
Add buttons are available for user with no rights #30927

Open
3 tasks done
casmoir opened this issue Nov 15, 2024 · 4 comments
Labels
authentication:access-control Related to access control

Comments

casmoir commented Nov 15, 2024

Bug description

I've created a custom role with no rights.

After logging in, a user with this role is taken to the page superset/welcome/, where he can see the buttons "+ DASHBOARD" and "+ CHART".

After clicking on these buttons the user gets the notification "Access is Denied".

Expectation: the user can see the buttons "+ DASHBOARD" and "+ CHART" only if he has the right to create a Dashboard/Chart.

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
@dosubot dosubot bot added the authentication:access-control Related to access control label Nov 15, 2024

dosubot bot commented Nov 15, 2024

Hey @casmoir! I'm here to help you with any issues or questions you have. I'm a bot designed to assist with bug resolution, answer queries, and guide you on how to contribute. Let's dive into solving the problem you've encountered!

The issue you're experiencing, where users without the appropriate permissions can see the "+ DASHBOARD" and "+ CHART" buttons, seems to be related to how Superset handles the visibility of UI elements based on user roles and permissions.

In Superset, the visibility of UI components is typically controlled by checking user permissions before rendering them. However, it appears that the logic for these specific buttons might not be correctly implemented to hide them for users without the necessary permissions. This could be a bug in the permission-checking logic for these buttons.

To address this, you might want to look into the code responsible for rendering these buttons and ensure that it includes proper permission checks. The functions canUserEditDashboard and userHasPermission are examples of how permissions are typically checked in Superset [1]. These functions ensure that only users with the appropriate permissions can perform certain actions or see specific UI elements.

If you're comfortable with code, you could investigate the relevant components in the Superset codebase to see if similar permission checks are missing for the "+ DASHBOARD" and "+ CHART" buttons. If not, this might be something to report as a bug to the maintainers for further investigation.

To continue talking to Dosu, mention @dosu.


casmoir commented Nov 27, 2024

@dosu thanks for your answer, but it doesn't solve my issue


dosubot bot commented Nov 27, 2024

The issue you're facing might be due to missing permission checks for the "+ DASHBOARD" and "+ CHART" buttons. In Superset, permissions are typically enforced through functions that check user roles and permissions before allowing access to certain UI elements. However, it seems these checks might not be correctly implemented for these buttons.

To resolve this, you would need to ensure that the code responsible for rendering these buttons includes proper permission checks. Specifically, the buttons should only be visible to users who have the necessary permissions to create dashboards and charts. This typically involves checking if the user has the 'can_write' permission for the 'Dashboard' and 'Dataset' views, respectively [1][2].

If you're able to modify the code, you could add these permission checks to the components responsible for rendering the buttons. If not, this might be something to report as a bug to the maintainers for further investigation.

To continue talking to Dosu, mention @dosu.
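The gate the bot describes, written out as an added example (this is not Superset's own code). It assumes the user's roles arrive in the shape `{ roleName: [[permission, view], ...] }`; the names `hasPermission` and `welcomeAddButtons` and the sample users are this example's own.

```javascript
// Added example, not Superset's own code: decide which "add" buttons to
// render on the welcome page from the user's role permissions.
// Assumed role shape: { roleName: [[permissionName, viewMenuName], ...] }.

// Return true only if at least one role grants `perm` on `view`.
// A missing or malformed roles object is treated as "no permission"
// rather than throwing, so a user with no roles gets a clean deny.
function hasPermission(roles, perm, view) {
  if (!roles || typeof roles !== 'object') return false;
  return Object.values(roles).some(
    perms =>
      Array.isArray(perms) &&
      perms.some(entry => Array.isArray(entry) && entry[0] === perm && entry[1] === view),
  );
}

// Buttons to show: "+ DASHBOARD" needs can_write on Dashboard,
// "+ CHART" needs can_write on Dataset (as suggested in the thread).
function welcomeAddButtons(roles) {
  const buttons = [];
  if (hasPermission(roles, 'can_write', 'Dashboard')) buttons.push('+ DASHBOARD');
  if (hasPermission(roles, 'can_write', 'Dataset')) buttons.push('+ CHART');
  return buttons;
}

// Constructed sample users for illustration.
const noRightsUser = { roles: { NoRights: [] } }; // custom role with no rights
const noRolesUser = { roles: {} };                // user with no roles at all
const editorUser = {
  roles: {
    Editor: [
      ['can_write', 'Dashboard'],
      ['can_read', 'Dataset'],
    ],
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(welcomeAddButtons(noRightsUser.roles)); // []
  console.log(welcomeAddButtons(noRolesUser.roles));  // []
  console.log(welcomeAddButtons(editorUser.roles));   // [ '+ DASHBOARD' ]
}
```

Hiding the buttons only fixes the user experience; the server-side authorization check that currently returns "Access is Denied" is what actually prevents the create and must stay in place.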

@anantmulchandani

Hey @casmoir.
I see a 500 internal server error if the user has no roles.
What Superset version are you using and what is your auth method?
