Error on embedded dashboard after upgrading to 3.1.1: "Guest user cannot modify chart payload" #27177

Closed
3 tasks done
rscarborough1996 opened this issue Feb 20, 2024 · 54 comments · Fixed by #27566

@rscarborough1996

Bug description

After upgrading from 3.1.0 to 3.1.1, dashboards and filters no longer work and give this error: "Guest user cannot modify chart payload". I didn't change any permissions, and I even tried changing GUEST_ROLE_NAME to "Admin", but it still didn't work. I can see that the POST request to /api/v1/chart/data is coming back with 403, but I can't tell what is causing it.

How to reproduce the bug

Using the Docker 3.1.1 image:

  1. Create an embedded dashboard app
  2. Try to use it

Screenshots/recordings

No response

Superset version

3.1.1

Python version

I don't know

Node version

I don't know

Browser

Chrome

Additional context

Logs:

    SupersetErrorException
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
        rv = self.dispatch_request()
      File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
        return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
      File "/usr/local/lib/python3.9/site-packages/flask_appbuilder/security/decorators.py", line 95, in wraps
        return f(self, *args, **kwargs)
      File "/app/superset/views/base_api.py", line 127, in wraps
        raise ex
      File "/app/superset/views/base_api.py", line 121, in wraps
        duration, response = time_function(f, self, *args, **kwargs)
      File "/app/superset/utils/core.py", line 1463, in time_function
        response = func(*args, **kwargs)
      File "/app/superset/utils/log.py", line 255, in wrapper
        value = f(*args, **kwargs)
      File "/app/superset/charts/data/api.py", line 235, in data
        command.validate()
      File "/app/superset/commands/chart/data/get_data_command.py", line 68, in validate
        self._query_context.raise_for_access()
      File "/app/superset/common/query_context.py", line 137, in raise_for_access
        self._processor.raise_for_access()
      File "/app/superset/common/query_context_processor.py", line 754, in raise_for_access
        security_manager.raise_for_access(query_context=self._query_context)
      File "/app/superset/security/manager.py", line 1960, in raise_for_access
        raise SupersetSecurityException(
    superset.exceptions.SupersetSecurityException: Guest user cannot modify chart payload
    2024-02-20 19:57:34,465:WARNING:superset.views.base:SupersetErrorException
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
        rv = self.dispatch_request()
      File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
        return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
      File "/usr/local/lib/python3.9/site-packages/flask_appbuilder/security/decorators.py", line 95, in wraps
        return f(self, *args, **kwargs)
      File "/app/superset/views/base_api.py", line 127, in wraps
        raise ex
      File "/app/superset/views/base_api.py", line 121, in wraps
        duration, response = time_function(f, self, *args, **kwargs)
      File "/app/superset/utils/core.py", line 1463, in time_function
        response = func(*args, **kwargs)
      File "/app/superset/utils/log.py", line 255, in wrapper
        value = f(*args, **kwargs)
      File "/app/superset/charts/data/api.py", line 235, in data
        command.validate()
      File "/app/superset/commands/chart/data/get_data_command.py", line 68, in validate
        self._query_context.raise_for_access()
      File "/app/superset/common/query_context.py", line 137, in raise_for_access
        self._processor.raise_for_access()
      File "/app/superset/common/query_context_processor.py", line 754, in raise_for_access
        security_manager.raise_for_access(query_context=self._query_context)
      File "/app/superset/security/manager.py", line 1960, in raise_for_access
        raise SupersetSecurityException(
    superset.exceptions.SupersetSecurityException: Guest user cannot modify chart payload
    172.20.0.1 - - [20/Feb/2024:19:57:34 +0000] "POST /api/v1/chart/data?form_data=%7B%22slice_id%22%3A108%7D&dashboard_id=65 HTTP/1.1" 403 149 "http://localhost:8088/embedded/3f11daf2-84ac-4c8f-80aa-e9310b488fe7" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
@michael-s-molina
Member

Please check #26749.

@rscarborough1996
Author

Thanks for the response!
I see that certain modifications to chart data request will result in this error, but I haven't modified anything. This is just the vanilla request that comes from the embedded dashboard.

After more testing, if I wait on the embedded page for a while, it sometimes starts working when I refresh the chart. I have checked logs and the requests in dev tools, but I can't see any difference between the requests that work and the requests that produce this error, other than a session cookie changing.

@michael-s-molina
Member

@betodealmeida could you take a look?

@nfalco79

Same issue here: all our charts show that the guest user (Gamma role) can neither set filters nor show charts.
Unexpected error (Guest user cannot modify chart payload)

@raphaelcosta

+1

@xrdavies

same issue here

image

@rusackas
Member

Ping @sadpandajoe

@xrdavies

same issue here

image

image

It seems particular types of charts have this issue in the dashboard, not all of them.

@betodealmeida
Member

I wonder if anything changed in the way we generate form_data? That would cause a mismatch between the chart payload requested by a dashboard and what's stored in the DB.

Can anyone affected share the form_data requested by the dashboard (from the network tab in developer tools) and compare it with the params field of the chart in the database?

@rscarborough1996
Author

form_data request from embedded dashboard:

{
    "datasource": "76__table",
    "viz_type": "table",
    "slice_id": 108,
    "url_params": {},
    "query_mode": "raw",
    "groupby": [],
    "time_grain_sqla": "P1D",
    "temporal_columns_lookup": {},
    "metrics": [],
    "all_columns": [...],
    "percent_metrics": [],
    "adhoc_filters": [],
    "order_by_cols": [
        "[\"tstamp\", false]"
    ],
    "row_limit": 50000,
    "server_page_length": 10,
    "order_desc": true,
    "table_timestamp_format": "smart_date",
    "show_cell_bars": false,
    "color_pn": true,
    "column_config": {
        "operatorId": {
            "showCellBars": false
        },
        "tstamp": {
            "d3TimeFormat": "%Y-%m-%d %H:%M:%S"
        }
    },
    "conditional_formatting": [],
    "extra_form_data": {},
    "granularity_sqla": "tstamp",
    "time_range": "No filter",
    "label_colors": {},
    "shared_label_colors": {},
    "extra_filters": [],
    "dashboardId": 65,
    "force": false,
    "result_format": "json",
    "result_type": "full",
    "include_time": false
}

params for that chart from the database:

{
  "adhoc_filters": [],
  "all_columns": [...],
  "color_pn": true,
  "column_config": {
    "operatorId": {
      "showCellBars": false
    },
    "tstamp": {
      "d3TimeFormat": "%Y-%m-%d %H:%M:%S"
    }
  },
  "conditional_formatting": [],
  "datasource": "76__table",
  "extra_form_data": {},
  "granularity_sqla": "tstamp",
  "groupby": [],
  "metrics": [],
  "order_by_cols": [
    "[\"tstamp\", false]"
  ],
  "order_desc": true,
  "percent_metrics": [],
  "query_mode": "raw",
  "row_limit": 50000,
  "server_page_length": 10,
  "show_cell_bars": false,
  "slice_id": 108,
  "table_timestamp_format": "smart_date",
  "time_grain_sqla": "P1D",
  "time_range": "No filter",
  "viz_type": "table"
}

I've removed the columns here, but I did verify that they match.
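
The comparison requested above, as an added example (not part of the original thread and not Superset's own check): a recursive diff of the two posted payloads, using hypothetical helper names `diff_payload` and `paths`. It only reports which keys differ; which of those differences Superset treats as a guest modification is not determined here.

```python
import json

# Payloads from the comment above, condensed. "all_columns" was elided by the
# poster ("[...]"), so it is omitted from both sides rather than guessed.
STORED = json.loads(r'''{"adhoc_filters":[],"color_pn":true,
 "column_config":{"operatorId":{"showCellBars":false},
                  "tstamp":{"d3TimeFormat":"%Y-%m-%d %H:%M:%S"}},
 "conditional_formatting":[],"datasource":"76__table","extra_form_data":{},
 "granularity_sqla":"tstamp","groupby":[],"metrics":[],
 "order_by_cols":["[\"tstamp\", false]"],"order_desc":true,
 "percent_metrics":[],"query_mode":"raw","row_limit":50000,
 "server_page_length":10,"show_cell_bars":false,"slice_id":108,
 "table_timestamp_format":"smart_date","time_grain_sqla":"P1D",
 "time_range":"No filter","viz_type":"table"}''')
REQUESTED = json.loads(r'''{"datasource":"76__table","viz_type":"table",
 "slice_id":108,"url_params":{},"query_mode":"raw","groupby":[],
 "time_grain_sqla":"P1D","temporal_columns_lookup":{},"metrics":[],
 "percent_metrics":[],"adhoc_filters":[],
 "order_by_cols":["[\"tstamp\", false]"],"row_limit":50000,
 "server_page_length":10,"order_desc":true,
 "table_timestamp_format":"smart_date","show_cell_bars":false,"color_pn":true,
 "column_config":{"operatorId":{"showCellBars":false},
                  "tstamp":{"d3TimeFormat":"%Y-%m-%d %H:%M:%S"}},
 "conditional_formatting":[],"extra_form_data":{},"granularity_sqla":"tstamp",
 "time_range":"No filter","label_colors":{},"shared_label_colors":{},
 "extra_filters":[],"dashboardId":65,"force":false,"result_format":"json",
 "result_type":"full","include_time":false}''')

def diff_payload(requested, stored, path=""):
    """List (path, kind, requested_value, stored_value) for each difference."""
    out = []
    for key in sorted(set(requested) | set(stored)):
        here = f"{path}.{key}" if path else key
        if key not in stored:
            out.append((here, "only_in_request", requested[key], None))
        elif key not in requested:
            out.append((here, "only_in_stored", None, stored[key]))
        elif isinstance(requested[key], dict) and isinstance(stored[key], dict):
            out.extend(diff_payload(requested[key], stored[key], here))
        elif requested[key] != stored[key]:
            out.append((here, "changed", requested[key], stored[key]))
    return out

def paths(diffs, kind):
    return [p for p, k, _, _ in diffs if k == kind]

if __name__ == "__main__":
    for path, kind, req, sto in diff_payload(REQUESTED, STORED):
        print(f"{kind:16} {path}: request={req!r} stored={sto!r}")
```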

@betodealmeida
Member

Thanks, let me try to repro it.

@xrdavies

For more info, I have tried to downgrade to 3.1.0, and it works well

@lindenh
Contributor

lindenh commented Feb 27, 2024

I had left a comment after the fact (though I probably should have created an issue earlier) on that here: #26749 (comment)
tl;dr: I think this is caused by mixed charts and saved metrics on big number charts.

@MickJerin12

MickJerin12 commented Feb 28, 2024

We are encountering the same problem following an upgrade from V3.1.0 to V4.0.0rc1.

Most of the charts and all the filters are showing the following error (Guest user cannot modify chart payload).

@avree

avree commented Feb 28, 2024

Same here - downgrade to 3.1.0 resolved it. Simple charts, such as our Table chart, are still working, but other visualizations such as the pie chart are not.

@ilndinesh

Same problem for us too

@ilndinesh

For now we had to comment out that raise error code on our local deploys, and it works as before.

@loretoparisi

> For now we had to comment out that raise error code on our local deploys, and it works as before.

I'm getting this error on the main (master) branch, building with docker, how can I downgrade that modification on the code, without changing the whole code base?

@ilndinesh

> > For now we had to comment out that raise error code on our local deploys, and it works as before.
>
> I'm getting this error on the main (master) branch, building with docker, how can I downgrade that modification on the code, without changing the whole code base?

You can add a patch step to your build to modify just that file with the changes you need. We did the same as a build step, by overwriting just that file with the updated file with commented/removed code.

@ilndinesh

Maybe an explicit superset flag to turn off this security feature will help. Thank you.

@loretoparisi

@ilndinesh source patched, it works. Definitely an env to be checked would be good, thanks.

@JurajBurian

Hello folks, is there any progress with the issue?
Everything from 3.1.1+ is affected.
Maybe a partial rollback of 26749 is a temporary solution.

@jose-l-goncalves-alb

+1

+1 (version 3.0.4)

@tvc12

tvc12 commented Mar 6, 2024

Same problem in version 4.1.0rc1. Reverting to 3.1.0 worked for me!

@enzo-dechaene

same from 3.0.3 to 3.0.4

@michael-s-molina
Member

@betodealmeida Reopening the issue as it looks like the issue persists for some use cases even after #27484.

@talk2morris

Hello folks, pls how do I downgrade from 3.1.1 to 3.1.0

@michael-s-molina
Member

> Hello folks, pls how do I downgrade from 3.1.1 to 3.1.0

Hi @talk2morris. There are no migrations between 3.1.1 and 3.1.0. You can just download/point to the previous patch.

@michael-s-molina
Member

It would be helpful if folks here could check if the issue persists after #27484 as @JurajBurian mentioned here. It would be helpful to determine if it's only a specific case that's still failing or if there are others. Given the nature of the bug, please provide as much detail as possible.

@rscarborough1996
Author

@michael-s-molina I tested this using the apache/superset:735b895 docker image (correct me if I am wrong, but I believe that refers to the #27484 merge commit).

I am still getting the same error.

@talk2morris

> > Hello folks, pls how do I downgrade from 3.1.1 to 3.1.0
>
> Hi @talk2morris. There are no migrations between 3.1.1 and 3.1.0. You can just download/point to the previous patch.

@michael-s-molina thanks, actually I have downgraded to 3.1.0 and it solved the issue.

@JurajBurian

> It would be helpful if folks here could check if the issue persists after #27484 as @JurajBurian mentioned here. It would be helpful to determine if it's only a specific case that's still failing or if there are others. Given the nature of the bug, please provide as much detail as possible.

I patched the latest docker image (and manager.py also looks like the current one in master), and I believe that the first change in my patch was correct. I replaced return True with False on line 158 in the sanity check:

    # sanity checks
    if form_data is None or stored_chart is None:
        return False

This is probably correct, because in some case one (or maybe both) of the values is None in the condition. And this patch was almost "correct", but for some cases a type cast exception then occurred, as I mentioned in my remark.
I hope that my observation helps fix this bug.
For now we use an almost¹ absolutely fresh image from master (fixed other bugs) in production :-(.

  1. The latest image has another problem: some selects written in the PostgreSQL dialect throw an exception; see my remark on Slack. @michael-s-molina should I raise an issue about this problem? Sorry if it is not a good place to ask a question like this.

@michael-s-molina
Member

> I patched the latest docker image (and manager.py also looks like the current one in master), and I believe that the first change in my patch was correct. I replaced return True with False on line 158 in the sanity check:

Thanks for the details @JurajBurian. Please open a specific issue for the Postgres problem.

@betodealmeida
Member

Taking a look.

@michael-s-molina
Member

Thanks @betodealmeida for the fix 🙏🏼

@rscarborough1996
Author

I tested this using the apache/superset:36290ce docker image and it seems to have fixed the issue!

@guga-kudos

guga-kudos commented Mar 20, 2024

Downgrading to 3.1.0 worked for me as well. Waiting for 3.2.0 or 3.1.2 to be released. Do we have any dates on that? 😄

@sandeepr43

Same issue here....

I had to downgrade my superset version from 3.1.1 to 3.1.0.

It sucks, as the 3.1.1 version has resolved some bugs like "Full screen error" in the embedded UI.

@rusackas
Member

rusackas commented Apr 2, 2024

> Downgrading to 3.1.0 worked for me as well. Waiting for 3.2.0 or 3.1.2 to be released. Do we have any dates on that? 😄

3.1.2 is up for testing/voting now (as is 4.0, incidentally)

@Attachai77

Attachai77 commented Apr 10, 2024

I got the same issue (v 4.0)
Screenshot 2567-04-10 at 14 42 09

Screenshot 2567-04-10 at 14 41 49 Screenshot 2567-04-10 at 14 42 21

@enzo-dechaene

Hi @Attachai77, I don't know if this is a solution but I solved the problem by removing the "datasource access on table..." right on my specific role.

@Attachai77

Hello @enzo-dechaene, thank you for your reply. Below are my permissions, which do not have any "datasource access on table...". Could you please show me your guest permissions that work, or tell me if some of my permissions are wrong? Thanks.

Screenshot 2567-04-11 at 10 39 47

@enzo-dechaene

It fixed the problem for me. Can you check using the Gamma role instead? It will help to know if it's a role problem.

@Attachai77

I will try it.

@justin-tomlinson

@Attachai77 I was testing the v4.0 docker image and imported some dashboards from v3.1.0 and still see the issue on some charts. I then opened the problem charts in explore and saved them again (no changes, just save) and they appear to work OK. So maybe persisting something in the chart definition somewhere.

@Attachai77

@justin-tomlinson I did it, but it did not work. The same error. 😭

@gabrielheck

gabrielheck commented May 18, 2024

I encountered the issue "Guest user cannot modify chart payload" in version 4.0 after importing dashboards from version 3.1. To resolve this, I opened the affected chart and saved it again. I believe there is a minor difference in the chart data structure between these versions that causes this error. Notably, this issue occurs only with the Pie Chart and Big Number chart.

@stockarea

image

In embedding I am getting the same issue.
I even tried to generate a guest token for my user having the admin role; still I am getting the same issue.

@rusackas
Member

rusackas commented Jun 4, 2024

If you're still encountering this in current versions, please add additional context here: #28446

@StaSotiro

For me this was resolved by upgrading to 4.0.2 from 3.1.1

@marianysilva

marianysilva commented Aug 6, 2024

Workaround: You can open the Chart using Superset Interface, load the data, and then go to your Embedded dashboard and reload it. It should work.

FROM apache/superset:4.0.2-py310

Screenshot 2024-08-06 at 11 51 32
