Hide list of users

[Ultil]

Hello - we have someone external who wants access to our data. Is there a way to stop them viewing a list of all the users when they go to settings? Alternatively can we set it up so that they can only see users of a specific group?

Thank you very much in advance!

[gaecoli]

A filtering list needs to be set up to judge each time a user visits.

[Ultil]

Thank you for your response - do you know how I would do this?

[gaecoli]

I don't know if your user is recorded in redash or not. If there is a record, you can create a group group, and then you need to change the front-end code and add some restrictions.

[Ultil]

Thank you!

[Ultil]

I have emailed you to see if you would be willing to help us - let me know :)

[gpspake]

For anyone still interested in this, we moved the list_users and list_data_sources in to the admin list in users.py

@generic_repr("id", "name", "type", "org_id")
class Group(db.Model, BelongsToOrgMixin):
    DEFAULT_PERMISSIONS = [
        "create_dashboard",
        "create_query",
        "edit_dashboard",
        "edit_query",
        "view_query",
        "view_source",
        "execute_query",
        "schedule_query",
        "list_dashboards",
        "list_alerts",
    ]
    ADMIN_PERMISSIONS = ["admin", "super_admin", "list_data_sources", "list_users"]

This causes a bunch of tests to break, most of which can be fixed by passing in an admin user:

    def test_gets_all_enabled(self):
        admin = self.factory.create_admin()

        users = self.create_filters_fixtures()
        user_ids = self.make_request_and_return_ids("get", "/api/users", user=admin)
        self.assertUsersListMatches(
            user_ids,
            [users.enabled_active1, users.enabled_active2, users.enabled_pending],
            [users.disabled_active1, users.disabled_active2, users.disabled_pending],
        )

You'll also need to update the permissions in the groups table manually for groups that already exist

Aside: I don't quite understand why permissions can't be assigned to groups in the UI. There are useful granular permissions but they're effectively hard coded. I'm also not sure why any non-admin user would need to see a list of other users accounts/email addresses? Anyway, this seems like it will do the trick.