Bug description

Without "can time range on Api", a click on a custom filter redirects to the login page.

How to reproduce the bug

https://github.com/user-attachments/assets/5412ab7d-1683-40af-93d0-ee040bc9b7b2

Screenshots/recordings

No response

Superset version

4.0.2

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

The issue you're encountering is likely due to missing permissions for the "can time range on Api" feature. This permission is required for users to access the time_range method in the API, which is essential for handling custom filters. Without this permission, the system redirects the user to the login page.

To resolve this, ensure that the user has the necessary permissions. The "can time range on Api" permission is available to users with the Admin, Alpha, and Gamma roles, but not to users with the SQL_LAB role [1][2].

You can assign the appropriate role to the user or explicitly grant the "can time range on Api" permission to their current role.

Comment From: Suvendu-UI

Is this issue resolved?

Comment From: xavier-GitHub76

In the absence of permission ("can time range on Api" or others), it would be preferable to have an error message rather than a redirection to the login page.

Comment From: rusackas

Is anyone still facing this? I think we'd be open to a PR, and I'm on the fence about whether or not this is a bug.

Maybe it's worth a wider audit of which API requests should throw errors rather than redirection, but I think as it stands, a 401 redirects and a 403 does not. Or at least, that seems like how it should work, but that could use validation.

Comment From: xavier-GitHub76

With Superset 5.0.0-RC2, "Access is denied" is displayed without redirection.

Comment From: rusackas

Seems like we're good in 5.0, so I'll close this, but say the word if there's more to tackle here!