Response to GET /chart/ with guest token is empty. #25285

Open
pocman opened this issue Sep 13, 2023 · 2 comments

pocman commented Sep 13, 2023

The GET /api/v1/chart/ endpoint doesn't return charts with a guest token but does for a logged-in user with the same role.

How to reproduce the bug

  • Start superset with Gamma as GUEST_ROLE_NAME;
  • As admin add datasource access to Gamma role;
  • As admin create a user with Gamma role, check that this user can see at least one chart, use this user's token to call GET /api/v1/chart/?q=(order_column:changed_on_delta_humanized,order_direction:desc,page:0,page_size:25) and check that you see at least one chart;
  • As admin craft a guest token (with RLS in my case), check token roles, check that the guest token allows access to dashboard and /explore and /api/v1/chart/data for at least one chart.
  • Use Guest token to call GET /api/v1/chart/?q=(order_column:changed_on_delta_humanized,order_direction:desc,page:0,page_size:25)

Expected results

Response to GET /chart with guest token is empty.

Actual results

Response to GET /chart should be the same as the one from the user with the same Gamma role.

Environment

superset 2.1.0 deployed using the helm chart on kubernetes

check token roles

curl -X 'GET' \
  'http://xxx:8088/api/v1/me/roles/' \
  -H 'accept: application/json' \
  -H 'X-GuestToken: xxx'
{
    "result":
    {
        "firstName": "guest",
        "isActive": false,
        "isAnonymous": false,
        "lastName": "token",
        "permissions":
        {
            "datasource_access":
            [
                "[Google BigQuery].[fraud_detection](id:1)"
            ]
        },
        "roles":
        {
            "Gamma":
            [
                [
                    "can_read",
                    "CssTemplate"
                ],
                [
                    "can_read",
                    "Chart"
                ],
                [
                    "can_write",
                    "Chart"
                ],
                [
                    "can_read",
                    "Annotation"
                ],
                [
                    "can_read",
                    "Dataset"
                ],
                [
                    "can_read",
                    "Dashboard"
                ],
                [
                    "can_write",
                    "Dashboard"
                ],
                [
                    "can_read",
                    "Database"
                ],
                [
                    "can_this_form_post",
                    "ResetMyPasswordView"
                ],
                [
                    "can_this_form_get",
                    "ResetMyPasswordView"
                ],
                [
                    "can_userinfo",
                    "UserDBModelView"
                ],
                [
                    "resetmypassword",
                    "UserDBModelView"
                ],
                [
                    "can_get",
                    "OpenApi"
                ],
                [
                    "can_show",
                    "SwaggerView"
                ],
                [
                    "can_get",
                    "MenuApi"
                ],
                [
                    "can_list",
                    "AsyncEventsRestApi"
                ],
                [
                    "can_read",
                    "AdvancedDataType"
                ],
                [
                    "can_read",
                    "AvailableDomains"
                ],
                [
                    "can_invalidate",
                    "CacheRestApi"
                ],
                [
                    "can_export",
                    "Chart"
                ],
                [
                    "can_read",
                    "DashboardFilterStateRestApi"
                ],
                [
                    "can_write",
                    "DashboardFilterStateRestApi"
                ],
                [
                    "can_read",
                    "DashboardPermalinkRestApi"
                ],
                [
                    "can_write",
                    "DashboardPermalinkRestApi"
                ],
                [
                    "can_delete_embedded",
                    "Dashboard"
                ],
                [
                    "can_export",
                    "Dashboard"
                ],
                [
                    "can_get_embedded",
                    "Dashboard"
                ],
                [
                    "can_read",
                    "EmbeddedDashboard"
                ],
                [
                    "can_read",
                    "Explore"
                ],
                [
                    "can_read",
                    "ExploreFormDataRestApi"
                ],
                [
                    "can_write",
                    "ExploreFormDataRestApi"
                ],
                [
                    "can_read",
                    "ExplorePermalinkRestApi"
                ],
                [
                    "can_write",
                    "ExplorePermalinkRestApi"
                ],
                [
                    "can_list",
                    "FilterSets"
                ],
                [
                    "can_delete",
                    "FilterSets"
                ],
                [
                    "can_edit",
                    "FilterSets"
                ],
                [
                    "can_add",
                    "FilterSets"
                ],
                [
                    "can_list",
                    "DynamicPlugin"
                ],
                [
                    "can_show",
                    "DynamicPlugin"
                ],
                [
                    "can_query",
                    "Api"
                ],
                [
                    "can_query_form_data",
                    "Api"
                ],
                [
                    "can_time_range",
                    "Api"
                ],
                [
                    "can_get",
                    "Datasource"
                ],
                [
                    "can_external_metadata_by_name",
                    "Datasource"
                ],
                [
                    "can_external_metadata",
                    "Datasource"
                ],
                [
                    "can_store",
                    "KV"
                ],
                [
                    "can_get_value",
                    "KV"
                ],
                [
                    "can_user_slices",
                    "Superset"
                ],
                [
                    "can_dashboard",
                    "Superset"
                ],
                [
                    "can_fetch_datasource_metadata",
                    "Superset"
                ],
                [
                    "can_fave_dashboards_by_username",
                    "Superset"
                ],
                [
                    "can_created_slices",
                    "Superset"
                ],
                [
                    "can_estimate_query_cost",
                    "Superset"
                ],
                [
                    "can_available_domains",
                    "Superset"
                ],
                [
                    "can_request_access",
                    "Superset"
                ],
                [
                    "can_datasources",
                    "Superset"
                ],
                [
                    "can_fave_dashboards",
                    "Superset"
                ],
                [
                    "can_profile",
                    "Superset"
                ],
                [
                    "can_add_slices",
                    "Superset"
                ],
                [
                    "can_explore_json",
                    "Superset"
                ],
                [
                    "can_tables",
                    "Superset"
                ],
                [
                    "can_slice_json",
                    "Superset"
                ],
                [
                    "can_csv",
                    "Superset"
                ],
                [
                    "can_queries",
                    "Superset"
                ],
                [
                    "can_testconn",
                    "Superset"
                ],
                [
                    "can_import_dashboards",
                    "Superset"
                ],
                [
                    "can_created_dashboards",
                    "Superset"
                ],
                [
                    "can_explore",
                    "Superset"
                ],
                [
                    "can_recent_activity",
                    "Superset"
                ],
                [
                    "can_fave_slices",
                    "Superset"
                ],
                [
                    "can_extra_table_metadata",
                    "Superset"
                ],
                [
                    "can_copy_dash",
                    "Superset"
                ],
                [
                    "can_favstar",
                    "Superset"
                ],
                [
                    "can_validate_sql_json",
                    "Superset"
                ],
                [
                    "can_annotation_json",
                    "Superset"
                ],
                [
                    "can_schemas_access_for_file_upload",
                    "Superset"
                ],
                [
                    "can_save_dash",
                    "Superset"
                ],
                [
                    "can_log",
                    "Superset"
                ],
                [
                    "can_filter",
                    "Superset"
                ],
                [
                    "can_slice",
                    "Superset"
                ],
                [
                    "can_dashboard_permalink",
                    "Superset"
                ],
                [
                    "can_results",
                    "Superset"
                ],
                [
                    "can_post",
                    "TagView"
                ],
                [
                    "can_get",
                    "TagView"
                ],
                [
                    "can_tagged_objects",
                    "TagView"
                ],
                [
                    "can_suggestions",
                    "TagView"
                ],
                [
                    "can_delete",
                    "TagView"
                ],
                [
                    "can_recent_activity",
                    "Log"
                ],
                [
                    "can_read",
                    "SecurityRestApi"
                ],
                [
                    "menu_access",
                    "Access requests"
                ],
                [
                    "menu_access",
                    "Home"
                ],
                [
                    "menu_access",
                    "Data"
                ],
                [
                    "menu_access",
                    "Databases"
                ],
                [
                    "menu_access",
                    "Dashboards"
                ],
                [
                    "menu_access",
                    "Charts"
                ],
                [
                    "menu_access",
                    "Datasets"
                ],
                [
                    "menu_access",
                    "Plugins"
                ],
                [
                    "menu_access",
                    "Import Dashboards"
                ],
                [
                    "can_share_dashboard",
                    "Superset"
                ],
                [
                    "can_share_chart",
                    "Superset"
                ],
                [
                    "datasource_access",
                    "[Google BigQuery].[fraud_detection](id:1)"
                ]
            ]
        },
        "username": "tpocreau"
    }
}

Retrieve chart

curl -X 'GET' \
  'http://xxx:8088/api/v1/chart/?q=(order_column:changed_on_delta_humanized,order_direction:desc,page:0,page_size:25)' \
  -H 'accept: application/json' \
  -H 'X-GuestToken: xxx'
{
    "count": 0,
    "description_columns":
    {},
    "ids":
    [],
    "label_columns":
    {
        "cache_timeout": "Cache Timeout",
        "certification_details": "Certification Details",
        "certified_by": "Certified By",
        "changed_by.first_name": "Changed By First Name",
        "changed_by.last_name": "Changed By Last Name",
        "changed_by_name": "Changed By Name",
        "changed_by_url": "Changed By Url",
        "changed_on_delta_humanized": "Changed On Delta Humanized",
        "changed_on_utc": "Changed On Utc",
        "created_by.first_name": "Created By First Name",
        "created_by.id": "Created By Id",
        "created_by.last_name": "Created By Last Name",
        "created_on_delta_humanized": "Created On Delta Humanized",
        "dashboards.dashboard_title": "Dashboards Dashboard Title",
        "dashboards.id": "Dashboards Id",
        "datasource_id": "Datasource Id",
        "datasource_name_text": "Datasource Name Text",
        "datasource_type": "Datasource Type",
        "datasource_url": "Datasource Url",
        "description": "Description",
        "description_markeddown": "Description Markeddown",
        "edit_url": "Edit Url",
        "id": "Id",
        "is_managed_externally": "Is Managed Externally",
        "last_saved_at": "Last Saved At",
        "last_saved_by.first_name": "Last Saved By First Name",
        "last_saved_by.id": "Last Saved By Id",
        "last_saved_by.last_name": "Last Saved By Last Name",
        "owners.first_name": "Owners First Name",
        "owners.id": "Owners Id",
        "owners.last_name": "Owners Last Name",
        "owners.username": "Owners Username",
        "params": "Params",
        "slice_name": "Slice Name",
        "table.default_endpoint": "Table Default Endpoint",
        "table.table_name": "Table Table Name",
        "thumbnail_url": "Thumbnail Url",
        "url": "Url",
        "viz_type": "Viz Type"
    },
    "list_columns":
    [
        "is_managed_externally",
        "certified_by",
        "certification_details",
        "cache_timeout",
        "changed_by.first_name",
        "changed_by.last_name",
        "changed_by_name",
        "changed_by_url",
        "changed_on_delta_humanized",
        "changed_on_utc",
        "created_by.first_name",
        "created_by.id",
        "created_by.last_name",
        "created_on_delta_humanized",
        "datasource_id",
        "datasource_name_text",
        "datasource_type",
        "datasource_url",
        "description",
        "description_markeddown",
        "edit_url",
        "id",
        "last_saved_at",
        "last_saved_by.id",
        "last_saved_by.first_name",
        "last_saved_by.last_name",
        "owners.first_name",
        "owners.id",
        "owners.last_name",
        "owners.username",
        "dashboards.id",
        "dashboards.dashboard_title",
        "params",
        "slice_name",
        "table.default_endpoint",
        "table.table_name",
        "thumbnail_url",
        "url",
        "viz_type"
    ],
    "list_title": "List Slice",
    "order_columns":
    [
        "changed_by.first_name",
        "changed_on_delta_humanized",
        "datasource_id",
        "datasource_name",
        "last_saved_at",
        "last_saved_by.id",
        "last_saved_by.first_name",
        "last_saved_by.last_name",
        "slice_name",
        "viz_type"
    ],
    "result":
    []
}
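The repro steps above compare two callers that should be authorized identically: a guest token and a logged-in user holding the same Gamma role. The script below is an added example, not code from this issue or from Superset. It fetches GET /api/v1/me/roles/ and GET /api/v1/chart/ once with the X-GuestToken header and once as a user, flattens the role permissions into (permission, view) pairs, and reports whether the guest token holds can_read on Chart yet lists no charts while the user lists some. It assumes the user request authenticates with a JWT in an Authorization: Bearer header; the function names (fetch_json, compare_chart_visibility, live_check) and the sample chart id 42 are the example's own, and the sample payloads are constructed, reduced versions of the responses quoted above.

```python
"""Check whether a Superset guest token lists the same charts as a user with the same role.

Added example, not code from the issue or from Superset. Assumes the user request
authenticates with "Authorization: Bearer <jwt>"; function names are the example's own.
"""
import json
import sys
import urllib.request

# Same filter the issue uses for the chart list.
CHART_LIST_PATH = (
    "/api/v1/chart/?q=(order_column:changed_on_delta_humanized,"
    "order_direction:desc,page:0,page_size:25)"
)
ROLES_PATH = "/api/v1/me/roles/"


def fetch_json(base_url, path, headers):
    """GET base_url + path with the given headers and decode the JSON body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path, headers={"accept": "application/json", **headers}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def role_permissions(roles_response):
    """Flatten a /me/roles/ payload into a set of (permission, view) pairs across all roles."""
    return {
        (perm, view)
        for pairs in roles_response["result"]["roles"].values()
        for perm, view in pairs
    }


def compare_chart_visibility(guest_roles, guest_charts, user_roles, user_charts):
    """Report whether the guest token is denied charts that a user with the same permissions can list."""
    guest_perms = role_permissions(guest_roles)
    user_perms = role_permissions(user_roles)
    guest_ids = set(guest_charts.get("ids", []))
    user_ids = set(user_charts.get("ids", []))
    guest_can_read = ("can_read", "Chart") in guest_perms
    return {
        "same_permissions": guest_perms == user_perms,
        "guest_has_chart_read": guest_can_read,
        "guest_chart_count": guest_charts.get("count", 0),
        "user_chart_count": user_charts.get("count", 0),
        # Charts the user can list but the guest cannot: the gap the issue reports.
        "charts_hidden_from_guest": sorted(user_ids - guest_ids),
        # Inconsistent: guest holds can_read on Chart, the user lists charts, the guest lists none.
        "inconsistent": guest_can_read and bool(user_ids) and not guest_ids,
    }


# Constructed sample payloads, reduced from the responses quoted in the issue.
SAMPLE_ROLES = {"result": {"roles": {"Gamma": [["can_read", "Chart"], ["can_read", "Dashboard"]]}}}
SAMPLE_GUEST_CHARTS = {"count": 0, "ids": [], "result": []}
# Chart id 42 is made up for the example.
SAMPLE_USER_CHARTS = {"count": 1, "ids": [42], "result": [{"id": 42, "slice_name": "example"}]}


def live_check(base_url, guest_token, user_jwt):
    """Run the comparison against a live instance (assumes Bearer JWT auth for the user)."""
    guest = {"X-GuestToken": guest_token}
    user = {"Authorization": f"Bearer {user_jwt}"}
    return compare_chart_visibility(
        fetch_json(base_url, ROLES_PATH, guest),
        fetch_json(base_url, CHART_LIST_PATH, guest),
        fetch_json(base_url, ROLES_PATH, user),
        fetch_json(base_url, CHART_LIST_PATH, user),
    )


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python check.py http://host:8088 <guest-token> <user-jwt>
        print(json.dumps(live_check(*sys.argv[1:]), indent=2))
    else:
        report = compare_chart_visibility(
            SAMPLE_ROLES, SAMPLE_GUEST_CHARTS, SAMPLE_ROLES, SAMPLE_USER_CHARTS
        )
        print(json.dumps(report, indent=2))
```

Run without arguments to see the comparison on the constructed sample, where the guest has the same permission set as the user but an empty chart list, so "inconsistent" is true and the hidden chart id is listed; run with a base URL, guest token and user JWT to check a live instance before and after an upgrade, which answers the "still an issue in 3.x?" question below with data rather than recollection.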

rusackas commented Mar 8, 2024

Is this still an issue in 3.x?

@giacomochiarella

looks very similar to this
