dosubot[bot] commented on issue #37061: URL: https://github.com/apache/superset/issues/37061#issuecomment-3739619323
There isn't currently a way to allow guest users to interact more granularly with embedded dashboards (like enabling sorting) via roles or permissions. The restriction is enforced by hardcoded security logic: any modification to the chart payload—including sorting—triggers a security exception for guest users, regardless of their assigned role or permissions. Even with a custom guest role and all possible permissions, guest users are still blocked from modifying chart payloads in embedded dashboards, including sorting table columns [[source](https://github.com/apache/superset/blob/master/superset/security/manager.py)][[source](https://github.com/apache/superset/blob/master/tests/unit_tests/security/manager_test.py)].

To support more granular guest interactivity (like sorting only), the codebase would need changes—specifically in the logic that checks for query context modifications and enforces guest restrictions. There are no configuration flags, feature toggles, or workarounds available for this today.

If you need interactive features for embedded users, the only current alternative is to use authenticated users with restricted roles instead of guest tokens. This approach allows you to control permissions more flexibly, but it does require user authentication.

If you'd like to see this capability in the future, you might want to follow or participate in related feature discussions or proposals.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
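
A simplified model of the kind of payload check the comment describes, added here as an example; it is not part of the original comment and not Superset's code. The guarded key list, the function names and the `allow_sort` relaxation are assumptions for illustration, and the sample payloads are constructed.

```python
# Illustrative model only: names and the guarded key list are assumptions,
# not Superset's implementation.
GUARDED_KEYS = ("metrics", "columns", "groupby", "orderby")


class GuestPayloadModified(Exception):
    """Raised when a guest request differs from the stored chart definition."""


def modified_keys(stored, requested, guarded=GUARDED_KEYS):
    """Return guarded keys whose requested value differs from the stored one.

    A missing key and an empty list are treated as equal.
    """
    return [
        key for key in guarded
        if list(stored.get(key) or []) != list(requested.get(key) or [])
    ]


def check_guest_request(stored, requested, allow_sort=False):
    """Strict mode rejects any guarded change.

    With allow_sort=True (a hypothetical relaxation), a changed "orderby" is
    accepted only if every sort column is a plain name the stored chart
    already exposes; ad-hoc expressions and unseen columns are still rejected.
    """
    changed = modified_keys(stored, requested)
    if allow_sort and "orderby" in changed:
        exposed = set(stored.get("columns") or []) | set(stored.get("metrics") or [])
        if all(isinstance(col, str) and col in exposed
               for col, _ascending in requested.get("orderby") or []):
            changed.remove("orderby")
    if changed:
        raise GuestPayloadModified("guest changed: " + ", ".join(changed))
    return True


# Constructed sample payloads.
STORED = {"columns": ["country", "city"], "metrics": ["count"],
          "orderby": [["count", False]]}
SORTED = dict(STORED, orderby=[["country", True]])            # re-sort only
WIDENED = dict(STORED, columns=["country", "city", "email"],  # adds a column
               orderby=[["email", True]])
ADHOC = dict(STORED, orderby=[[{"sqlExpression": "1"}, True]])  # ad-hoc sort
```

In strict mode the re-sort request is rejected like any other change; with the relaxation it passes, while the widened and ad-hoc requests are still refused.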
