Re: [PR] fix(frontend): fix edit/delete permissions for charts, dashboards, and datasets (#18870) (#32981) [superset]

Thu, 23 Oct 2025 07:05:51 -0700 


korbit-ai[bot] commented on code in PR #32995:
URL: https://github.com/apache/superset/pull/32995#discussion_r2455268855


##########
superset-frontend/src/pages/DashboardList/index.tsx:
##########
@@ -421,6 +423,11 @@ function DashboardList(props: DashboardListProps) {
       },
       {
         Cell: ({ row: { original } }: any) => {
+          // Verify owner or isAdmin
+          const allowEdit: boolean =
+            original.owners.map((o: Owner) => o.id).includes(user.userId) ||

Review Comment:
   ### Type mismatch in owner ID comparison <sub>![category 
Functionality](https://img.shields.io/badge/Functionality-0284c7)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   Type mismatch in ownership check - user.userId can be string or number while 
owner.id type is unknown, potentially causing the includes() check to fail even 
for valid owners.
   
   
   ###### Why this matters
   This could result in legitimate dashboard owners being denied edit/delete 
access if the ID types don't match exactly (e.g., string '123' vs number 123).
   
   ###### Suggested change ∙ *Feature Preview*
   Convert both values to the same type for comparison:
   ```typescript
   original.owners.map((o: Owner) => 
o.id.toString()).includes(user.userId.toString())
   ```
   Or ensure type consistency by converting to numbers if IDs are always 
numeric.
   
   
   ###### Provide feedback to improve future suggestions
   [![Nice 
Catch](https://img.shields.io/badge/👍%20Nice%20Catch-71BC78)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/6ec60dc3-d53f-4a59-90af-d80724a39406/upvote)
 
[![Incorrect](https://img.shields.io/badge/👎%20Incorrect-white)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/6ec60dc3-d53f-4a59-90af-d80724a39406?what_not_true=true)
  [![Not in 
Scope](https://img.shields.io/badge/👎%20Out%20of%20PR%20scope-white)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/6ec60dc3-d53f-4a59-90af-d80724a39406?what_out_of_scope=true)
 [![Not in coding 
standard](https://img.shields.io/badge/👎%20Not%20in%20our%20standards-white)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/6ec60dc3-d53f-4a59-90af-d80724a39406?what_not_in_standard=true)
 
[![Other](https://img.shields.io/badge/👎%20Other-white)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/6ec60dc3-d53f-4a59-90af-d80724a39406)
   </details>
   
   <sub>
   
   💬 Looking for more details? Reply to this comment to chat with Korbit.
   </sub>
   
   <!--- korbi internal id:b092c542-3eaa-42c6-960b-457b417359b8 -->
   
   
   [](b092c542-3eaa-42c6-960b-457b417359b8)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to