_LIMIT = None

710700 commented 2 years ago

Update: by removing "menu access of dashboards", "menu access of charts" and "menu access of data" from the Public role, anonymous users cannot access these components anymore.
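The root cause in the thread is the combination of `AUTH_ROLE_PUBLIC = 'Public'` with `PUBLIC_ROLE_LIKE = "Gamma"`, which makes the anonymous role a copy of Gamma. The following is an added audit helper, not code from the issue or from the Superset project: it flags the config settings that widen the anonymous role and lists the permission/view-menu pairs on that role that expose content. The permission and view names follow Superset's security manager naming as I understand it and are an assumption; the sample permission list is constructed.

```python
from typing import Dict, List, Tuple

Perm = Tuple[str, str]  # (permission, view_menu) as stored by Flask-AppBuilder

# Constructed sample of what a Public role copied from Gamma typically carries
# (names assumed to match Superset's security manager; verify against your instance).
PUBLIC_ROLE_PERMS: List[Perm] = [
    ("menu_access", "Dashboards"),
    ("menu_access", "Charts"),
    ("menu_access", "Data"),
    ("can_read", "Dashboard"),
    ("can_read", "Chart"),
    ("can_read", "Dataset"),
    ("can_read", "Database"),
    ("can_userinfo", "UserDBModelView"),  # harmless for an anonymous role
]

# Grants an unauthenticated role should not hold. The menu_access rows are the
# ones the reporter removed; the can_read rows are their API-level counterparts,
# which still matter once the menu entries are hidden (the REST API ignores menus).
ANONYMOUS_DENYLIST = {
    ("menu_access", "Dashboards"), ("menu_access", "Charts"), ("menu_access", "Data"),
    ("can_read", "Dashboard"), ("can_read", "Chart"),
    ("can_read", "Dataset"), ("can_read", "Database"),
}


def check_config(cfg: Dict[str, object]) -> List[str]:
    """Flag superset_config.py settings that widen what anonymous users can do."""
    findings: List[str] = []
    like = cfg.get("PUBLIC_ROLE_LIKE")
    if cfg.get("AUTH_ROLE_PUBLIC") and like:
        findings.append(
            f"PUBLIC_ROLE_LIKE={like!r}: anonymous role inherits every {like} permission"
        )
    if cfg.get("AUTH_USER_REGISTRATION") and cfg.get("AUTH_USER_REGISTRATION_ROLE") == cfg.get("AUTH_ROLE_PUBLIC"):
        findings.append("self-registered users land in the anonymous role; registration adds no access control")
    return findings


def audit_public_role(perms: List[Perm]) -> List[Perm]:
    """Return the grants on the anonymous role that expose dashboards, charts or data."""
    return sorted(p for p in perms if p in ANONYMOUS_DENYLIST)


if __name__ == "__main__":
    # Values taken from the config posted in the issue.
    cfg = {"AUTH_ROLE_PUBLIC": "Public", "PUBLIC_ROLE_LIKE": "Gamma",
           "AUTH_USER_REGISTRATION": True, "AUTH_USER_REGISTRATION_ROLE": "Public"}
    for line in check_config(cfg) + [f"{p} on {v}" for p, v in audit_public_role(PUBLIC_ROLE_PERMS)]:
        print(line)
```

Removing the menu entries hides the navigation, but the `can_read` rows are what gate `/api/v1/dashboard/` and friends, so audit both sets after any `PUBLIC_ROLE_LIKE` change.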