Bug description

After upgrading from 3.1.0 to 3.1.1, dashboards and filters no longer work and give this error: "Guest user cannot modify chart payload". I didn't change any permissions, and I even tried changing GUEST_ROLE_NAME to "Admin", but it still didn't work. I can see that the POST request to /api/v1/chart/data is coming back with 403, but I can't tell what is causing it.

How to reproduce the bug

Using the Docker 3.1.1 image:

1. Create an embedded dashboard app
2. Try to use it

Screenshots/recordings

No response

Superset version

3.1.1

Python version

I don't know

Node version

I don't know

Browser

Chrome

Additional context

Logs:

    SupersetErrorException
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
        rv = self.dispatch_request()
      File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
        return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
      File "/usr/local/lib/python3.9/site-packages/flask_appbuilder/security/decorators.py", line 95, in wraps
        return f(self, *args, **kwargs)
      File "/app/superset/views/base_api.py", line 127, in wraps
        raise ex
      File "/app/superset/views/base_api.py", line 121, in wraps
        duration, response = time_function(f, self, *args, **kwargs)
      File "/app/superset/utils/core.py", line 1463, in time_function
        response = func(*args, **kwargs)
      File "/app/superset/utils/log.py", line 255, in wrapper
        value = f(*args, **kwargs)
      File "/app/superset/charts/data/api.py", line 235, in data
        command.validate()
      File "/app/superset/commands/chart/data/get_data_command.py", line 68, in validate
        self._query_context.raise_for_access()
      File "/app/superset/common/query_context.py", line 137, in raise_for_access
        self._processor.raise_for_access()
      File "/app/superset/common/query_context_processor.py", line 754, in raise_for_access
        security_manager.raise_for_access(query_context=self._query_context)
      File "/app/superset/security/manager.py", line 1960, in raise_for_access
        raise SupersetSecurityException(
    superset.exceptions.SupersetSecurityException: Guest user cannot modify chart payload
    2024-02-20 19:57:34,465:WARNING:superset.views.base:SupersetErrorException
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
        rv = self.dispatch_request()
      File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
        return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
      File "/usr/local/lib/python3.9/site-packages/flask_appbuilder/security/decorators.py", line 95, in wraps
        return f(self, *args, **kwargs)
      File "/app/superset/views/base_api.py", line 127, in wraps
        raise ex
      File "/app/superset/views/base_api.py", line 121, in wraps
        duration, response = time_function(f, self, *args, **kwargs)
      File "/app/superset/utils/core.py", line 1463, in time_function
        response = func(*args, **kwargs)
      File "/app/superset/utils/log.py", line 255, in wrapper
        value = f(*args, **kwargs)
      File "/app/superset/charts/data/api.py", line 235, in data
        command.validate()
      File "/app/superset/commands/chart/data/get_data_command.py", line 68, in validate
        self._query_context.raise_for_access()
      File "/app/superset/common/query_context.py", line 137, in raise_for_access
        self._processor.raise_for_access()
      File "/app/superset/common/query_context_processor.py", line 754, in raise_for_access
        security_manager.raise_for_access(query_context=self._query_context)
      File "/app/superset/security/manager.py", line 1960, in raise_for_access
        raise SupersetSecurityException(
    superset.exceptions.SupersetSecurityException: Guest user cannot modify chart payload
    172.20.0.1 - - [20/Feb/2024:19:57:34 +0000] "POST /api/v1/chart/data?form_data=%7B%22slice_id%22%3A108%7D&dashboard_id=65 HTTP/1.1" 403 149 "http://localhost:8088/embedded/3f11daf2-84ac-4c8f-80aa-e9310b488fe7" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"

Checklist

  • [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: michael-s-molina

Please check https://github.com/apache/superset/pull/26749.

Comment From: rscarborough1996

Thanks for the response! I see that certain modifications to the chart data request will result in this error, but I haven't modified anything. This is just the vanilla request that comes from the embedded dashboard.

After more testing, if I wait on the embedded page for a while, it sometimes starts working when I refresh the chart. I have checked logs and the requests in dev tools, but I can't see any difference between the requests that work and the requests that produce this error, other than a session cookie changing.

Comment From: michael-s-molina

@betodealmeida could you take a look?

Comment From: nfalco79

Same issue here: all our charts show that the guest user (Gamma role) cannot set filters nor show charts. Unexpected error (Guest user cannot modify chart payload)

Comment From: raphaelcosta

+1

Comment From: xrdavies

same issue here

Apache Superset Error on embedded dashboard after upgrading to 3.1.1:

Comment From: rusackas

Ping @sadpandajoe

Comment From: xrdavies

same issue here

Apache Superset Error on embedded dashboard after upgrading to 3.1.1:

it seems particular types of charts have this issue in dashboard. not all of them.

Comment From: betodealmeida

I wonder if anything changed in the way we generate form_data? That would cause a mismatch between the chart payload requested by a dashboard and what's stored in the DB.

Can anyone affected share the form_data requested by the dashboard (from the network tab in developers tools) and compare it with the params field of the chart in the database?

Comment From: rscarborough1996

form_data request from embedded dashboard:

{
    "datasource": "76__table",
    "viz_type": "table",
    "slice_id": 108,
    "url_params": {},
    "query_mode": "raw",
    "groupby": [],
    "time_grain_sqla": "P1D",
    "temporal_columns_lookup": {},
    "metrics": [],
    "all_columns": [...],
    "percent_metrics": [],
    "adhoc_filters": [],
    "order_by_cols": [
        "[\"tstamp\", false]"
    ],
    "row_limit": 50000,
    "server_page_length": 10,
    "order_desc": true,
    "table_timestamp_format": "smart_date",
    "show_cell_bars": false,
    "color_pn": true,
    "column_config": {
        "operatorId": {
            "showCellBars": false
        },
        "tstamp": {
            "d3TimeFormat": "%Y-%m-%d %H:%M:%S"
        }
    },
    "conditional_formatting": [],
    "extra_form_data": {},
    "granularity_sqla": "tstamp",
    "time_range": "No filter",
    "label_colors": {},
    "shared_label_colors": {},
    "extra_filters": [],
    "dashboardId": 65,
    "force": false,
    "result_format": "json",
    "result_type": "full",
    "include_time": false
}

params for that chart from the database:

{
  "adhoc_filters": [],
  "all_columns": [...],
  "color_pn": true,
  "column_config": {
    "operatorId": {
      "showCellBars": false
    },
    "tstamp": {
      "d3TimeFormat": "%Y-%m-%d %H:%M:%S"
    }
  },
  "conditional_formatting": [],
  "datasource": "76__table",
  "extra_form_data": {},
  "granularity_sqla": "tstamp",
  "groupby": [],
  "metrics": [],
  "order_by_cols": [
    "[\"tstamp\", false]"
  ],
  "order_desc": true,
  "percent_metrics": [],
  "query_mode": "raw",
  "row_limit": 50000,
  "server_page_length": 10,
  "show_cell_bars": false,
  "slice_id": 108,
  "table_timestamp_format": "smart_date",
  "time_grain_sqla": "P1D",
  "time_range": "No filter",
  "viz_type": "table"
}

I've removed the columns here, but I did verify that they match.

Comment From: betodealmeida

Thanks, let me try to repro it.

Comment From: xrdavies

For more info, I have tried to downgrade to 3.1.0, and it works well.

Comment From: lindenh

I had left a comment after the fact (though I probably should have created an issue earlier) on that here: https://github.com/apache/superset/pull/26749#issuecomment-1930672542 tl;dr: I think this is caused by mixed charts and saved metrics on big number charts.

Comment From: MickJerin12

We are encountering the same problem following an upgrade from V3.1.0 to V4.0.0rc1.

Most of the charts and all the filters are showing the following error: (Guest user cannot modify chart payload)

Comment From: avree

Same here - downgrade to 3.1.0 resolved it. Simple charts, such as our Table chart, are still working, but other visualizations such as the pie chart are not.

Comment From: ilndinesh

Same problem for us too

Comment From: ilndinesh

For now we had to comment out that raise error code on our local deploys, and it works as before.

Comment From: loretoparisi

For now we had to comment out that raise error code on our local deploys, and it works as before.

I'm getting this error on the main (master) branch, building with Docker. How can I revert that modification in the code without changing the whole code base?

Comment From: ilndinesh

For now we had to comment out that raise error code on our local deploys, and it works as before.

I'm getting this error on the main (master) branch, building with Docker. How can I revert that modification in the code without changing the whole code base?

You can add a patch step to your build to modify just that file with the changes you need. We did the same as a build step, by overwriting just that file with the updated file with commented/removed code.

Comment From: ilndinesh

Maybe an explicit superset flag to turn off this security feature will help. Thank you.

Comment From: loretoparisi

@ilndinesh source patched, it works. Definitely an env to be checked would be good, thanks.

Comment From: JurajBurian

Hello folks, is there any progress with the issue? Affected is everything from 3.1.1+. Maybe a partial rollback of 26749 is a temporary solution.

Comment From: jose-l-goncalves-alb

+1

+1 (version 3.0.4)

Comment From: tvc12

Same problem in version 4.1.0rc1. Reverting to 3.1.0 worked for me!

Comment From: enzo-dechaene

same from 3.0.3 to 3.0.4

Comment From: JurajBurian

We have other critical issue fixes in master (behind 4.1.0.rc1), but embedding is not working and it is also critical for us :-(.

Comment From: tycerch

Same from 2.1.0 to 3.1.1

Comment From: michael-s-molina

Fixed by https://github.com/apache/superset/pull/27484 @betodealmeida

Comment From: michael-s-molina

@betodealmeida Reopening the issue as it looks like the issue persists for some use cases even after https://github.com/apache/superset/pull/27484.

Comment From: talk2morris

Hello folks, please, how do I downgrade from 3.1.1 to 3.1.0?

Comment From: michael-s-molina

Hello folks, please, how do I downgrade from 3.1.1 to 3.1.0?

Hi @talk2morris. There are no migrations between 3.1.1 and 3.1.0. You can just download/point to the previous patch.

Comment From: michael-s-molina

It would be helpful if folks here could check if the issue persists after https://github.com/apache/superset/pull/27484 as @JurajBurian mentioned here. It would be helpful to determine if it's only a specific case that's still failing or if there are others. Given the nature of the bug, please provide as much detail as possible.

Comment From: rscarborough1996

@michael-s-molina I tested this using the apache/superset:735b895 docker image (correct me if I am wrong, but I believe that refers to the #27484 merge commit).

I am still getting the same error.

Comment From: talk2morris

Hello folks, please, how do I downgrade from 3.1.1 to 3.1.0?

Hi @talk2morris. There are no migrations between 3.1.1 and 3.1.0. You can just download/point to the previous patch.

@michael-s-molina thanks, actually I have downgraded to 3.1.0 and it solved the issue.

Comment From: JurajBurian

It would be helpful if folks here could check if the issue persists after #27484 as @JurajBurian mentioned here. It would be helpful to determine if it's only a specific case that's still failing or if there are others. Given the nature of the bug, please provide as much detail as possible.

I patched the latest docker image (manager.py also looks the same as current master) and I believe that the first change in my patch was correct. I replaced return True with return False on line 158 in the sanity check:

    # sanity checks
    if form_data is None or stored_chart is None:
        return False

This is probably correct, because in some cases one (or maybe both) of the values is None in the condition. And this patch was almost "correct", but for some cases a type cast exception then occurred, as I mentioned in my remark. I hope that my observation helps fix this bug. For now we use an almost [1] absolutely fresh image from master (it fixes other bugs) on production :-(.

[1] The latest image has another problem: some selects written in PostgreSQL dialect throw an exception, see my remark on Slack. @michael-s-molina should I raise an issue about this problem? Sorry if it is not a good place to ask a question like this.
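As an added illustration of two points raised in this thread (the request earlier to compare the dashboard's form_data against the chart's stored params, and the sanity check discussed just above), here is a stand-alone Python diagnostic. It is not Superset's own code: the RUNTIME_KEYS set, the function names and the sample payloads (with the elided column list replaced by placeholder names) are assumptions made for this example, and the fail-closed behaviour it keeps is the `return True` side of the change described above.

```python
"""Diagnostics for the "Guest user cannot modify chart payload" 403.

Added example for this thread; it is not Superset's implementation. The
RUNTIME_KEYS set, the function names and the sample payloads are assumptions
made for the illustration.
"""
from __future__ import annotations

import json
from typing import Any
from urllib.parse import parse_qs, urlsplit

# Keys a dashboard adds to form_data at request time that are not part of the
# saved chart definition. Assumption for this diagnostic only: Superset's own
# comparison may treat a different set of keys as ignorable.
RUNTIME_KEYS = {
    "url_params", "dashboardId", "force", "result_format", "result_type",
    "include_time", "extra_filters", "label_colors", "shared_label_colors",
    "extra_form_data", "temporal_columns_lookup",
}

# Constructed from the two payloads posted in this thread. The real column
# list was elided there, so placeholder column names are used.
REQUESTED_FORM_DATA: dict[str, Any] = {
    "datasource": "76__table", "viz_type": "table", "slice_id": 108,
    "url_params": {}, "query_mode": "raw", "groupby": [],
    "time_grain_sqla": "P1D", "temporal_columns_lookup": {}, "metrics": [],
    "all_columns": ["operatorId", "tstamp"], "percent_metrics": [],
    "adhoc_filters": [], "order_by_cols": ['["tstamp", false]'],
    "row_limit": 50000, "server_page_length": 10, "order_desc": True,
    "table_timestamp_format": "smart_date", "show_cell_bars": False,
    "color_pn": True,
    "column_config": {"operatorId": {"showCellBars": False},
                      "tstamp": {"d3TimeFormat": "%Y-%m-%d %H:%M:%S"}},
    "conditional_formatting": [], "extra_form_data": {},
    "granularity_sqla": "tstamp", "time_range": "No filter",
    "label_colors": {}, "shared_label_colors": {}, "extra_filters": [],
    "dashboardId": 65, "force": False, "result_format": "json",
    "result_type": "full", "include_time": False,
}

STORED_PARAMS: dict[str, Any] = {
    "adhoc_filters": [], "all_columns": ["operatorId", "tstamp"],
    "color_pn": True,
    "column_config": {"operatorId": {"showCellBars": False},
                      "tstamp": {"d3TimeFormat": "%Y-%m-%d %H:%M:%S"}},
    "conditional_formatting": [], "datasource": "76__table",
    "extra_form_data": {}, "granularity_sqla": "tstamp", "groupby": [],
    "metrics": [], "order_by_cols": ['["tstamp", false]'],
    "order_desc": True, "percent_metrics": [], "query_mode": "raw",
    "row_limit": 50000, "server_page_length": 10, "show_cell_bars": False,
    "slice_id": 108, "table_timestamp_format": "smart_date",
    "time_grain_sqla": "P1D", "time_range": "No filter", "viz_type": "table",
}


def diff_chart_payload(form_data: dict[str, Any],
                       stored_params: dict[str, Any]) -> dict[str, tuple[Any, Any]]:
    """Return {key: (requested, stored)} for every key whose value differs
    once request-only keys are dropped. Empty means the payloads agree."""
    diffs: dict[str, tuple[Any, Any]] = {}
    for key in (set(form_data) | set(stored_params)) - RUNTIME_KEYS:
        requested, stored = form_data.get(key), stored_params.get(key)
        if requested != stored:
            diffs[key] = (requested, stored)
    return diffs


def query_context_modified(form_data: dict[str, Any] | None,
                           stored_params: dict[str, Any] | None) -> bool:
    """Fail-closed form of the sanity check discussed above: when either side
    is missing the request cannot be proven unmodified, so treat it as
    modified. Returning False there instead admits an unverifiable request."""
    if form_data is None or stored_params is None:
        return True
    return bool(diff_chart_payload(form_data, stored_params))


def parse_request_target(request_target: str) -> tuple[int | None, int | None]:
    """Extract (slice_id, dashboard_id) from a /api/v1/chart/data request
    target as it appears in the access log, to pair a 403 with its chart."""
    query = parse_qs(urlsplit(request_target).query)
    slice_id = None
    if "form_data" in query:
        slice_id = json.loads(query["form_data"][0]).get("slice_id")
    dashboard_id = int(query["dashboard_id"][0]) if "dashboard_id" in query else None
    return slice_id, dashboard_id


if __name__ == "__main__":
    print("differences:", diff_chart_payload(REQUESTED_FORM_DATA, STORED_PARAMS))
    print("modified?", query_context_modified(REQUESTED_FORM_DATA, STORED_PARAMS))
    print(parse_request_target(
        "/api/v1/chart/data?form_data=%7B%22slice_id%22%3A108%7D&dashboard_id=65"))
```

Run it against a real pair by pasting the form_data from the browser's network tab and the chart's params row from the database; a non-empty difference points at the key that trips the guard, while an empty one (as with the thread's payloads) means the mismatch is somewhere the simple key comparison does not see.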

Comment From: michael-s-molina

I patched the latest docker image (manager.py also looks the same as current master) and I believe that the first change in my patch was correct. I replaced return True with return False on line 158 in the sanity check:

Thanks for the details @JurajBurian. Please open a specific issue for the Postgres problem.

Comment From: betodealmeida

Taking a look.

Comment From: michael-s-molina

Thanks @betodealmeida for the fix 🙏🏼

Comment From: rscarborough1996

I tested this using the apache/superset:36290ce docker image and it seems to have fixed the issue!

Comment From: guga-kudos

Downgrading to 3.1.0 worked for me as well. Waiting for 3.2.0 or 3.1.2 to be released. Do we have any dates on that? 😄

Comment From: sandeepr43

Same issue here....

I had to downgrade my superset version from 3.1.1 to 3.1.0.

It sucks, as version 3.1.1 has resolved some bugs like "Full screen error" in the embedded UI.

Comment From: rusackas

Downgrading to 3.1.0 worked for me as well. Waiting for 3.2.0 or 3.1.2 to be released. Do we have any dates on that? 😄

3.1.2 is up for testing/voting now (as is 4.0, incidentally)

Comment From: Attachai77

I got the same issue (v 4.0). [screenshots not captured]

Comment From: enzo-dechaene

Hi @Attachai77, I don't know if this is a solution but I solved the problem by removing the "datasource access on table..." right on my specific role.

Comment From: Attachai77

Hello @enzo-dechaene, thank you for your reply. Below are my permissions, which don't include any "datasource access on table...". Could you please show me your guest permissions that work, or tell me which of my permissions is wrong? Thanks.

[screenshot not captured]

Comment From: enzo-dechaene

It fixed the problem for me. Can you check using the Gamma role instead? It will help to know if it's a role problem.

Comment From: Attachai77

I will try it.

Comment From: justin-tomlinson

@Attachai77 I was testing the v4.0 docker image and imported some dashboards from v3.1.0 and still see the issue on some charts. I then opened the problem charts in Explore and saved them again (no changes, just save) and they appear to work ok. So maybe something is persisted in the chart definition somewhere.

Comment From: Attachai77

@justin-tomlinson I did it, but it doesn't work. The same error. 😭

Comment From: gabrielheck

I encountered the issue "Guest user cannot modify chart payload" in version 4.0 after importing dashboards from version 3.1. To resolve this, I opened the affected chart and saved it again. I believe there is a minor difference in the chart data structure between these versions that causes this error. Notably, this issue occurs only with the Pie Chart and Big Number chart.

Comment From: stockarea

Apache Superset Error on embedded dashboard after upgrading to 3.1.1:

In embedding I am getting the same issue. I even tried to generate a guest token for my user having the admin role, and I still get the same issue.

Comment From: rusackas

If you're still encountering this in current versions, please add additional context here: https://github.com/apache/superset/issues/28446

Comment From: StaSotiro

For me this was resolved by upgrading to 4.0.2 from 3.1.1

Comment From: marianysilva

Workaround: You can open the Chart using Superset Interface, load the data, and then go to your Embedded dashboard and reload it. It should work.

FROM apache/superset:4.0.2-py310


Comment From: natwar585

Same here - downgrade to 3.1.0 resolved it. Simple charts, such as our Table chart, are still working, but other visualizations such as the pie chart are not.

How do I resolve this issue?

Comment From: natwar585

The pie chart is not rendered in my Angular application, and the filter also shows the error: Cannot load filter Guest user cannot modify chart payload

Comment From: natwar585

Bug description

After upgrading from 3.1.0 to 3.1.1, dashboards and filters no longer work and give this error: "Guest user cannot modify chart payload". I didn't change any permissions, and I even tried changing GUEST_ROLE_NAME to "Admin", but it still didn't work. I can see that the POST request to /api/v1/chart/data is coming back with 403, but I can't tell what is causing it.

How to reproduce the bug

Using the Docker 3.1.1 image:

1. Create an embedded dashboard app
2. Try to use it

Screenshots/recordings

No response

Superset version

3.1.1

Python version

I don't know

Node version

I don't know

Browser

Chrome

Comment From: danilobraga-loft

@natwar585 did you resolve this issue? I believe I have a similar scenario; I always get "Guest user cannot modify chart payload".

here are my configs in case any of you have a clue:

# Embedded
PUBLIC_ROLE_LIKE_GAMMA = True
FEATURE_FLAGS = {"EMBEDDED_SUPERSET": True}

ENABLE_CORS = True
CORS_OPTIONS = {
    "supports_credentials": True,
    "allow_headers": ["Content-Type", "Authorization", "X-CSRFToken"],
    "resources": ["*"],
    "origins": [
        "https://myappid-on.ngrok-free.app"
    ],
    "methods": ["GET", "POST", "OPTIONS"],
}

HTTP_HEADERS = {
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "frame-ancestors *",
}

SESSION_COOKIE_SAMESITE = None 
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = False

GUEST_ROLE_NAME = "Gamma"
GUEST_TOKEN_JWT_ALGO = "HS256"
GUEST_TOKEN_HEADER_NAME = "X-GuestToken"
GUEST_TOKEN_JWT_AUDIENCE = "https://myappid-on.ngrok-free.app"


# TALISMAN CONFIGURATIONS
TALISMAN_ENABLED = False
WTF_CSRF_ENABLED = False
# Embedded End
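The config above disables several protections (Talisman, CSRF, the HttpOnly session cookie flag) and opens framing to any origin, none of which is what the guest-token check is about. As an added example, not the commenter's config and not Superset's own code, the script below audits such an embedded-Superset config dict for those weak settings and shows a hardened counterpart. The WEAK_CONFIG values mirror the ones posted above with the ngrok origin replaced by a placeholder; the thresholds, the `audit_embedded_config` name and the shape of HARDENED_CONFIG are this example's assumptions, to be checked against the docs for your Superset version.

```python
"""Audit an embedded-Superset config dict for settings that weaken it.

Added example for this thread; it is neither Superset's code nor the config
posted above. Thresholds and the hardened config shape are assumptions.
"""
from __future__ import annotations

from typing import Any

PLACEHOLDER_ORIGIN = "https://host-app.example"  # constructed placeholder

# Mirrors the values posted in the comment above (origin replaced); the
# excerpt there did not include a GUEST_TOKEN_JWT_SECRET, so none is set here.
WEAK_CONFIG: dict[str, Any] = {
    "FEATURE_FLAGS": {"EMBEDDED_SUPERSET": True},
    "TALISMAN_ENABLED": False,
    "WTF_CSRF_ENABLED": False,
    "SESSION_COOKIE_SAMESITE": None,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": False,
    "HTTP_HEADERS": {
        "X-Frame-Options": "ALLOWALL",
        "Content-Security-Policy": "frame-ancestors *",
    },
    "CORS_OPTIONS": {"origins": [PLACEHOLDER_ORIGIN], "supports_credentials": True},
    "GUEST_ROLE_NAME": "Gamma",
}

# Suggested hardened counterpart (assumption: keep the rest of Superset's
# default TALISMAN_CONFIG directives and change only frame-ancestors).
HARDENED_CONFIG: dict[str, Any] = {
    "FEATURE_FLAGS": {"EMBEDDED_SUPERSET": True},
    "TALISMAN_ENABLED": True,
    "TALISMAN_CONFIG": {
        "content_security_policy": {"frame-ancestors": ["'self'", PLACEHOLDER_ORIGIN]},
    },
    "WTF_CSRF_ENABLED": True,          # exempt single endpoints via WTF_CSRF_EXEMPT_LIST if needed
    "SESSION_COOKIE_SAMESITE": None,   # a cross-site iframe needs SameSite=None ...
    "SESSION_COOKIE_SECURE": True,     # ... which browsers only honour together with Secure
    "SESSION_COOKIE_HTTPONLY": True,
    "CORS_OPTIONS": {"origins": [PLACEHOLDER_ORIGIN], "supports_credentials": True},
    "GUEST_ROLE_NAME": "Gamma",
    # placeholder only; load a long random value from your secret store
    "GUEST_TOKEN_JWT_SECRET": "REPLACE-WITH-A-LONG-RANDOM-SECRET-FROM-YOUR-SECRET-STORE",
    "GUEST_TOKEN_JWT_EXP_SECONDS": 300,
}


def audit_embedded_config(cfg: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (setting, why it matters) pairs for every weak setting found."""
    findings: list[tuple[str, str]] = []
    if not cfg.get("TALISMAN_ENABLED", True):
        findings.append(("TALISMAN_ENABLED", "Talisman off: no CSP or other security headers are sent"))
    if not cfg.get("WTF_CSRF_ENABLED", True):
        findings.append(("WTF_CSRF_ENABLED", "CSRF protection disabled for every endpoint"))
    if not cfg.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append(("SESSION_COOKIE_HTTPONLY", "session cookie readable from page scripts"))
    if cfg.get("SESSION_COOKIE_SAMESITE") is None and not cfg.get("SESSION_COOKIE_SECURE", False):
        findings.append(("SESSION_COOKIE_SECURE", "SameSite=None cookies are dropped by browsers unless Secure"))
    headers = cfg.get("HTTP_HEADERS", {})
    if str(headers.get("X-Frame-Options", "")).upper() == "ALLOWALL":
        findings.append(("HTTP_HEADERS.X-Frame-Options", "ALLOWALL is not a defined value; browsers ignore it"))
    if "frame-ancestors *" in str(headers.get("Content-Security-Policy", "")):
        findings.append(("HTTP_HEADERS.Content-Security-Policy", "any site may frame Superset; list the embedding origin"))
    cors = cfg.get("CORS_OPTIONS", {})
    if "*" in cors.get("origins", []) and cors.get("supports_credentials"):
        findings.append(("CORS_OPTIONS.origins", "wildcard origin combined with credentials"))
    if cfg.get("GUEST_ROLE_NAME", "Public") == "Admin":
        findings.append(("GUEST_ROLE_NAME", "every guest token would carry Admin rights"))
    secret = cfg.get("GUEST_TOKEN_JWT_SECRET") or ""
    if len(secret) < 32:
        findings.append(("GUEST_TOKEN_JWT_SECRET", "unset or short: guest tokens are only as strong as this key"))
    if cfg.get("GUEST_TOKEN_JWT_EXP_SECONDS", 300) > 3600:
        findings.append(("GUEST_TOKEN_JWT_EXP_SECONDS", "guest tokens live longer than an hour"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_embedded_config(cfg))} finding(s)")
        for setting, reason in audit_embedded_config(cfg):
            print(f"  {setting}: {reason}")
```

The point of the comparison is that none of the weakened settings affects the "Guest user cannot modify chart payload" check, which fires in `raise_for_access` on the payload comparison; they can be restored without changing whether the chart loads.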

Comment From: isaac868

I am encountering this issue when attempting to change the time grain of an embedded dashboard. I haven't migrated my charts or dashboard from an earlier version; they were all made in 4.1.1. My other filters work as expected. Why is the guest user prevented from changing the time grain? Would it make sense to allow an admin to select which metrics can be changed by the guest user's query on chart creation? A config option to disable these checks would also be helpful. Thanks

Comment From: singhs124

We are still facing same issue on superset 4.0.2 version.

Comment From: danfer

I was having the same issue, showing that error; fixed by using GUEST_ROLE_NAME = "Gamma".