Incubator-superset: Give users the rights to change their password

Created on 9 May 2017 · 9 Comments · Source: apache/incubator-superset

What access should I add to allow users to change their password? I checked, Alpha and Gamma users get an "access denied" when clicking on the Profile Icon (upper right corner next to version info icon).

Only the Admin role is allowed to change its password.

Make sure these boxes are checked before submitting your issue - thank you!

  • [x] I have checked the superset logs for python stacktraces and included it here as text if any
  • [x] I have reproduced the issue with at least the latest released version of superset
  • [x] I have checked the issue tracker for the same issue and I haven't found one similar

Superset version

0.18.0-alpha.1

Expected results

Actual results

Steps to reproduce



All 9 comments

I was able to work around this issue by creating a separate role that has these permissions:

can this form post on ResetMyPasswordView,
can this form get on ResetMyPasswordView,
can this form post on UserInfoEditView,
can this form get on UserInfoEditView,
resetmypassword on UserDBModelView,
can edit on UserDBModelView,
can userinfo on UserDBModelView,
userinfoedit on UserDBModelView

Then I added that role to all the non-admin users which allowed them to view/edit their profile and change their own passwords.

@stevekaeser doesn't can edit on UserDBModelView give them the right to edit everyone else's too?

I am not sure but I am afraid there is a mismatch between ResetMyPasswordView and ResetPasswordView. With the defaults Gamma and Alpha roles, it's not possible to access the user info page (profile page) nor see the reset password button on this page. Maybe it's been fixed in later releases but I haven't found any issue on the matter.

I was able to grant access to the profile and reset password pages only by granting permissions that are more supposed to be admin permissions, and yes, you can change other users' passwords then...
E.g.: ResetPasswordView (get + post) is necessary to see the reset button on the profile page...

One workaround is to grant a role only the can this form post on ResetMyPasswordView and can this form get on ResetMyPasswordView permissions, then have the users manually go to your Superset URL + /resetmypassword/form to reset their password.

Using the Network developer tool in Firefox, I verified that only the password (and a CSRF token) is sent in the POST request -- there's no user ID, so this doesn't appear to open a way to reset other users' passwords.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Please don't close this issue, as I think it makes using Superset more difficult for users.

It's possible to make them see their own profile + see the password change button + allowing them to change their own password without allowing can edit on UserDBModelView or related to ResetPasswordView, by enabling only these permissions:

can this form post on ResetMyPasswordView,
can this form get on ResetMyPasswordView,
can userinfo on UserDBModelView,
resetmypassword on UserDBModelView

Is there anything that I'm missing or a potential security issue with these enabled?

@Giuzzilla those permissions should be safe enough to enable.

I have a role with these permissions but the /resetmypassword/form URL 404s.

can this form post on ResetMyPasswordView,
can this form get on ResetMyPasswordView,
can userinfo on UserDBModelView,
resetmypassword on UserDBModelView

Can anyone help get a password reset?
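The role construction and permission check discussed in this thread (the eight-permission workaround, the four-permission minimal set, and the case where /resetmypassword/form 404s because a permission/view pair is not registered on the installation), as an added Python example that is not Superset's or Flask-AppBuilder's own code. It assumes Flask-AppBuilder's security manager methods find_role, add_role, find_permission_view_menu and add_permission_role (reached in Superset as appbuilder.sm); the role name SelfServicePassword and the in-memory fake security manager used for the demo are constructed for illustration.

```python
"""Build a self-service password role from the permission labels in this
thread and audit a role for the admin-level grants the thread warns about.

Added example, not Superset's own code.  Assumes the Flask-AppBuilder
SQLAlchemy SecurityManager API: find_role, add_role,
find_permission_view_menu, add_permission_role (Superset: appbuilder.sm).
"""
import re
from typing import Dict, Iterable, List, Tuple

# Minimal set from the thread: own profile page + own password reset only.
SELF_SERVICE_PERMISSIONS = [
    "can this form post on ResetMyPasswordView",
    "can this form get on ResetMyPasswordView",
    "can userinfo on UserDBModelView",
    "resetmypassword on UserDBModelView",
]

# The earlier eight-permission workaround, kept here as audit input.
WORKAROUND_2017_PERMISSIONS = SELF_SERVICE_PERMISSIONS + [
    "can this form post on UserInfoEditView",
    "can this form get on UserInfoEditView",
    "can edit on UserDBModelView",
    "userinfoedit on UserDBModelView",
]

# Grants the thread identifies as reaching OTHER users' accounts
# (edit any user; the admin ResetPasswordView).  Flag them on non-admin roles.
ADMIN_LEVEL_PERMISSIONS = [
    "can edit on UserDBModelView",
    "can this form get on ResetPasswordView",
    "can this form post on ResetPasswordView",
]

# UI label: "<permission words> on <ViewMenuName>"
_LABEL_RE = re.compile(r"^(?P<perm>.+?) on (?P<view>\S+)$")


def parse_permission(label: str) -> Tuple[str, str]:
    """'can this form post on ResetMyPasswordView' ->
    ('can_this_form_post', 'ResetMyPasswordView'), the pair FAB stores."""
    m = _LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised permission label: {label!r}")
    return m.group("perm").replace(" ", "_"), m.group("view")


def audit_role(permission_labels: Iterable[str]) -> Dict[str, object]:
    """Report which self-service grants a role lacks and which admin-level
    grants it carries; 'safe' means complete and nothing flagged."""
    have = {parse_permission(p) for p in permission_labels}
    wanted = {parse_permission(p) for p in SELF_SERVICE_PERMISSIONS}
    flagged = {parse_permission(p) for p in ADMIN_LEVEL_PERMISSIONS}
    missing = sorted(wanted - have)
    admin_level = sorted(have & flagged)
    return {"missing": missing, "admin_level": admin_level,
            "safe": not missing and not admin_level}


def create_self_service_role(sm, role_name: str = "SelfServicePassword"):
    """Create or reuse a role carrying only SELF_SERVICE_PERMISSIONS.
    Returns (role, unregistered_labels): labels whose permission/view pair
    does not exist on this installation explain a 404 on the reset form."""
    role = sm.find_role(role_name) or sm.add_role(role_name)
    unregistered: List[str] = []
    for label in SELF_SERVICE_PERMISSIONS:
        perm_name, view_name = parse_permission(label)
        pv = sm.find_permission_view_menu(perm_name, view_name)
        if pv is None:
            unregistered.append(label)
            continue
        sm.add_permission_role(role, pv)
    return role, unregistered


class FakeSecurityManager:
    """Constructed stand-in for appbuilder.sm so the demo runs offline."""

    def __init__(self, registered_pairs: Iterable[Tuple[str, str]]):
        self.registered = set(registered_pairs)
        self.roles: Dict[str, dict] = {}

    def find_role(self, name):
        return self.roles.get(name)

    def add_role(self, name):
        self.roles[name] = {"name": name, "permissions": set()}
        return self.roles[name]

    def find_permission_view_menu(self, permission_name, view_menu_name):
        pair = (permission_name, view_menu_name)
        return pair if pair in self.registered else None

    def add_permission_role(self, role, perm_view):
        role["permissions"].add(perm_view)


if __name__ == "__main__":
    print(audit_role(WORKAROUND_2017_PERMISSIONS))
    # Installation where ResetMyPasswordView was never registered -> 404 case.
    sm = FakeSecurityManager([("can_userinfo", "UserDBModelView"),
                              ("resetmypassword", "UserDBModelView")])
    print(create_self_service_role(sm))
```

audit_role takes the permission labels as they appear in the Superset role editor, so an existing role can be checked before it is handed to non-admin users; create_self_service_role reports, rather than silently skips, any pair the installation has not registered, which is the first thing to check when the reset form returns 404.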
