Dashboards list includes dashboards with text widgets where you have no access to any other widgets #4099

Closed
yusha2016 opened this issue Aug 27, 2019 · 1 comment · Fixed by #4492

yusha2016 commented Aug 27, 2019

In this case, a user named A does not have any data source access or view permission, while the dashboard has a text widget. User A can find the dashboard which has the text widget on the dashboard list page. The reason is this Python file: app/redash/model/init.py, in the class Dashboard, with this method:

    @classmethod
    def all(cls, org, group_ids, user_id):
        query = (
            Dashboard.query
            .options(
                subqueryload(Dashboard.user).load_only('_profile_image_url', 'name'),
            )
            .outerjoin(Widget)
            .outerjoin(Visualization)
            .outerjoin(Query)
            .outerjoin(DataSourceGroup, Query.data_source_id == DataSourceGroup.data_source_id)
            .filter(
                Dashboard.is_archived == False,
                (DataSourceGroup.group_id.in_(group_ids) |
                 (Dashboard.user_id == user_id) |
                  ((Widget.dashboard != None) & (Widget.visualization == None))),
                Dashboard.org == org)
            .distinct())

        query = query.filter(or_(Dashboard.user_id == user_id, Dashboard.is_draft == False))

        return query

The query filters on Widget.visualization == None, so it will find all dashboards that have a text widget.

  • Redash Version: 6.0.7.0.8.0
  • Browser/OS: chrome/ios
  • How did you install Redash: k8s
Member

arikfr commented Sep 9, 2019

It was implemented this way intentionally, but we no longer need this behavior. You're welcome to submit a Pull Request to update this behavior.

@arikfr arikfr changed the title dashboard permission bug Dashboards list includes dashboards with text widgets Sep 9, 2019
@arikfr arikfr changed the title Dashboards list includes dashboards with text widgets Dashboards list includes dashboards with text widgets where you have no access to any other widgets Sep 9, 2019
arikfr added a commit that referenced this issue Dec 30, 2019
* Allow executing query with either view_query or execute_query permissions.

* Render AuthHeader according to permissions.

* Don't return dashboards where you only have access to textbox widget.

Closes #4099.
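
An added example, not part of the issue thread and not Redash's own code: the filter from `Dashboard.all` restated as plain SQL over a constructed SQLite schema, listing what a user with no data source access sees with and without the text-widget clause. The table layout, the rows, the `make_db` and `visible_dashboards` helpers, and dropping the clause as the corrected form are assumptions; the org filter is omitted.

```python
import sqlite3

# Constructed data: dashboard 1 has one chart on data source 100 (group 1 only),
# dashboard 2 has the same chart plus a text widget, dashboard 3 has a chart on
# data source 200 (group 2). All belong to user 10; single org, so no org filter.
SCHEMA = """
CREATE TABLE dashboards (id INTEGER PRIMARY KEY, user_id INT, is_draft INT, is_archived INT);
CREATE TABLE queries (id INTEGER PRIMARY KEY, data_source_id INT);
CREATE TABLE visualizations (id INTEGER PRIMARY KEY, query_id INT);
CREATE TABLE widgets (id INTEGER PRIMARY KEY, dashboard_id INT, visualization_id INT);
CREATE TABLE data_source_groups (data_source_id INT, group_id INT);
INSERT INTO dashboards VALUES (1, 10, 0, 0), (2, 10, 0, 0), (3, 10, 0, 0);
INSERT INTO queries VALUES (1, 100), (2, 200);
INSERT INTO visualizations VALUES (1, 1), (2, 2);
INSERT INTO data_source_groups VALUES (100, 1), (200, 2);
INSERT INTO widgets VALUES (1, 1, 1), (2, 2, 1), (3, 2, NULL), (4, 3, 2);
"""

# The clause from the issue: any widget row with no visualization (a text widget).
TEXT_WIDGET_CLAUSE = "OR (w.dashboard_id IS NOT NULL AND w.visualization_id IS NULL)"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def visible_dashboards(conn, group_ids, user_id, include_text_widgets):
    """Return sorted dashboard ids the listing would show to this user."""
    marks = ",".join("?" * len(group_ids))
    extra = TEXT_WIDGET_CLAUSE if include_text_widgets else ""
    sql = f"""
        SELECT DISTINCT d.id FROM dashboards d
        LEFT JOIN widgets w ON w.dashboard_id = d.id
        LEFT JOIN visualizations v ON v.id = w.visualization_id
        LEFT JOIN queries q ON q.id = v.query_id
        LEFT JOIN data_source_groups g ON g.data_source_id = q.data_source_id
        WHERE d.is_archived = 0
          AND (g.group_id IN ({marks}) OR d.user_id = ? {extra})
          AND (d.user_id = ? OR d.is_draft = 0)"""
    rows = conn.execute(sql, [*group_ids, user_id, user_id]).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    # User 20 is only in group 3, which has no data sources attached.
    print("with clause:   ", visible_dashboards(db, [3], 20, True))
    print("without clause:", visible_dashboards(db, [3], 20, False))
```

With the clause, user 20 is shown dashboard 2 solely because it contains a text widget; without it the list is empty, and a member of group 2 still sees dashboard 3.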