Bug description
After upgrading from 3.1.0 to 3.1.1, dashboards and filters no longer work and give this error: "Guest user cannot modify chart payload". I didn't change any permissions, and I even tried changing GUEST_ROLE_NAME to "Admin", but it still didn't work. I can see that the POST request to /api/v1/chart/data is coming back with 403, but I can't tell what is causing it.
How to reproduce the bug
Using the Docker 3.1.1 image:
1. Create an embedded dashboard app
2. Try to use it
Screenshots/recordings
No response
Superset version
3.1.1
Python version
I don't know
Node version
I don't know
Browser
Chrome
Additional context
Logs:
SupersetErrorException
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(view_args)
  File "/usr/local/lib/python3.9/site-packages/flask_appbuilder/security/decorators.py", line 95, in wraps
    return f(self, *args, kwargs)
  File "/app/superset/views/base_api.py", line 127, in wraps
    raise ex
  File "/app/superset/views/base_api.py", line 121, in wraps
    duration, response = time_function(f, self, args, kwargs)
  File "/app/superset/utils/core.py", line 1463, in time_function
    response = func(args, kwargs)
  File "/app/superset/utils/log.py", line 255, in wrapper
    value = f(*args, kwargs)
  File "/app/superset/charts/data/api.py", line 235, in data
    command.validate()
  File "/app/superset/commands/chart/data/get_data_command.py", line 68, in validate
    self._query_context.raise_for_access()
  File "/app/superset/common/query_context.py", line 137, in raise_for_access
    self._processor.raise_for_access()
  File "/app/superset/common/query_context_processor.py", line 754, in raise_for_access
    security_manager.raise_for_access(query_context=self._query_context)
  File "/app/superset/security/manager.py", line 1960, in raise_for_access
    raise SupersetSecurityException(
superset.exceptions.SupersetSecurityException: Guest user cannot modify chart payload
2024-02-20 19:57:34,465:WARNING:superset.views.base:SupersetErrorException
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(view_args)
  File "/usr/local/lib/python3.9/site-packages/flask_appbuilder/security/decorators.py", line 95, in wraps
    return f(self, *args, kwargs)
  File "/app/superset/views/base_api.py", line 127, in wraps
    raise ex
  File "/app/superset/views/base_api.py", line 121, in wraps
    duration, response = time_function(f, self, args, kwargs)
  File "/app/superset/utils/core.py", line 1463, in time_function
    response = func(args, kwargs)
  File "/app/superset/utils/log.py", line 255, in wrapper
    value = f(*args, kwargs)
  File "/app/superset/charts/data/api.py", line 235, in data
    command.validate()
  File "/app/superset/commands/chart/data/get_data_command.py", line 68, in validate
    self._query_context.raise_for_access()
  File "/app/superset/common/query_context.py", line 137, in raise_for_access
    self._processor.raise_for_access()
  File "/app/superset/common/query_context_processor.py", line 754, in raise_for_access
    security_manager.raise_for_access(query_context=self._query_context)
  File "/app/superset/security/manager.py", line 1960, in raise_for_access
    raise SupersetSecurityException(
superset.exceptions.SupersetSecurityException: Guest user cannot modify chart payload
172.20.0.1 - - [20/Feb/2024:19:57:34 +0000] "POST /api/v1/chart/data?form_data=%7B%22slice_id%22%3A108%7D&dashboard_id=65 HTTP/1.1" 403 149 "http://localhost:8088/embedded/3f11daf2-84ac-4c8f-80aa-e9310b488fe7" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
Checklist
- [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: michael-s-molina
Please check https://github.com/apache/superset/pull/26749.
Comment From: rscarborough1996
Thanks for the response! I see that certain modifications to chart data request will result in this error, but I haven't modified anything. This is just the vanilla request that comes from the embedded dashboard.
After more testing, if I wait on the embedded page for a while, it sometimes starts working when I refresh the chart. I have checked logs and the requests in dev tools, but I can't see any difference between the requests that work and the requests that produce this error, other than a session cookie changing.
Comment From: michael-s-molina
@betodealmeida could you take a look?
Comment From: nfalco79
Same issue here, all our charts show that guest user (Gamma role) cannot set filters or show charts. Unexpected error (Guest user cannot modify chart payload)
Comment From: raphaelcosta
+1
Comment From: xrdavies
same issue here
Comment From: rusackas
Ping @sadpandajoe
Comment From: xrdavies
same issue here
it seems particular types of charts have this issue in dashboard. not all of them.
Comment From: betodealmeida
I wonder if anything changed in the way we generate form_data? That would cause a mismatch between the chart payload requested by a dashboard and what's stored in the DB.
Can anyone affected share the form_data requested by the dashboard (from the network tab in developers tools) and compare it with the params field of the chart in the database?
Comment From: rscarborough1996
form_data request from embedded dashboard:
{
"datasource": "76__table",
"viz_type": "table",
"slice_id": 108,
"url_params": {},
"query_mode": "raw",
"groupby": [],
"time_grain_sqla": "P1D",
"temporal_columns_lookup": {},
"metrics": [],
"all_columns": [...],
"percent_metrics": [],
"adhoc_filters": [],
"order_by_cols": [
"[\"tstamp\", false]"
],
"row_limit": 50000,
"server_page_length": 10,
"order_desc": true,
"table_timestamp_format": "smart_date",
"show_cell_bars": false,
"color_pn": true,
"column_config": {
"operatorId": {
"showCellBars": false
},
"tstamp": {
"d3TimeFormat": "%Y-%m-%d %H:%M:%S"
}
},
"conditional_formatting": [],
"extra_form_data": {},
"granularity_sqla": "tstamp",
"time_range": "No filter",
"label_colors": {},
"shared_label_colors": {},
"extra_filters": [],
"dashboardId": 65,
"force": false,
"result_format": "json",
"result_type": "full",
"include_time": false
}
params for that chart from the database:
{
"adhoc_filters": [],
"all_columns": [...],
"color_pn": true,
"column_config": {
"operatorId": {
"showCellBars": false
},
"tstamp": {
"d3TimeFormat": "%Y-%m-%d %H:%M:%S"
}
},
"conditional_formatting": [],
"datasource": "76__table",
"extra_form_data": {},
"granularity_sqla": "tstamp",
"groupby": [],
"metrics": [],
"order_by_cols": [
"[\"tstamp\", false]"
],
"order_desc": true,
"percent_metrics": [],
"query_mode": "raw",
"row_limit": 50000,
"server_page_length": 10,
"show_cell_bars": false,
"slice_id": 108,
"table_timestamp_format": "smart_date",
"time_grain_sqla": "P1D",
"time_range": "No filter",
"viz_type": "table"
}
I've removed the columns here, but I did verify that they match.
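The comparison requested above, as an added example (not code from this thread or from Superset): a small Python helper that diffs the form_data sent by the embedded dashboard against the chart's stored params. The function names are hypothetical, and the sample payloads are abbreviated from the two posted in this thread.

```python
import json


def load(payload):
    """Accept a dict or a JSON string (as copied from dev tools or the DB)."""
    return json.loads(payload) if isinstance(payload, str) else dict(payload)


def canonical(value):
    """Serialize with sorted keys so dict key order never counts as a change."""
    return json.dumps(value, sort_keys=True)


def diff_payload(requested, stored):
    """Report keys added by the request, missing from it, or changed in value."""
    requested, stored = load(requested), load(stored)
    shared = requested.keys() & stored.keys()
    return {
        "only_in_request": sorted(requested.keys() - stored.keys()),
        "only_in_stored": sorted(stored.keys() - requested.keys()),
        "changed": sorted(
            k for k in shared if canonical(requested[k]) != canonical(stored[k])
        ),
    }


# Sample data: abbreviated from the two payloads posted in this thread.
REQUEST_FORM_DATA = {
    "datasource": "76__table", "viz_type": "table", "slice_id": 108,
    "url_params": {}, "query_mode": "raw", "groupby": [], "metrics": [],
    "adhoc_filters": [], "row_limit": 50000, "extra_filters": [],
    "dashboardId": 65, "force": False, "result_format": "json",
    "result_type": "full",
}
# The stored chart definition is passed as JSON text here.
STORED_PARAMS = json.dumps({
    "adhoc_filters": [], "datasource": "76__table", "groupby": [],
    "metrics": [], "query_mode": "raw", "row_limit": 50000,
    "slice_id": 108, "viz_type": "table",
})

if __name__ == "__main__":
    report = diff_payload(REQUEST_FORM_DATA, STORED_PARAMS)
    for section, keys in report.items():
        print(f"{section}: {keys}")
```

For these payloads no shared key differs in value; the request only adds dashboard-level keys such as dashboardId and result_format, which matches the reporter's observation that the stored and requested values match.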
Comment From: betodealmeida
Thanks, let me try to repro it.
Comment From: xrdavies
For more info, I have tried to downgrade to 3.1.0, and it works well
Comment From: lindenh
I had left a comment after the fact (though I probably should have created an issue earlier) on that here: https://github.com/apache/superset/pull/26749#issuecomment-1930672542 tl;dr: I think this is caused by mixed charts and saved metrics on big number charts.
Comment From: MickJerin12
We are encountering the same problem following an upgrade from V3.1.0 to V4.0.0rc1.
Most of the charts and all the filters are showing the following error (Guest user cannot modify chart payload)
Comment From: avree
Same here - downgrade to 3.1.0 resolved it. Simple charts, such as our Table chart, are still working, but other visualizations such as the pie chart are not.
Comment From: ilndinesh
Same problem for us too
Comment From: ilndinesh
For now we had to comment out that raise error code on our local deploys, and it works as before.
Comment From: loretoparisi
> For now we had to comment out that raise error code on our local deploys, and it works as before.
I'm getting this error on the main (master) branch, building with docker, how can I downgrade that modification on the code, without changing the whole code base?
Comment From: ilndinesh
> > For now we had to comment out that raise error code on our local deploys, and it works as before.
> I'm getting this error on the main (master) branch, building with docker, how can I downgrade that modification on the code, without changing the whole code base?
You can add a patch step to your build to modify just that file with the changes you need. We did the same as a build step, by overwriting just that file with the updated file with commented/removed code.
Comment From: ilndinesh
Maybe an explicit superset flag to turn off this security feature will help. Thank you.
Comment From: loretoparisi
@ilndinesh source patched it works, definitively an env to be checked would be good, thanks.
Comment From: JurajBurian
Hello folks, is there any progress with the issue? Affected is everything from 3.1.1+. Maybe a partial rollback of the 26749 is a temporary solution.
Comment From: jose-l-goncalves-alb
+1
+1 (version 3.0.4)
Comment From: tvc12
Same problem in version 4.1.0rc1. Reverting to 3.1.0 works for me!
Comment From: enzo-dechaene
same from 3.0.3 to 3.0.4
Comment From: JurajBurian
We have other critical issues fixes in master (behind 4.1.0.rc1), but embedding is not working and it is also critical for us :-(.
Comment From: tycerch
Same from 2.1.0 to 3.1.1
Comment From: michael-s-molina
Fixed by https://github.com/apache/superset/pull/27484 @betodealmeida
Comment From: michael-s-molina
@betodealmeida Reopening the issue as it looks like the issue persists for some use cases even after https://github.com/apache/superset/pull/27484.
Comment From: talk2morris
Hello folks, pls how do I downgrade from 3.1.1 to 3.1.0
Comment From: michael-s-molina
> Hello folks, pls how do I downgrade from 3.1.1 to 3.1.0
Hi @talk2morris. There are no migrations between 3.1.1 and 3.1.0. You can just download/point to the previous patch.
Comment From: michael-s-molina
It would be helpful if folks here could check if the issue persists after https://github.com/apache/superset/pull/27484 as @JurajBurian mentioned here. It would be helpful to determine if it's only a specific case that's still failing or if there are others. Given the nature of the bug, please provide as much detail as possible.
Comment From: rscarborough1996
@michael-s-molina I tested this using the apache/superset:735b895 docker image (correct me if I am wrong, but I believe that refers to the #27484 merge commit).
I am still getting the same error.
Comment From: talk2morris
> > Hello folks, pls how do I downgrade from 3.1.1 to 3.1.0
> Hi @talk2morris. There are no migrations between 3.1.1 and 3.1.0. You can just download/point to the previous patch.
@michael-s-molina thanks, actually I have downgraded to 3.1.0 and it solved the issue.
Comment From: JurajBurian
> It would be helpful if folks here could check if the issue persists after #27484 as @JurajBurian mentioned here. It would be helpful to determine if it's only a specific case that's still failing or if there are others. Given the nature of the bug, please provide as much detail as possible.
I patched latest docker image (and also manager.py looks as actual in master) and I believe that first change in my patch was correct. I replaced return True on False on the line 158 in sanity check:
# sanity checks
if form_data is None or stored_chart is None:
    return False
this is probably correct, because in same case one (or maybe both) of values is None in the condition. And this patch was almost "correct", but for some cases then type cast exception occurred - as I mentioned in my remark. I hope that my observation helps fix this bug. For now we use almost [1] absolutely fresh image from master (fixed other bugs) on production :-(.
[1] Latest image has another problem: some selects written in PostgreSQL dialect throw exception see my remark on slack. @michael-s-molina should I raise an issue about this problem? Sorry if it is not a good place to ask question like this.
Comment From: michael-s-molina
> I patched latest docker image (and also manager.py looks as actual in master) and I believe that first change in my patch was correct. I replaced return True on False on the line 158 in sanity check:
Thanks for the details @JurajBurian. Please open a specific issue for the Postgres problem.
Comment From: betodealmeida
Taking a look.
Comment From: michael-s-molina
Thanks @betodealmeida for the fix 🙏🏼
Comment From: rscarborough1996
I tested this using the apache/superset:36290ce docker image and it seems to have fixed the issue!
Comment From: guga-kudos
Downgrading to 3.1.0 worked for me as well. Waiting for 3.2.0 or 3.1.2 to be released. Do we have any dates on that? 😄
Comment From: sandeepr43
Same issue here....
I had to downgrade my superset version from 3.1.1 to 3.1.0.
it sucks as 3.1.1 version has resolved some bugs like "Full screen error" in embedded UI.
Comment From: rusackas
> Downgrading to 3.1.0 worked for me as well. Waiting for 3.2.0 or 3.1.2 to be released. Do we have any dates on that? 😄
3.1.2 is up for testing/voting now (as is 4.0, incidentally)
Comment From: Attachai77
I got same issue (v 4.0)
Comment From: enzo-dechaene
Hi @Attachai77, I don't know if this is a solution but I solved the problem by removing the "datasource access on table..." right on my specific role.
Comment From: Attachai77
Hello @enzo-dechaene, thank you for your reply. Below are my permissions, which do not have any "datasource access on table...". Could you please show me your guest permissions that work, or tell me which of my permissions is wrong? Thanks.
Comment From: enzo-dechaene
It fixed the problem for me. Can you check using the Gamma role instead? It will help to know if it's a role problem.
Comment From: Attachai77
I will try it.
Comment From: justin-tomlinson
@Attachai77 I was testing v4.0 docker image and imported some dashboards from v3.1.0 and still see the issue on some charts. I then opened the problem charts in explore and saved them again (no changes just save) and they appear to work ok. so maybe persisting something in chart definition somewhere
Comment From: Attachai77
@justin-tomlinson I did it, but not work. the same error. 😭
Comment From: gabrielheck
I encountered the issue "Guest user cannot modify chart payload" in version 4.0 after importing dashboards from version 3.1. To resolve this, I opened the affected chart and saved it again. I believe there is a minor difference in the chart data structure between these versions that causes this error. Notably, this issue occurs only with the Pie Chart and Big Number chart.
Comment From: stockarea
In embedding I am getting the same issue. I even tried to generate a guest token for my user having the admin role; still I am getting the same issue.
Comment From: rusackas
If you're still encountering this in current versions, please add additional context here: https://github.com/apache/superset/issues/28446
Comment From: StaSotiro
For me this was resolved by upgrading to 4.0.2 from 3.1.1
Comment From: marianysilva
Workaround: You can open the Chart using Superset Interface, load the data, and then go to your Embedded dashboard and reload it. It should work.
FROM apache/superset:4.0.2-py310
Comment From: natwar585
> Same here - downgrade to 3.1.0 resolved it. Simple charts, such as our Table chart, are still working, but other visualizations such as the pie chart are not.
how to resolve this issue
Comment From: natwar585
The pie chart does not render in my Angular application, and the filter also shows the error: Cannot load filter Guest user cannot modify chart payload
Comment From: natwar585
Bug description
After upgrading from 3.1.0 to 3.1.1, dashboards and filters no longer work and give this error: "Guest user cannot modify chart payload". I didn't change any permissions, and I even tried changing GUEST_ROLE_NAME to "Admin", but it still didn't work. I can see that the POST request to /api/v1/chart/data is coming back with 403, but I can't tell what is causing it.
How to reproduce the bug
Using the Docker 3.1.1 image:
Create an embedded dashboard app
Try to use it
Screenshots/recordings
No response
Superset version
3.1.1
Python version
I don't know
Node version
I don't know
Browser
Chrome
Comment From: danilobraga-loft
@natwar585 did you resolve this issue? I believe I have a similar scenario; I am always getting "Guest user cannot modify chart payload".
Here are my configs in case any of you have a clue:
# Embedded
PUBLIC_ROLE_LIKE_GAMMA = True
FEATURE_FLAGS = {"EMBEDDED_SUPERSET": True}
ENABLE_CORS = True
CORS_OPTIONS = {
    "supports_credentials": True,
    "allow_headers": ["Content-Type", "Authorization", "X-CSRFToken"],
    "resources": ["*"],
    "origins": [
        "https://myappid-on.ngrok-free.app"
    ],
    "methods": ["GET", "POST", "OPTIONS"],
}
HTTP_HEADERS = {
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "frame-ancestors *",
}
SESSION_COOKIE_SAMESITE = None
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = False
GUEST_ROLE_NAME = "Gamma"
GUEST_TOKEN_JWT_ALGO = "HS256"
GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
GUEST_TOKEN_JWT_AUDIENCE = "https://myappid-on.ngrok-free.app"
# TALISMAN CONFIGURATIONS
TALISMAN_ENABLED = False
WTF_CSRF_ENABLED = False
# Embedded End
Comment From: isaac868
I am encountering this issue when attempting to change the time grain of an embedded dashboard. I haven't migrated my charts or dashboard from an earlier version; they were all made in 4.1.1. My other filters work as expected. Why is the guest user prevented from changing the time grain? Would it make sense to allow an admin to select which metrics can be changed by the guest user's query on chart creation? A config option to disable these checks would also be helpful. Thanks
Comment From: singhs124
We are still facing same issue on superset 4.0.2 version.
Comment From: danfer
I was having same issue, showing that error, fixed on using GUEST_ROLE_NAME = "Gamma".