Bug description
Steps to Reproduce:
- Create a chart with a specific Time Grain set.
- Add the chart to a dashboard.
- Inside the dashboard, create a Time Grain filter.
- Embed the dashboard and apply a Time Grain filter different from the default Time Grain of the chart.
Expected Behavior:
The chart should update according to the selected Time Grain filter in the embedded dashboard.
Actual Behavior:
An error message appears: Guest user cannot modify chart payload.
Screenshots/recordings
Chart with default Time Grain:
Embedded Dashboard with same Time Grain
Embedded Dashboard with different Time Grain from the default Time Grain of the chart.
Superset version
master / latest-dev
Python version
3.10
Node version
16
Browser
Chrome
Additional context
I also tried granting all permissions to the role of the user embedding the dashboard.
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
Hey @guidobonuzzi! I'm here to help you with any bugs or questions you have about the issue you posted. Let's work together to solve this!
To resolve the "Guest user cannot modify chart payload" error when applying a Time Grain filter different from the default in an embedded Superset dashboard, you need to ensure that the user is not a guest user or that the query context is not modified. The error occurs because guest users are restricted from modifying the chart payload, which includes changing filters like the Time Grain.
Here are some steps you can take:
-
Authenticate the User: Ensure that the user accessing the dashboard is authenticated and not a guest user. Implement a proper authentication mechanism in your application that embeds the Superset dashboard.
-
Avoid Modifying the Query Context: If the user must remain a guest, ensure that the query context is not modified from what is saved in the dashboard. This means using the default settings and filters as configured in the dashboard without making changes.
If neither of these solutions is feasible, you may need to adjust your application logic to handle user roles and permissions more effectively, ensuring that only authenticated users can make such modifications [1].
To continue talking to Dosu, mention @dosu.
Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other
Comment From: rusackas
Hmm... I thought all this "Guest user cannot modify chart payload" was behind us after some fixes that @betodealmeida provided a while back. Can you validate if this is happening on the 5.0.0 release candidate? If so @sadpandajoe or @michael-s-molina might want to add it to the project board for a 5.0.1 patch.
Comment From: guidobonuzzi
Hi @rusackas, thanks for getting back to me. I tried with version 5.0.0rc1, but I’m still experiencing the same behavior.
Comment From: rusackas
We'll take a look to see if it's a new regression in 5.0, or something we can fix in general.
Comment From: guidobonuzzi
The issue is present in versions 4.1.2rc1 and 5.0.0.rc1 but is not present in 4.0.2. Thank you.
Comment From: lakako
it can be reproduce on rev 629b137bb00b87d6d7345cbae0b1b8d3dc439598
Just setup a new superset instance and share 'COVID Vaccine Dashboard'
comment this line will temporary solve this
# superset/security/manager.py
if not queries_values.issubset(stored_values):
return True
Comment From: rusackas
@betodealmeida added that safety check. While commenting it out might work in this case, I'm not sure what else you might be exposing yourself too. Perhaps they have an idea for a better fix here.