Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Bypassing view access control using direct link
See original GitHub issueWhen using the dash_app template tag, the contents are rendered in an iframe. A curious user can inspect the page source and get the direct link to the Dash app directly form the iframe. The direct link might allow the user to bypass access control and other precautions built into a project. This seems to undermine the view based access control:
Each view delegated through to plotly_dash can be wrapped using a view decoration function. This enables access to be restricted to logged-in user
How can we mitigate the risk of potential abuse, particularly when dashboards may contain sensitive data?
Issue Analytics
- State:
- Created 5 years ago
- Comments:22 (21 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@brylie The function supplied as the
view_decoratorshould get called on every call that passes throughdjango_plotly_dash, so you should not be able to subvert the access control by copying the link.You can verify this by doing exactly as you describe - go to an app as an authorized user, grab one of the urls (the debugging console of your browser can help you do this), and then try to access that url as an unauthorized user.
Just pulled #90 into master, which hopefully addresses this, and closing this issue. Please reopen with comments if the documentation can be improved.