Show only Slices and Dashboards users have access to

[mistercrunch]

@michellethomas @williaster

• Materialized the perm associated to the slice in the slice model to make queries faster when listing Dashboards and Slices.
• Also added Many to many owners for slices and dashboards, should eventually define who can alter the objects, looking for the proper hook in FAB

[landscape-bot]

Repository health decreased by 0.95% when pulling dd824c8 on mistercrunch:security into c0fb9ee on airbnb:master.

• 9 new problems were found (including 1 error and 4 code smells).
• No problems were fixed.

[coveralls]

Coverage decreased (-0.4%) to 80.362% when pulling dd824c83ea26f7a12ec6428ba957ab6108f8c195 on mistercrunch:security into c0fb9ee on airbnb:master.

[landscape-bot]

Repository health decreased by 0.02% when pulling 5c79214 on mistercrunch:security into ab64a26 on airbnb:master.

• 1 new problem was found (including 0 errors and 0 code smells).
• No problems were fixed.

[coveralls]

Coverage increased (+0.2%) to 80.986% when pulling 5c79214 on mistercrunch:security into ab64a26 on airbnb:master.

[x4base]

@mistercrunch
So right now whether a user can access a dashboard is determined by whether the role has the datasource access. It has nothing to do with whether the user is the owner of the slice or dashboard. Am I correct? Thanks

[mistercrunch]

Admin and Alpha have access to all datasources, Gamma user need and extra role with specific datasource access to list and access dashboard and slices

[mistercrunch]

I'm planning on making it such that only object owners can alter dashboards and slices. This PR added the possibility to add many owners to a dashboard or slice, but that is not taken into account yet. I opened issues to ask the Flask AppBuilder project on advice on how to implement that

[x4base]

So in your plan it is only for the access control of editing dashboards/slices, right? Do you think it is good to have the view access control on whether a user can see a certain dashboard/slice, maybe like #357 ? Is it in any of your plans?

[MrMauricioLeite]

Hi @x4base, I guess that @mistercrunch is going to finish the edit permissions first and them extend for view permissions once we have the edit fixed.

But that sure is needed to deploy here at our company too so I'm keeping this issue on my bookmarks.

[hamidmahmoodnbs]

can anybody confirm that has this issue been fixed or not? #1434

I am facing the same issue with superset v 0.25.6. The issue still persists as the user seeing all the datasources in chart drop down that he has no access to. I have given user the gamma role and new role that only has permission to a single datasource.

[pbr0ck3r]

@hamidmahmoodnbs seems like the slices/dashboard/schema filtering works. But the databases themselves are not filtered based on roles/permissions. On load of the SQL editor all databases are returned. Even if you have a role such as database access on x.[id:5] you get that database and all of the others. Instead of only getting x. Seems like a security issue to me.

[pbr0ck3r]

@mistercrunch databases are not being filtered at all. Every user is returned all databases. Even if they only have a role such as database access x.[id:5] they still get all databases.