Open xavier-GitHub76 opened 3 days ago
The can_csv
permission is indeed still present in Superset 4.0.2, despite being marked for removal in version 3.0.0. This permission is necessary for users to download charts in CSV, Excel, or Image formats. The current implementation of the can_csv
permission is as follows:
SQLLAB_EXTRA_PERMISSION_VIEWS = {
("can_csv", "Superset"), # Deprecated permission remove on 3.0.0
("can_read", "Superset"),
("can_read", "Database"),
}
Additionally, the can_csv
permission is created in the create_custom_permissions
method:
def create_custom_permissions(self) -> None:
"""
Create custom FAB permissions.
"""
self.add_permission_view_menu("all_datasource_access", "all_datasource_access")
self.add_permission_view_menu("all_database_access", "all_database_access")
self.add_permission_view_menu("all_query_access", "all_query_access")
self.add_permission_view_menu("can_csv", "Superset")
self.add_permission_view_menu("can_share_dashboard", "Superset")
self.add_permission_view_menu("can_share_chart", "Superset")
self.add_permission_view_menu("can_sqllab", "Superset")
self.add_permission_view_menu("can_view_query", "Dashboard")
self.add_permission_view_menu("can_view_chart_as_table", "Dashboard")
self.add_permission_view_menu("can_drill", "Dashboard")
self.add_permission_view_menu("can_tag", "Chart")
self.add_permission_view_menu("can_tag", "Dashboard")
This indicates that the can_csv
permission is still present in the codebase but is marked as deprecated and scheduled for removal in version 3.0.0 [1].
For downloading charts in CSV, Excel, or Image formats, the following alternative permissions or methods are recommended:
CSV Download Permission:
can_csv
permission in Superset. This is checked in the explore_json
method:
if (
response_type == ChartDataResultFormat.CSV
and not security_manager.can_access("can_csv", "Superset")
):
return json_error_response(
_("You don't have the rights to download as csv"),
status=403,
)
CSV Response Generation:
generate_json
method handles the generation of CSV responses:
def generate_json(
self, viz_obj: BaseViz, response_type: str | None = None
) -> FlaskResponse:
if response_type == ChartDataResultFormat.CSV:
return CsvResponse(
viz_obj.get_csv(), headers=generate_download_headers("csv")
)
Frontend Menu Options:
useExploreAdditionalActionsMenu
component:
const MENU_KEYS = {
DOWNLOAD_SUBMENU: 'download_submenu',
EXPORT_TO_CSV: 'export_to_csv',
EXPORT_TO_CSV_PIVOTED: 'export_to_csv_pivoted',
EXPORT_TO_JSON: 'export_to_json',
EXPORT_TO_XLSX: 'export_to_xlsx',
DOWNLOAD_AS_IMAGE: 'download_as_image',
};
Slice Header Controls:
The SliceHeaderControls
component in superset-frontend/src/dashboard/components/SliceHeaderControls/index.tsx
includes menu items for exporting charts. The relevant permissions and feature flags are checked to enable these options:
{isFeatureEnabled(FeatureFlag.AllowFullCsvExport) &&
props.supersetCanCSV &&
isTable && (
<>
<Menu.Item
key={MenuKeys.ExportFullCsv}
icon={<Icons.FileOutlined css={dropdownIconsStyles} />}
>
{t('Export to full .CSV')}
</Menu.Item>
<Menu.Item
key={MenuKeys.ExportFullXlsx}
icon={<Icons.FileOutlined css={dropdownIconsStyles} />}
>
{t('Export to full Excel')}
</Menu.Item>
</>
)}
<Menu.Item
key={MenuKeys.DownloadAsImage}
icon={<Icons.FileImageOutlined css={dropdownIconsStyles} />}
>
{t('Download as image')}
</Menu.Item>
These methods ensure that users with the appropriate permissions can download charts in the desired formats [2][3][4].
To continue talking to Dosu, mention @dosu.
Bug description
Hello,
a deprecated alert is present in the file superset/security/manager.py for the permission "can csv on Superset"
but the permission is always used in 4.0.2
Without the permission, a user can't download a chart (in CSV, Excel or Image)
How to reproduce the bug
Go to Settings > List Roles Create a Role Add "can csv on Superset" permission
Screenshots/recordings
No response
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist