Replies: 1 comment
Solid proposal. Separating

Until this gets implemented natively, here's a workaround that achieves the same effect: Block access to

```python
# superset_config.py
def mutate_app(app):
    from flask import abort, g

    @app.before_request
    def block_dashboard_list():
        from flask import request
        # Role names of the current user (FAB's anonymous user also exposes .roles)
        user = getattr(g, "user", None)
        roles = {r.name for r in getattr(user, "roles", [])} if user else set()
        if request.path == '/dashboard/list/' and 'Admin' not in roles:
            abort(403)

    return app


FLASK_APP_MUTATOR = mutate_app
```

You can also block the API endpoint that feeds the list:

```python
# Add this next to block_dashboard_list() inside mutate_app()
import re

@app.before_request
def block_dashboard_list_api():
    from flask import request
    if request.path.startswith('/api/v1/dashboard/') and request.method == 'GET':
        # Allow single dashboard access (has numeric ID in path)
        if not re.match(r'/api/v1/dashboard/\d+', request.path):
            user = getattr(g, "user", None)
            roles = {r.name for r in getattr(user, "roles", [])} if user else set()
            if 'Admin' not in roles:
                abort(403)
```

This is a bit blunt, but it works. You could refine it by checking for a custom permission or a specific role instead of just

For a proper upstream solution, the change would need to touch
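The allow/deny decision behind the workaround above, as an added example that is not code from the thread: the path policy is a pure function that can be unit-tested offline, with the before_request wiring kept separate. It assumes Flask-AppBuilder's `g.user` with a `.roles` attribute, that Superset's single-dashboard API route accepts a slug as well as a numeric id, and that the names in `_RESERVED` are collection-level endpoints rather than dashboard slugs.

```python
import re

# Catalogue endpoints: the UI list page and the API collection. Anything else
# under the API prefix counts as a single-dashboard request only when its first
# segment is a numeric id or a slug that is not a reserved collection-level
# name (assumption: these names are Superset/FAB routes, not dashboard slugs).
_LIST_PAGE = re.compile(r"^/dashboard/list/?$")
_API_COLLECTION = re.compile(r"^/api/v1/dashboard/?$")
_API_PREFIX = "/api/v1/dashboard/"
_SINGLE = re.compile(r"^/api/v1/dashboard/(\d+|[A-Za-z0-9][A-Za-z0-9_-]*)(/|$)")
_RESERVED = {"_info", "related", "distinct", "export", "import", "favorite_status"}


def should_block(path, method, role_names, admin_role="Admin"):
    """True when the request must be refused with 403.

    Admins may browse. Everyone else may open one dashboard (UI page, API
    object and sub-resources such as /charts) but not read the catalogue.
    Non-GET API calls are left to Superset's own permission checks.
    """
    if admin_role in set(role_names):
        return False
    if _LIST_PAGE.match(path):
        return True
    if method.upper() != "GET":
        return False
    if _API_COLLECTION.match(path):
        return True
    if not path.startswith(_API_PREFIX):
        return False
    m = _SINGLE.match(path)
    return m is None or m.group(1) in _RESERVED


def register(app):
    """Wire should_block() into Flask via before_request; use as FLASK_APP_MUTATOR.

    Assumes Flask-AppBuilder's g.user, whose .roles yields objects with .name
    (the anonymous user included when AUTH_ROLE_PUBLIC is set).
    """
    from flask import abort, g, request

    @app.before_request
    def deny_dashboard_browsing():
        user = getattr(g, "user", None)
        roles = [r.name for r in getattr(user, "roles", [])] if user else []
        if should_block(request.path, request.method, roles):
            abort(403)

    return app
```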
Hello Superset Team,
I would like to propose a permission enhancement related to dashboard sharing when using DASHBOARD_RBAC + AUTH_ROLE_PUBLIC.
Current Challenge
We are using:
- DASHBOARD_RBAC
- AUTH_ROLE_PUBLIC
to share private dashboards via direct links.
This approach works well for controlled dashboard access.
However, even when users only need access to specific dashboards, they can still navigate to:
/dashboard/list
and view all dashboards that their role has access to.
In some use cases, this behavior is not desired.
We would like users to access dashboards only via direct links, without being able to browse the dashboard list.
Proposed Improvement
It would be helpful to introduce a separate granular permission, such as:
- can list on Dashboard
so that:
- can read on Dashboard → allows viewing a specific dashboard
- can list on Dashboard → controls visibility of the dashboard list page
This would allow administrators to:
- Enable direct-link access
- Disable dashboard browsing
- Improve security for external sharing scenarios
- Better support public or semi-public dashboard use cases
Why This Is Important
In enterprise environments, it is common to:
- Share dashboards via controlled links
- Avoid exposing the full dashboard catalog
- Restrict browsing capabilities
- Maintain strict role-based access control
Having a dedicated "list" permission would make DASHBOARD_RBAC much more flexible and secure.
Thank you for considering this enhancement.
Best regards,
josh