deepankar-np opened a new issue, #24745: URL: https://github.com/apache/superset/issues/24745
I am embedding the Superset dashboard into my Angular App and using a guest token with RLS to show the dashboard in an iframe. If the guest token expires, instead of getting a failure I am able to download the full data without the where clause present in the RLS.

#### How to reproduce the bug

1. Embed the Superset Dashboard into an Angular App
2. Call the guest token API from the Angular app
3. Pass the guest token to the embedded dashboard
4. It will open an iframe and do API calls to fetch the UI elements and the data.
5. The guest token will be passed in all of the data APIs
6. The iframe will open the dashboard and also filter out the data based on the RLS 'where clause' present in the guest token
7. Click on the download CSV option to download the report in CSV file format.
8. Check the file; it will contain the same set of data that is visible in the UI
9. Suppose the guest token expires in 5 mins, then wait for 5 mins and redownload the report

### Expected results

As the token has already expired, we should get a failure error (Access Denied) in the chart/data API response

### Actual results

Superset is allowing the download and sending unfiltered data without the RLS 'where clause', and the same is visible in the CSV file.

#### Screenshots

If needed will share it later

### Environment

- browser type and version: Microsoft Edge Version 114.0.1823.82 (Official build) (64-bit) and Google Chrome latest version
- superset version: 2.0.0
- python version: 3.9.6
- node.js version: not installed
- any feature flags active:

### Checklist

Make sure to follow these steps before submitting your issue - thank you!

- [ ] I have checked the superset logs for python stacktraces and included it here as text if there are any.
  - _No error in Superset logs_
- [ ] I have reproduced the issue with at least the latest released version of superset.
  - _No, we have not tested this in the latest version of Superset_
- [ ] I have checked the issue tracker for the same issue and I haven't found one similar.
  - _Yes, I have not found any existing error related to the download report._

### Additional context

No
