apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

A user without edit permission can access the swap dataset function #28037

Open xavier-GitHub76 opened 6 months ago

xavier-GitHub76 commented 6 months ago

Bug description

Hello,

With Superset v3.0.0, I create a user with essential permissions (cf. https://github.com/apache/superset/issues/27765), and access to a dataset is created.

From the "View all" buttons on the home page (always displayed), the user can list dashboards or charts. He can select a chart, and the editor page is displayed although he does not have edit permission.

Several error messages are displayed, like on the "swap dataset" function. The function "swap data" must not be displayed without permission.

Best regards

How to reproduce the bug


Screenshots/recordings

https://github.com/apache/superset/assets/82046143/8f955075-c117-4062-a39d-bf8a5bb6f1f2

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

xavier-GitHub76 commented 6 months ago

We have two superset :

All instances are on version 3.0.0 and use the following roles:

READ_ONLY : [can read on CssTemplate, can userinfo on UserRemoteUserModelView, can time range on Api, can dashboard on Superset, can profile on Superset, can recent activity on Log]

ACCESS_ON_1_DATASET : [datasource access on [PostgreSQL].test]

Best regards

projectd-sae commented 1 month ago

I would like to report the same issue. It is problematic because we want to create a role with read-only access to specific charts within specific dashboards. With the above scenario, those users can go into the charts, ignore the error, swap the dataset and start slicing. This is not what we want. We do not want to give them this type of access to the underlying data.

projectd-sae commented 1 month ago

And all of that because you need to give them "can recent activity on Log" to avoid an error on the home screen. If we could just omit that recent activity page and go straight to the dashboard page, we would not have this security hole.

projectd-sae commented 1 month ago

Found the solution. Forget the datasource access, use the role-based access to dashboards: https://www.restack.io/docs/superset-knowledge-superset-dashboard-rbac. With this you can decide on a dashboard-by-dashboard basis who has access. Granting a role access to a dashboard provides read access to all its charts and datasets. No need to grant the datasource access anymore and no security loophole anymore: the charts are no longer listed on the recent activity page.
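
An audit sketch for the role combination discussed in this thread, added here as an example (not code from the Superset project or from any commenter): it parses a role listing in the format of the second comment and flags a user whose combined roles hold a `datasource access` grant without chart write permission. The function names are hypothetical, the input is constructed from the roles quoted above, and `can write on Chart` is assumed to be the chart edit permission in use.

```python
import re

# Constructed input: the two roles as listed in the second comment of this issue.
ROLE_DUMP = """\
READ_ONLY : [can read on CssTemplate, can userinfo on UserRemoteUserModelView, can time range on Api, can dashboard on Superset, can profile on Superset, can recent activity on Log]
ACCESS_ON_1_DATASET : [datasource access on [PostgreSQL].test]
"""

# Matches a dataset grant such as "datasource access on [PostgreSQL].test".
DATASOURCE = re.compile(r"^datasource access on (\[.+\]\..+)$")

def split_perms(body):
    """Split on commas at bracket depth 0 so '[db, name].table' stays whole."""
    perms, depth, cur = [], 0, ""
    for ch in body:
        depth += ch == "["
        depth -= ch == "]"
        if ch == "," and depth == 0:
            perms.append(cur.strip())
            cur = ""
        else:
            cur += ch
    perms.append(cur.strip())
    return [p for p in perms if p]

def parse_roles(dump):
    """Parse 'NAME : [perm, perm, ...]' lines into {name: [perm, ...]}."""
    roles = {}
    for line in dump.splitlines():
        name, sep, rest = line.partition(":")
        rest = rest.strip()
        if sep and rest.startswith("[") and rest.endswith("]"):
            # Strip only the outer brackets; '[PostgreSQL].test' keeps its own.
            roles[name.strip()] = split_perms(rest[1:-1])
    return roles

def audit(roles, user_roles):
    """Flag a user who holds dataset-level access but no chart edit permission."""
    perms = [p for r in user_roles for p in roles.get(r, [])]
    datasets = [m.group(1) for p in perms if (m := DATASOURCE.match(p))]
    can_edit = "can write on Chart" in perms  # assumed edit permission name
    return {"datasets": datasets, "can_edit_charts": can_edit,
            "flag": bool(datasets) and not can_edit}

if __name__ == "__main__":
    print(audit(parse_roles(ROLE_DUMP), ["READ_ONLY", "ACCESS_ON_1_DATASET"]))
```

A flagged user is a candidate for the dashboard-level RBAC approach described in the last comment, in place of the dataset grant.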