GitHub user dosubot[bot] added a comment to the discussion: Overriding can_access_datasource to block access to sensitive tables
<!-- Greeting --> Hi @gabriel-korbato! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team. <!-- Answer --> Overriding `can_access_datasource` is a good start, but Superset's permission model has several layers that can bypass your custom logic. If a user has the `all_database_access` or `all_datasource_access` permission, they get universal access to all databases and datasets, which overrides granular checks—even your custom `can_access_datasource` logic. Also, if dashboard RBAC is enabled or you're using embedded dashboards/guest tokens, dashboard access can implicitly grant access to all charts and their underlying datasets, regardless of dataset-level permissions. In these cases, unauthorized users may still see charts or get "Access Denied" overlays instead of being fully blocked ([source](https://github.com/apache/superset/issues/33698), [source](https://github.com/apache/superset/issues/35795)). To enforce restrictions, make sure roles do not have `all_database_access`, `all_datasource_access`, or explicit access to sensitive datasets. For dashboards, check that the frontend sends the correct `dashboardId` in chart requests—missing this can bypass permission checks and expose data from unauthorized tables ([source](https://github.com/apache/superset/issues/33698)). Fine-grained chart-level access is limited if multiple charts share the same datasource ([source](https://github.com/apache/superset/discussions/32338)). There is an active proposal (SIP-126) to add explicit viewer permissions for dashboards and charts, but it's not implemented yet. If you need strict per-dataset or per-chart visibility, you may need to add custom filtering logic or handle unauthorized chart hiding on the frontend for now. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/0dd80496-0241-4aa0-8cfd-4df0e0082412?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/0dd80496-0241-4aa0-8cfd-4df0e0082412?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/0dd80496-0241-4aa0-8cfd-4df0e0082412?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/0dd80496-0241-4aa0-8cfd-4df0e0082412?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/0dd80496-0241-4aa0-8cfd-4df0e0082412?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/0dd80496-0241-4aa0-8cfd-4df0e0082412?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/0dd80496-0241-4aa0-8cfd-4df0e0082412?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github)& nbsp;[](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/discussions/35932) GitHub link: https://github.com/apache/superset/discussions/35932#discussioncomment-14839904 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
