[Superset]: A "daf_viewers" user can delete a Superset table

Question

[Superset]: A "daf_viewers" user can delete a Superset table

Closed this issue 6 years ago · 3 comments

mariaclaudia commented 6 years ago

Subject of the issue

It's possible to delete a table in Superset with a "daf_viewers" user

Your environment

Chrome Version 66.0.3359.170 (Official Build) (64-bit)

Steps to reproduce

login with an account with "daf_viewers" permission
open Superset and go to Sources -> Tables in order to see the tables
click on the icon "Delete record"

Expected behaviour

It should not possible to delete a table with a "Daf_viewers" profile

Actual behaviour

With a "daf_viewers" you can delete a record/table from superset

Please see attached the profile I used to delete a table:

mariaclaudia commented 6 years ago

Fixed

Answer 1 · 2018-05-15T17:35:52.000Z

@mariaclaudia domani segnalalo ad andrea lui credo sappia come risolverlo

Answer 2 · 2018-05-16T08:23:00.000Z

@mariaclaudia at the moment, superset doesn't view daf roles (e.g. daf_viewer and daf_editor). Since we are going to manage dataset only from the dataportal, we removed the delete table permission (can delete on TableModelView, muldelete on TableModelView) for non-admin superset users