giftig commented on PR #21535: URL: https://github.com/apache/superset/pull/21535#issuecomment-1534824666
Hi, I've just run into this issue in 2.1 so I can confirm that the issue still exists. I'll attempt to rebase this patch onto the latest state of the project.

I'd like to flag that this is a serious security issue around bypassing datasource access permissions, though, so it'd be good to get some eyes on this issue from your side if possible. As @victorarbuesmallada has raised here, currently in superset a user with no permissions to access `forbidden_table` can do so regardless using a query like

```sql
SELECT * FROM (SELECT * FROM forbidden_table) AS forbidden_table;
```