Bug description

Hello everyone, I am using Superset v4.1.1 and I am embedding dashboards from it on another site in an iframe. I am trying to disable the "Edit chart" button from the charts there and also remove the clickable option to edit the chart when you hover over the chart title. This is a similar issue that was discussed in:

https://github.com/apache/superset/issues/28141
https://github.com/apache/superset/issues/28172

I would like to ask if there are potential options to remove this functionality from the embedded dashboard without using the CSS editor (as it might potentially cause other issues with the layout and doesn't remove the permissions themselves). I have tried the proposed solution of using a custom role with these permissions for the account that is used for embedding the dashboard:

  - can csrf token on Superset
  - can csv on Superset
  - can fetch datasource metadata on Superset
  - can invalidate on CacheRestApi
  - can log on Superset
  - can read on Chart
  - can read on CssTemplate
  - can read on Dashboard
  - can read on DashboardFilterStateRestApi
  - can read on Database
  - can read on Dataset
  - can read on Query
  - can read on SavedQuery
  - can slice json on Superset
  - can time range on Api
  - can warm up cache on Superset

but I am still seeing the options to edit the charts in the embedded dashboard. Could you let me know please if there is a solution for this or whether I am missing something?

Screenshots/recordings

No response

Superset version

4.1.1

Python version

Not applicable

Node version

Not applicable

Browser

Chrome

Additional context

No response

Checklist

  • [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

Hello, @DenisPnko! I'm here to help you with any bugs, questions, or assistance you need. Let's tackle this together!

There are a few similar discussions related to your issue:

  1. Embedded dashboard: hide edit chart title link - This discussion is still open and might provide some insights or potential solutions.
  2. How to disable in chart controls? - This is another open discussion that might be relevant.
  3. Not Able To Disable Edit Chart Option And Clickable Title Option In Iframe - This discussion is also open and directly relates to your issue.

A closed issue suggested creating a custom role with a subset of permissions to make up a view-only profile. Starting with the Gamma role and removing permissions that allow editing might help. A user shared their personal 'view-only' definition, which includes permissions like can read on Chart, can read on Dashboard, and others that fit a view-only use case [1].

Additionally, the specific permission associated with the 'Edit chart' functionality in Superset is can_explore. The 'Edit chart' button is rendered as disabled if the user does not have the can_explore permission [2][3]. You might want to ensure that this permission is not included in your custom role.

For embedded dashboards, Superset uses a class permission name and method permission name to handle permissions. The EmbeddedDashboardRestApi class has a class_permission_name set to "EmbeddedDashboard" and uses MODEL_API_RW_METHOD_PERMISSION_MAP for method_permission_name [4].

Lastly, there are configuration options in Superset that allow for disabling interactive elements in embedded dashboards. The dashboardUiConfig parameter in the embedDashboard function includes options such as hideTitle, hideTab, and hideChartControls which can be used to control the visibility of these elements [5]. You might want to explore these options to see if they meet your needs.


Comment From: rusackas

I believe there's a "can_edit" permission that you can remove for your embedded user account(s) that should hide the button.

Comment From: diegoquintanav

Make sure the permission "can explore on Superset" is not present in any of the roles assigned to the user. Also try removing the "can explore json on Superset" permission.
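An added example, not part of the thread and not Superset's own code: a check that unions the permissions of every role held by the embedding account and reports which role grants the two explore permissions named in the comment above. The role names, the `ROLES` sample and the `DENIED` list are constructed assumptions; in practice the role contents would be copied from the Superset role list.

```python
# Permissions this thread names as exposing chart editing (assumed deny-list).
DENIED = {("can_explore", "Superset"), ("can_explore_json", "Superset")}

# Constructed sample: part of the custom role from the report plus a
# hypothetical second role that the same account also holds.
ROLES = {
    "EmbedViewOnly": [
        "can csrf token on Superset", "can csv on Superset",
        "can fetch datasource metadata on Superset", "can log on Superset",
        "can read on Chart", "can read on Dashboard", "can read on Dataset",
        "can slice json on Superset", "can time range on Api",
    ],
    "LegacyViewer": [
        "can read on Chart", "can explore on Superset",
        "can explore json on Superset",
    ],
}


def normalize(label):
    """Map a UI label like 'can explore json on Superset' to the
    ('can_explore_json', 'Superset') pair used for comparison."""
    action, sep, view = label.strip().partition(" on ")
    if not sep or not action.lower().startswith("can ") or not view:
        raise ValueError(f"unrecognised permission label: {label!r}")
    return "_".join(action.lower().split()), view.strip()


def effective_permissions(roles):
    """Union permissions over all roles; returns {permission: [role, ...]}."""
    granted = {}
    for role, labels in roles.items():
        for label in labels:
            granted.setdefault(normalize(label), []).append(role)
    return granted


def audit(roles, denied=DENIED):
    """Return {denied permission: roles granting it} for one account."""
    granted = effective_permissions(roles)
    return {p: sorted(granted[p]) for p in sorted(denied) if p in granted}


if __name__ == "__main__":
    for (action, view), sources in audit(ROLES).items():
        print(f"{action} on {view} granted via: {', '.join(sources)}")
```

An empty result from `audit` means none of the account's roles carries either permission.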

Comment From: rusackas

Assuming the above comments helped deal with this issue, since it's been silent for quite a while. Please feel free to drop a comment if we need to revisit/reopen this!