Hello Metabase team,
I am currently using the free version of Metabase for learning and testing purposes. I've set up two dashboards for two different users based on hardcoding state names into the filters. The expectation is that users should only be able to view data for their respective states.
For example, if a user from Karnataka logs in, they should only see data related to Karnataka, and similarly for another user from a different state.
The Problem:
When a user from Karnataka logs in, they are initially presented with the correct data. However, if they manually modify the URL and change the query parameter from select_state=Karnataka to another state like select_state=Kerala, they can then access data for Kerala, which should not be permitted.
For example:
-
Original URL (working as expected):
/dashboard/4-state-report-karnataka?state_param=Karnataka
-
Modified URL (security issue):
/dashboard/4-state-report-karnataka?state_param=Kerala
This unauthorized access exposes data from other states, which breaks the intended state-specific restrictions. My expectation was that each user would be restricted to their own state data, regardless of any changes they make to the URL.
I would appreciate your help in fixing this issue or guiding me towards the correct way to implement state-specific access restrictions that cannot be overridden by URL changes.
Thank you for your attention to this matter!