All users display in a pulse list

gatalec · May 6, 2019, 9:51pm

Hello,

Metabase v. 3.25, with Chrome browser in Windows 10.

I created a regular user and made it part of a group with access to only one table.

When log into that user I only see the one table. So far so good. I then create a pulse and I see the list of all other users.

Is there a way to limit that list and either not show any user or only the one user that is currently logged in?

BR,

flamber · May 6, 2019, 10:30pm

Hi @gatalec

I cannot find a feature request for that, so you can create one if you want:
https://github.com/metabase/metabase/issues/new

To make a hack/workaround, you would have to filter out the response from /api/user and only show the user, which has the id from the response /api/user/current. Not sure what happens if you just block /api/user or make it return an empty JSON.

By the way, it’s version 0.32.5

gatalec · May 6, 2019, 10:34pm

Thank you flamber.

How would I go about figuring out filtering the response? Modifying the source code?

flamber · May 6, 2019, 10:40pm

You could probably do everything exactly like you want if you modify the source, but that would probably be a huge task and then you would have to maintain it every time there’s an upgrade.

You can do a lot of things with a reverse proxy. So if you place a reverse proxy in front of Metabase, you (the user) are actually talking to the proxy. You can replace responses or modify then (i.e. with Nginx, you would use sub_filter to modify).

mrmiffo · February 14, 2020, 9:58am

I’ve created a feature request issue for this as we would like to limit which users to display based on the user group of the current user. Feel free to give it a

gatalec · April 4, 2020, 3:54pm

I have the same request and to me it’s a security risk.

I set different user logins for different customers, each one set with permission to only access a specific table(s). However, when it comes to creating pulses or even alerts, the email field automatically populates with all users in the system.

I would expect the correct behavior to be that only users with the same access rights are displayed on the list.

flamber · April 4, 2020, 3:57pm

@gatalec Then go and upvote by clicking on the first post:
https://github.com/metabase/metabase/issues/10795

gatalec · April 4, 2020, 4:01pm

Just did, Thank you flamber!