Bug description

The bug is: As long as there is permission to "can get results on SQLLAB", data in results can be downloaded and copied, even though the "can export csv on SQLLab" permission has been revoked.

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

Hi @IMYR666! I'm Dosu and I’m helping the superset team.

This is a confirmed limitation in Superset: if a user has the "can get results on SQLLAB" permission, they can view, copy, and download data from SQLLab results, even if the "can export csv on SQLLab" permission is revoked. The frontend checks "can_export_csv" for both the "Download to CSV" and "Copy to Clipboard" buttons, so revoking it hides those options in the UI, but there is no separate permission for copying data—it's gated by the same export permission. The backend only enforces "can get results" for fetching data and does not restrict copying or downloading beyond what the frontend controls. There is currently no granular way to prohibit copying data separately from exporting CSV; users with access to results can always copy visible data as long as they can view it in the browser.

Comment From: IMYR666

How does the frontend disable the "Copy the current data" and "Download to CSV" functions in the results table? @dosu.

Comment From: IMYR666

Additional Information: The version I am currently using is 5.0.0.

Comment From: rusackas

Per @sadpandajoe's suggestion, we need to figure out when this was added and suss out the intent. We should also probably add documentation around this and other permissions to explicitly state their purpose, and how they combine/interact with other settings.
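
The behaviour described in the dosubot comment above, modelled as an added example (not Superset's code and not written by anyone in this thread): the UI hides both buttons on `can_export_csv`, while the results fetch checks only `can_get_results`. The permission names come from the thread; the `User` class, the function names, the sample rows and the server-side check in `export_csv` are assumptions made for illustration.

```python
# Constructed model of the permission split described in the thread.
# Only the two permission names come from the page; the rest is hypothetical.
from dataclasses import dataclass, field

ROWS = [{"id": 1, "email": "a@example.com"},   # constructed sample result set
        {"id": 2, "email": "b@example.com"}]

class Forbidden(Exception):
    pass

@dataclass
class User:
    name: str
    perms: set = field(default_factory=set)

def ui_controls(user):
    """Frontend gating: both buttons depend on can_export_csv."""
    show = "can_export_csv" in user.perms
    return {"download_csv": show, "copy_to_clipboard": show}

def get_results(user):
    """Results fetch: only can_get_results is checked."""
    if "can_get_results" not in user.perms:
        raise Forbidden("can_get_results required")
    return ROWS  # full rows reach the browser whatever the export permission

def export_csv(user):
    """Hypothetical export route that checks can_export_csv on the server."""
    if "can_export_csv" not in user.perms:
        raise Forbidden("can_export_csv required")
    rows = get_results(user)
    lines = [",".join(rows[0])]  # header from the first row's keys
    lines += [",".join(str(v) for v in r.values()) for r in rows]
    return "\n".join(lines)

def effective_access(user):
    """Compare what the UI offers with what the server hands over."""
    try:
        rows_reachable = len(get_results(user))
    except Forbidden:
        rows_reachable = 0
    try:
        export_csv(user)
        csv_allowed = True
    except Forbidden:
        csv_allowed = False
    return {"ui": ui_controls(user), "rows_reachable": rows_reachable,
            "csv_allowed": csv_allowed}
```

For a user holding only `can_get_results`, both buttons are hidden and the modelled export route refuses, yet every row is still delivered to the browser, which is the gap the report describes.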