apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

can_csv_on_Superset Deprecated since 3.0.0 but always present in 4.0.2 #30384

Open xavier-GitHub76 opened 3 days ago

xavier-GitHub76 commented 3 days ago

Bug description

Hello,

a deprecated alert is present in the file superset/security/manager.py for the permission "can csv on Superset"

but the permission is always used in 4.0.2

Without the permission, a user can't download a chart (in CSV, Excel or Image)

How to reproduce the bug

1. Go to Settings > List Roles
2. Create a Role
3. Add "can csv on Superset" permission

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response


dosubot[bot] commented 3 days ago

The can_csv permission is indeed still present in Superset 4.0.2, despite being marked for removal in version 3.0.0. This permission is necessary for users to download charts in CSV, Excel, or Image formats. The current implementation of the can_csv permission is as follows:

SQLLAB_EXTRA_PERMISSION_VIEWS = {
    ("can_csv", "Superset"),  # Deprecated permission remove on 3.0.0
    ("can_read", "Superset"),
    ("can_read", "Database"),
}

Additionally, the can_csv permission is created in the create_custom_permissions method:

def create_custom_permissions(self) -> None:
    """
    Create custom FAB permissions.
    """
    self.add_permission_view_menu("all_datasource_access", "all_datasource_access")
    self.add_permission_view_menu("all_database_access", "all_database_access")
    self.add_permission_view_menu("all_query_access", "all_query_access")
    self.add_permission_view_menu("can_csv", "Superset")
    self.add_permission_view_menu("can_share_dashboard", "Superset")
    self.add_permission_view_menu("can_share_chart", "Superset")
    self.add_permission_view_menu("can_sqllab", "Superset")
    self.add_permission_view_menu("can_view_query", "Dashboard")
    self.add_permission_view_menu("can_view_chart_as_table", "Dashboard")
    self.add_permission_view_menu("can_drill", "Dashboard")
    self.add_permission_view_menu("can_tag", "Chart")
    self.add_permission_view_menu("can_tag", "Dashboard")

This indicates that the can_csv permission is still present in the codebase but is marked as deprecated and scheduled for removal in version 3.0.0 [1].

For downloading charts in CSV, Excel, or Image formats, the following alternative permissions or methods are recommended:

  1. CSV Download Permission:

    • Ensure the user has the can_csv permission in Superset. This is checked in the explore_json method:
      if (
          response_type == ChartDataResultFormat.CSV
          and not security_manager.can_access("can_csv", "Superset")
      ):
          return json_error_response(
              _("You don't have the rights to download as csv"),
              status=403,
          )
  2. CSV Response Generation:

    • The generate_json method handles the generation of CSV responses:
      def generate_json(
          self, viz_obj: BaseViz, response_type: str | None = None
      ) -> FlaskResponse:
          if response_type == ChartDataResultFormat.CSV:
              return CsvResponse(
                  viz_obj.get_csv(), headers=generate_download_headers("csv")
              )
  3. Frontend Menu Options:

    • The frontend provides a menu with various download options, including CSV, Excel, and Image formats. These options are defined in the useExploreAdditionalActionsMenu component:
      const MENU_KEYS = {
        DOWNLOAD_SUBMENU: 'download_submenu',
        EXPORT_TO_CSV: 'export_to_csv',
        EXPORT_TO_CSV_PIVOTED: 'export_to_csv_pivoted',
        EXPORT_TO_JSON: 'export_to_json',
        EXPORT_TO_XLSX: 'export_to_xlsx',
        DOWNLOAD_AS_IMAGE: 'download_as_image',
      };
  4. Slice Header Controls:

    • The SliceHeaderControls component in superset-frontend/src/dashboard/components/SliceHeaderControls/index.tsx includes menu items for exporting charts. The relevant permissions and feature flags are checked to enable these options:

      {isFeatureEnabled(FeatureFlag.AllowFullCsvExport) &&
        props.supersetCanCSV &&
        isTable && (
          <>
            <Menu.Item
              key={MenuKeys.ExportFullCsv}
              icon={<Icons.FileOutlined css={dropdownIconsStyles} />}
            >
              {t('Export to full .CSV')}
            </Menu.Item>
            <Menu.Item
              key={MenuKeys.ExportFullXlsx}
              icon={<Icons.FileOutlined css={dropdownIconsStyles} />}
            >
              {t('Export to full Excel')}
            </Menu.Item>
          </>
        )}

      <Menu.Item
        key={MenuKeys.DownloadAsImage}
        icon={<Icons.FileImageOutlined css={dropdownIconsStyles} />}
      >
        {t('Download as image')}
      </Menu.Item>

These methods ensure that users with the appropriate permissions can download charts in the desired formats [2][3][4].

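An added example, not part of the issue thread or of the Superset code base: because the server-side export check quoted above keys on `can_csv` on `Superset`, an administrator can list which roles currently hold that permission before any change to the deprecated entry. The table layout is assumed to follow Flask-AppBuilder's default metadata tables; the rows, role names and helper function names are constructed for the example.

```python
import sqlite3

# Constructed sample data. Table and column names are assumed to match
# Flask-AppBuilder's default metadata schema; roles and rows are invented.
SCHEMA = """
CREATE TABLE ab_permission (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_view_menu (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_permission_view (id INTEGER PRIMARY KEY, permission_id INTEGER, view_menu_id INTEGER);
CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_permission_view_role (id INTEGER PRIMARY KEY, permission_view_id INTEGER, role_id INTEGER);
INSERT INTO ab_permission VALUES (1,'can_csv'),(2,'can_read');
INSERT INTO ab_view_menu VALUES (1,'Superset'),(2,'Database');
INSERT INTO ab_permission_view VALUES (1,1,1),(2,2,1),(3,2,2);
INSERT INTO ab_role VALUES (1,'Admin'),(2,'Analyst'),(3,'Viewer');
INSERT INTO ab_permission_view_role VALUES (1,1,1),(2,2,1),(3,1,2),(4,2,2),(5,2,3),(6,3,3);
"""

# Resolve role -> permission_view -> (permission, view_menu) in one join.
QUERY = """
SELECT r.name FROM ab_role r
JOIN ab_permission_view_role pvr ON pvr.role_id = r.id
JOIN ab_permission_view pv ON pv.id = pvr.permission_view_id
JOIN ab_permission p ON p.id = pv.permission_id
JOIN ab_view_menu vm ON vm.id = pv.view_menu_id
WHERE p.name = ? AND vm.name = ?
ORDER BY r.name
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def roles_with_permission(conn, permission, view_menu):
    """Names of roles granted `permission` on `view_menu`."""
    return [row[0] for row in conn.execute(QUERY, (permission, view_menu))]

def roles_without_permission(conn, permission, view_menu):
    """Roles that would get the 403 from the export check."""
    holders = set(roles_with_permission(conn, permission, view_menu))
    rows = conn.execute("SELECT name FROM ab_role ORDER BY name")
    return [name for (name,) in rows if name not in holders]

if __name__ == "__main__":
    db = build_sample_db()
    print("can export:", roles_with_permission(db, "can_csv", "Superset"))
    print("blocked:   ", roles_without_permission(db, "can_csv", "Superset"))
```
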