
Metabase: URL manipulation allows unauthorised data access


I am currently using the free version of Metabase for learning and testing purposes. I’ve set up two dashboards for two different users based on hardcoding state names into the filters. The expectation is that users should only be able to view data for their respective states.

For example, if a user from Karnataka logs in, they should only see data related to Karnataka, and similarly for another user from a different state.

The Problem:
When a user from Karnataka logs in, they are initially presented with the correct data. However, if they manually modify the URL and change the query parameter from select_state=Karnataka to another state like select_state=Kerala, they can then access data for Kerala, which should not be permitted.

For example:

Original URL (working as expected):
/dashboard/4-state-report-karnataka?state_param=Karnataka

Image of Original URL

Modified URL (security issue):
/dashboard/4-state-report-karnataka?state_param=Kerala

Image of Modified URL

I would appreciate your help in fixing this issue or guiding me towards the correct way to implement state-specific access restrictions that cannot be overridden by URL changes.

Thank you for your attention to this matter!

Created two dashboards for each state user with the same question card, but state user-1 logs in, manipulates the URL and sees data of the other state.

This unauthorised access exposes data from other states, which breaks the intended state-specific restrictions. My expectation was that each user would be restricted to their own state data, regardless of any changes they make to the URL.
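The root cause described in the post is that a dashboard filter driven by a URL query parameter is a presentation choice, not an access control: anything the browser sends can be edited by the user. The following added example (my own illustration, not code from Metabase or from the post's author) contrasts the vulnerable pattern with a hardened one in which the state is taken from the authenticated session and a mismatching client-supplied value is refused, and adds a small audit pass over constructed access-log lines to spot tampering attempts after the fact. The user store, row data, URL shape and log format are all assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample rows; each row is tagged with the state it belongs to.
ROWS = [
    {"state": "Karnataka", "district": "Mysuru", "sales": 120},
    {"state": "Karnataka", "district": "Bengaluru", "sales": 340},
    {"state": "Kerala", "district": "Kochi", "sales": 210},
]

# Constructed user store: the state a user may see is a server-side attribute,
# never something the client supplies.
USERS = {"user_ka": "Karnataka", "user_kl": "Kerala"}


def query_rows(state):
    """Return the rows for one state (stands in for the dashboard's SQL question)."""
    return [r for r in ROWS if r["state"] == state]


def state_param_from_url(url):
    """Extract the hypothetical state_param query value, or None if absent."""
    params = parse_qs(urlparse(url).query)
    return params.get("state_param", [None])[0]


def vulnerable_dashboard(session_user, url):
    """Mirrors the post: the filter value is trusted straight from the URL.

    session_user is ignored, so editing the URL changes which state is shown.
    """
    return query_rows(state_param_from_url(url))


def hardened_dashboard(session_user, url):
    """Derive the filter from the authenticated session, not from the client.

    A client-supplied state_param that disagrees with the session is refused
    rather than silently overridden, so the attempt is visible and loggable.
    """
    allowed_state = USERS[session_user]
    requested = state_param_from_url(url)
    if requested is not None and requested != allowed_state:
        raise PermissionError(f"{session_user} is not permitted to view {requested}")
    return query_rows(allowed_state)


def find_tampered_requests(log_lines):
    """Audit constructed access-log lines of the form '<user> <request-path>'.

    Flags every request whose state_param differs from the user's assigned state,
    which is exactly the manipulation the post describes.
    """
    flagged = []
    for line in log_lines:
        user, path = line.split(" ", 1)
        requested = state_param_from_url(path)
        if requested is not None and requested != USERS.get(user):
            flagged.append((user, requested))
    return flagged


if __name__ == "__main__":
    tampered = "/dashboard/4-state-report-karnataka?state_param=Kerala"
    print("vulnerable:", vulnerable_dashboard("user_ka", tampered))
    try:
        hardened_dashboard("user_ka", tampered)
    except PermissionError as exc:
        print("hardened refused:", exc)
    # Constructed log lines: one legitimate request, one tampered request.
    log = [
        "user_ka /dashboard/4-state-report-karnataka?state_param=Karnataka",
        "user_ka /dashboard/4-state-report-karnataka?state_param=Kerala",
    ]
    print("flagged:", find_tampered_requests(log))
```

The hardened handler raises instead of quietly substituting the session's state so that the event can be logged and alerted on; the audit function applies the same comparison to historical logs, which is how you would find out whether the weakness has already been used.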



