fix(security): fix RBAC access check for dashboards to properly bypass dataset-level permission checks #32289
Conversation
Based on your review schedule, I'll hold off on reviewing this PR until it's marked as ready for review. If you'd like me to take a look now, comment
Review by Korbit AI
Issue | Fix Detected
---|---
Insufficient error logging context |
Inconsistent variable grouping spacing | ✅
Unsafe Dashboard Fetch Exception Handling | ✅
superset/security/manager.py
Outdated
except Exception as e: | ||
logging.error(f"Error fetching dashboard {dashboard_id}: {e}") |
Insufficient error logging context 
What is the issue?
The log message lacks context about the method and operation being performed. The exception traceback is not captured.
Why this matters
Without method context and stack trace, it will be difficult to debug production issues when dashboard fetching fails. The error log may not provide enough information to identify the root cause.
Suggested change
except Exception as e:
    logging.error(
        "Error in raise_for_access when fetching dashboard %s: %s",
        dashboard_id,
        str(e),
        exc_info=True,
    )
superset/security/manager.py
Outdated
try: | ||
dashboard_ = self.get_session.query(Dashboard).filter(Dashboard.id == dashboard_id).one_or_none() | ||
except Exception as e: | ||
logging.error(f"Error fetching dashboard {dashboard_id}: {e}") |
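Review bot: the `except Exception` in this hunk swallows any failure of the dashboard query and lets `raise_for_access` carry on; since the exception fires before `dashboard_` is assigned, the code that follows either hits an unbound name or, if `dashboard_` is pre-initialised to None elsewhere, silently takes the dataset-permission path as if no dashboard applied. For an authorization check it is safer to let the database error propagate (fail closed); if it has to be caught for logging, log with `exc_info=True` and re-raise rather than continue.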
Review by Korbit AI
Issue | Fix Detected
---|---
Redundant Data Source Initialization | ✅
superset/security/manager.py
Outdated
if datasource or query_context or viz: | ||
form_data = None | ||
|
||
if query_context: | ||
datasource = query_context.datasource | ||
form_data = query_context.form_data | ||
elif viz: | ||
datasource = viz.datasource | ||
form_data = viz.form_data |
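Review bot: `datasource` is reassigned inside this block when `query_context` or `viz` is supplied, shadowing the parameter, and when only `datasource` is passed `form_data` stays None, so no dashboard context is derived and the dataset-level check always runs. That is the right fail-safe default, but it is implicit; a one-line comment above `form_data = None` stating that the dashboard-RBAC path applies only when a dashboard id can be taken from the form data would keep a later refactor from "fixing" it.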
Review by Korbit AI
Issue | Fix Detected
---|---
Unclear variable assignment pattern |
if form_data and (dashboard_id := form_data.get("dashboardId")): | ||
dashboard_ = self.get_session.query(Dashboard).filter(Dashboard.id == dashboard_id).one_or_none() |
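Review bot: `dashboardId` is read from `form_data`, i.e. it arrives with the request, and `one_or_none()` returns None for an id that does not exist. Before the dataset-level check is skipped on the strength of this lookup, the code should confirm that the dashboard was actually found, that one of the user's roles is among the dashboard's RBAC roles, and that the datasource being checked is used by that dashboard; if any of those fails, the dataset-level check must still run. Making those three conditions explicit next to this query would also make the bypass easy to reason about in review.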
Unclear variable assignment pattern 
What is the issue?
The use of walrus operator (:=) combined with underscore suffix naming makes the code less immediately readable.
Why this matters
While the walrus operator can be useful, combining it with underscore suffix naming reduces code clarity at first glance.
Suggested change
dashboard_id = form_data.get("dashboardId") if form_data else None
if dashboard_id:
    dashboard = self.get_session.query(Dashboard).filter(Dashboard.id == dashboard_id).one_or_none()
Thank you so much for giving DASHBOARD_RBAC this love! If possible, can this please be tested (or otherwise checked) to tell if the change also resolves the special case that "a dataset included in a dataset as a subquery using the built-in (I looked through the file changes, and was not entirely certain if such DASHBOARD_RBAC-based nested/Jinja-included dataset accessibility is already fixed in this change -- to me, it looked like "maybe?").
SUMMARY
This PR addresses issue #31938 by fixing the RBAC access checks in the security manager. The changes:
- DASHBOARD_RBAC and granting a role access to a dashboard properly bypasses dataset-level permission checks.

Before this fix, enabling DASHBOARD_RBAC failed to bypass dataset-level checks for users who had dashboard access through their role, causing incorrect access control behavior.
fixes: #31938
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
BEFORE : The user, despite having the correct RBAC role, was incorrectly blocked by dataset-level checks.


AFTER: The fix ensures that the user’s RBAC role correctly bypasses dataset-level access checks.
TESTING INSTRUCTIONS
DASHBOARD_RBAC feature flag.
ADDITIONAL INFORMATION
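To make the access decision the PR description outlines concrete, here is an added, self-contained Python model. It is example code written for this page, not Superset's security manager: `User`, `Dataset`, `Dashboard`, `load_dashboard`, `role_permissions`, the `dashboard_rbac_enabled` flag and all sample data are constructed stand-ins for Superset's ORM models, role permissions and feature flag. It shows the order of checks under which a dashboard-level grant may replace the dataset-level check (flag on, dashboard found, a user role among the dashboard's roles, and the dataset actually on that dashboard), and that a failing dashboard lookup propagates instead of being swallowed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Mapping, Optional


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset[str]  # names of the roles held by the user


@dataclass(frozen=True)
class Dataset:
    id: int
    permission: str  # dataset-level permission name required to query it


@dataclass(frozen=True)
class Dashboard:
    id: int
    roles: frozenset[str]  # roles granted access through dashboard RBAC
    dataset_ids: frozenset[int]  # datasets actually used by the dashboard's charts


class AccessDenied(Exception):
    """Neither a dashboard-level grant nor a dataset-level permission applied."""


def has_dataset_permission(
    user: User, dataset: Dataset, role_permissions: Mapping[str, frozenset[str]]
) -> bool:
    """Classic check: does any of the user's roles carry the dataset permission?"""
    return any(dataset.permission in role_permissions.get(r, frozenset()) for r in user.roles)


def raise_for_access(
    user: User,
    dataset: Dataset,
    form_data: Optional[dict],
    load_dashboard: Callable[[int], Optional[Dashboard]],
    role_permissions: Mapping[str, frozenset[str]],
    dashboard_rbac_enabled: bool,
) -> None:
    """Fail closed: the dataset-level check is skipped only when every
    dashboard-RBAC condition holds."""
    if dashboard_rbac_enabled and form_data:
        dashboard_id = form_data.get("dashboardId")  # request-supplied: never trusted alone
        if dashboard_id is not None:
            # A failing lookup propagates rather than being logged and ignored;
            # an authorization decision must not continue from a half-failed state.
            dashboard = load_dashboard(dashboard_id)
            if (
                dashboard is not None
                and dataset.id in dashboard.dataset_ids
                and dashboard.roles & user.roles
            ):
                return  # the dashboard grant covers this dataset for this user
    if not has_dataset_permission(user, dataset, role_permissions):
        raise AccessDenied(f"{user.username} may not access dataset {dataset.id}")


def can_access(*args, **kwargs) -> bool:
    """Boolean wrapper; only AccessDenied is translated, other errors propagate."""
    try:
        raise_for_access(*args, **kwargs)
    except AccessDenied:
        return False
    return True


# Constructed sample data, not taken from the PR or from Superset.
SALES = Dataset(id=10, permission="datasource access on [examples].[sales]")
HR = Dataset(id=20, permission="datasource access on [examples].[hr]")
SALES_DASHBOARD = Dashboard(id=1, roles=frozenset({"sales_viewer"}), dataset_ids=frozenset({10}))
DASHBOARDS = {1: SALES_DASHBOARD}
ROLE_PERMISSIONS = {"analyst": frozenset({SALES.permission, HR.permission})}
VIEWER = User("viewer", frozenset({"sales_viewer"}))  # dashboard access only
ANALYST = User("analyst", frozenset({"analyst"}))  # dataset permissions only


def load_dashboard(dashboard_id: int) -> Optional[Dashboard]:
    """Stand-in for the one_or_none() query: None for an unknown id."""
    return DASHBOARDS.get(dashboard_id)


def scenarios() -> dict[str, bool]:
    common = dict(load_dashboard=load_dashboard, role_permissions=ROLE_PERMISSIONS)
    return {
        "viewer, rbac on, dashboard grants role and uses dataset": can_access(
            VIEWER, SALES, {"dashboardId": 1}, dashboard_rbac_enabled=True, **common),
        "viewer, rbac off": can_access(
            VIEWER, SALES, {"dashboardId": 1}, dashboard_rbac_enabled=False, **common),
        "viewer, dataset not on the dashboard": can_access(
            VIEWER, HR, {"dashboardId": 1}, dashboard_rbac_enabled=True, **common),
        "viewer, unknown dashboard id": can_access(
            VIEWER, SALES, {"dashboardId": 999}, dashboard_rbac_enabled=True, **common),
        "viewer, no dashboard context": can_access(
            VIEWER, SALES, None, dashboard_rbac_enabled=True, **common),
        "analyst, dataset permission, no dashboard": can_access(
            ANALYST, HR, None, dashboard_rbac_enabled=True, **common),
    }


def lookup_failure_propagates() -> bool:
    """The fail-closed property: a failing dashboard query is not swallowed."""
    def broken_loader(_: int) -> Optional[Dashboard]:
        raise RuntimeError("constructed: dashboard query failed")
    try:
        can_access(VIEWER, SALES, {"dashboardId": 1}, broken_loader, ROLE_PERMISSIONS, True)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print("ALLOW" if allowed else "DENY ", name)
    print("lookup failure propagates:", lookup_failure_propagates())
```

The two "viewer" denials for a dataset that is not on the dashboard and for an unknown dashboard id are the cases a reviewer of the real change would want covered by tests: the dashboard id is taken from the form data, so the bypass has to be tied to what that dashboard actually contains and grants, not to the id alone.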