callum-jones19 opened a new issue, #31513: URL: https://github.com/apache/superset/issues/31513
### Bug description

The bug involves a user without the admin or sql_lab roles being allowed to access the SQLLab editor page. When on this page, they are unable to do anything, as the backend correctly refuses to send through any data to an unauthenticated account. However, the user is not redirected off this page as intended, and instead is presented with an Unexpected Error header.

To achieve this bug:

1. Log into Superset with a non-administrator account who does not have the sql_lab role, but who can access the create dataset page.
2. Click on the Datasets header button to go to the /tablemodelview/list/ URL.
3. Click on the "+ Dataset" button to go to the /dataset/add page.
4. Click on the link embedded in the empty dataset source page that says "create dataset from SQL query".

The expected behavior here (as occurred in previous Superset versions) is that the user gets redirected to the home page with an "Access denied" toast notifying them of their insufficient permissions. The observed behavior is that they stay on this page, which is marked with an Unexpected Error header.

Attached below are the screenshots as the error occurs/appears in the master branch, using the `docker-compose-non-dev.yml` docker compose file. That is, the errors displayed in the screenshots are what appears in production.

### Screenshots/recordings

### Superset version

master / latest-dev

### Python version

3.10

### Node version

16

### Browser

Firefox

### Additional context

I narrowed the bug down specifically to commit 5ab1e7eae45b789c08c0b99612b4a410bbb986b8, to the changes made in the following file: `superset-frontend/src/features/datasets/AddDataset/DatasetPanel/MessageContent.tsx`. Specifically, changing the span that `onClick` redirected the page to /superset/sqllab into a SPA react-router link. This SPA `<Link>` component appears to skip the permissions check, allowing the user onto the SQLLab page, although I am unsure why.
This can be verified by refreshing the broken SQLLab page, or reverting the `<Link>` into an `<a>` element, which causes Superset to correctly re-route the user to the home page.

### Checklist

- [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
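One model consistent with the behaviour in this report, as an added example that is not part of the original issue and is not Superset code: a full page load passes through a server-side role check, a client-side navigation does not, and a router guard restores the redirect. The route table, the home path `/`, the `dataset_creator` role and all function names are assumptions for illustration.

```javascript
// Simplified model of the behaviour in the report (constructed, not Superset code).
const REQUIRED_ROLE = { "/dataset/add": null, "/superset/sqllab": "sql_lab" };
const HOME = "/"; // hypothetical home path

// Deny by default: unknown paths have no entry and are refused.
function allowed(user, path) {
  const role = REQUIRED_ROLE[path];
  return role === null || user.roles.includes(role);
}

// Full page load (<a href> or refresh): the request reaches the server,
// which redirects to the home page with an "Access denied" message.
function serverPage(user, path) {
  return allowed(user, path)
    ? { status: 200, page: path }
    : { status: 302, page: HOME, toast: "Access denied" };
}

// Data request made by a page once it is mounted; refused without the role.
function serverApi(user, path) {
  return allowed(user, path) ? { status: 200 } : { status: 403 };
}

// Client-side navigation (<Link>): no page request is sent, so serverPage()
// never runs. Without a guard the view mounts and only its data call fails.
// The guard only fixes the redirect; serverApi() remains the real control.
function spaNavigate(user, path, guard = null) {
  if (guard && !guard(user, path)) return { page: HOME, toast: "Access denied" };
  const api = serverApi(user, path);
  return api.status === 200
    ? { page: path, toast: null }
    : { page: path, toast: null, header: "Unexpected Error" };
}

const viewer = { roles: ["dataset_creator"] }; // constructed account without sql_lab
console.log(serverPage(viewer, "/superset/sqllab"));           // redirected home
console.log(spaNavigate(viewer, "/superset/sqllab"));          // stays on broken page
console.log(spaNavigate(viewer, "/superset/sqllab", allowed)); // redirected home
```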
