4.0.2 - Imported charts shows error on embedding (Guest user cannot modify chart payload) #31872

Open
3 tasks done
choumiwail opened this issue Jan 15, 2025 · 5 comments
Labels: authentication:access-control (Related to access control), authentication (Related to authentication), embedded

Comments

@choumiwail

Bug description
"Guest user cannot modify chart payload" error is displayed for imported charts.

Screenshots/recordings

How to reproduce the bug
I embedded Apache Superset in the web application (Spring Boot and Angular) with authentication. After connection, the superset is displayed without the charts and in the browser logs, I get a 403.

Here is a print screen of the error:

Image

Image

Can you help me?

Superset version
4.0.2

Python version
3.9

Spring Boot
3.1.4

Angular
16

Browser
Firefox

Superset version

4.0.2

Python version

3.9

Node version

16

Browser

Firefox

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
@dosubot dosubot bot added authentication Related to authentication embedded labels Jan 15, 2025

dosubot bot commented Jan 15, 2025

Hey @choumiwail! I'm here to help you with the issue you're experiencing. I can assist with bug solving, answering questions, and more while you wait for a human maintainer.

I found a similar issue regarding the "Guest user cannot modify chart payload" error when embedding charts in Apache Superset. The error typically occurs when the guest user attempts to modify the chart ID, metrics, columns, or other form data, which is not allowed.

To resolve this issue, ensure that the form data being sent by the guest user matches the stored parameters for the chart. Here are some key points to check:

  1. Chart ID Consistency: Ensure that the slice_id in the form data matches the expected chart ID. For example, if the stored chart ID is 65, the form data should also have "slice_id": 65.

  2. Metrics and Columns Consistency: Ensure that the metrics and columns in the form data are not tampered with. They should match the stored metrics and columns for the chart.

  3. Avoid Tampering: Ensure that the form data sent by the guest user is not altered from what is stored, as any modification will raise a SupersetSecurityException.

Additionally, ensure that you have properly configured the guest token authentication. This involves:

  • Activating the EMBEDDED_SUPERSET feature flag.
  • Setting a strong password in the GUEST_TOKEN_JWT_SECRET configuration variable.
  • Using the POST /security/guest_token endpoint to create a guest token with the necessary permissions and passing it to your frontend [1][2].

By ensuring that the guest user's request payload is consistent with the stored chart parameters and properly configuring guest token authentication, you should be able to avoid the 403 Forbidden error.

To continue talking to Dosu, mention @dosu.
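
As an added illustration of the consistency check described in the comment above (not Superset's code and not part of the thread), this sketch compares a guest request's form data with a chart's stored parameters and reports which field would count as modified. The function names, the `GUARDED_FIELDS` list and the sample chart are assumptions constructed for the example.

```python
import json

# Fields the comment above says a guest may not change. Assumed key names;
# this is not the list Superset itself uses.
GUARDED_FIELDS = ("metrics", "columns")


def _canonical(value):
    """Order-insensitive form of a field; None, missing and [] compare equal."""
    if value is None:
        return frozenset()
    items = value if isinstance(value, list) else [value]
    return frozenset(json.dumps(item, sort_keys=True) for item in items)


def guest_payload_mismatches(chart_id, stored_params, form_data):
    """Return (field, stored, requested) for every guarded value that differs."""
    if isinstance(stored_params, str):  # accept params serialized as JSON text
        stored_params = json.loads(stored_params or "{}")
    mismatches = []
    requested_id = form_data.get("slice_id")
    if requested_id != chart_id:
        mismatches.append(("slice_id", chart_id, requested_id))
    for field in GUARDED_FIELDS:
        stored, requested = stored_params.get(field), form_data.get(field)
        if _canonical(stored) != _canonical(requested):
            mismatches.append((field, stored, requested))
    return mismatches


# Constructed sample: chart 65 as stored, and three guest requests.
STORED = json.dumps({"metrics": ["count"], "columns": ["country", "year"]})
REQUESTS = {
    "unchanged": {"slice_id": 65, "metrics": ["count"], "columns": ["year", "country"]},
    "extra_metric": {"slice_id": 65, "metrics": ["count", {"label": "sum_x"}],
                     "columns": ["country", "year"]},
    "other_chart": {"slice_id": 12, "metrics": ["count"], "columns": ["country", "year"]},
}

if __name__ == "__main__":
    for name, form_data in REQUESTS.items():
        found = guest_payload_mismatches(65, STORED, form_data)
        print(name, "->", "would be rejected" if found else "ok", found)
```

Running the same comparison against the request body captured in the browser's network tab and the chart's stored parameters shows which field differs when the 403 appears.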

@dosubot dosubot bot added the authentication:access-control Related to access control label Jan 15, 2025
@choumiwail
Author

Hey @dosu After opening a chart in Superset and refreshing the page where Superset is integrated, I've noticed that the chart is displayed correctly and that the ‘Guest user cannot modify chart payload’ error no longer appears.

The 'EMBEDDED_SUPERSET' is activated and the guest token is generated.


dosubot bot commented Jan 15, 2025

Hey @choumiwail! I'm glad to hear that the error no longer appears after refreshing the page. It sounds like things are working smoothly now. If you have any more technical questions or need help with bugs, feel free to ask. If you think I should have addressed something else, you can always reach out to the Dosu Team. 😊


@choumiwail
Author

@dosu I don't understand why, after the page has been refreshed, the charts are still displayed.


dosubot bot commented Jan 15, 2025

After a page refresh, the charts are still displayed because the guest token mechanism in Apache Superset maintains session state across page interactions. When you refresh the page, the guest token is used to authenticate the user as an anonymous user with the specified permissions and access rights. This ensures that the user's session remains consistent, allowing the charts to be displayed correctly without encountering the "Guest user cannot modify chart payload" error [1][2].
