dosubot[bot] commented on issue #36244: URL: https://github.com/apache/superset/issues/36244#issuecomment-3572770287
This is a confirmed issue in Superset 4.1.3: when a user imports a dashboard, the backend logic appends the importing user to the dashboard's owners list, even if they weren't an owner before. This means a user with "can write on dashboard" permission can gain owner privileges on dashboards they import, which can lead to unauthorized privilege escalation. The import logic does check that only owners or admins can overwrite an existing dashboard, but it does not prevent non-owners from being added as owners during import, nor does it create a copy for non-owners as you described is expected. There is also no separation between import and write permissions in 4.1.3—"can write on dashboard" controls creation, editing, and import/overwrite operations, and there is no built-in way to disable or hide the "Overwrite" option for non-owners in the UI or API ([source](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/commands/dashboard/importers/v1/utils.py#L146-L197)).

Recent versions have introduced a CopyDashboardCommand and improved RBAC checks, but these are not present in 4.1.3. To mitigate this risk in your current version, you can restrict "can write on dashboard" to only trusted users, review dashboard ownership after imports, and train users on the implications of importing dashboards. There is no config flag or built-in workaround to fully prevent this in 4.1.3; a custom patch to the import logic would be required to enforce the secure workflow you described.
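The ownership behaviour discussed in the comment above, as a simplified model added here for illustration (this is not Superset's code; the `Dashboard` class, the in-memory `store`, the function names and the copy-slug convention are assumptions for the example). It puts the "importer is appended to owners" behaviour beside the secure workflow the issue asks for (owners/admins update in place, everyone else gets their own copy), plus a post-import ownership review of the kind the comment recommends.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Dashboard:
    slug: str
    owners: set[str] = field(default_factory=set)


def import_dashboard_vulnerable(store: dict[str, Dashboard], slug: str, importer: str) -> Dashboard:
    """Models the behaviour described for 4.1.3: the existing dashboard with this
    slug is reused and the importing user is appended to its owners, so a
    non-owner ends up with owner privileges on a dashboard they did not own."""
    dash = store.setdefault(slug, Dashboard(slug))
    dash.owners.add(importer)
    return dash


def import_dashboard_hardened(store: dict[str, Dashboard], slug: str, importer: str,
                              is_admin: bool = False) -> Dashboard:
    """Secure workflow from the issue: an owner or admin updates the existing
    dashboard in place (owner set untouched); anyone else receives a separate
    copy that only they own. The original's owners are never modified."""
    existing = store.get(slug)
    if existing is None:
        dash = Dashboard(slug, {importer})      # brand-new dashboard: importer owns it
        store[slug] = dash
        return dash
    if is_admin or importer in existing.owners:
        return existing                         # authorised overwrite, owners unchanged
    copy_slug = f"{slug}-copy-{importer}"       # assumed naming scheme for the copy
    copy = Dashboard(copy_slug, {importer})
    store[copy_slug] = copy
    return copy


def audit_owner_changes(before: dict[str, set[str]], after: dict[str, set[str]]) -> dict[str, set[str]]:
    """Post-import review: owners present after the import that were not owners
    before. New dashboards report all of their owners; unchanged ones are omitted."""
    findings: dict[str, set[str]] = {}
    for slug, owners in after.items():
        added = owners - before.get(slug, set())
        if added:
            findings[slug] = added
    return findings
```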
