Impact
As intended, recipients of dashboard subscriptions can view the data as seen by the creator of that subscription. This means that if a person in a group with more access to data creates a dashboard subscription and adds a person with fewer data privileges, the data delivered to that person's inbox, and to all other recipients of that subscription, is the same: the charts shown in the email abide by the privileges of the user who created the subscription.
The problem was that users with fewer privileges who could view a dashboard were able to add themselves to a dashboard subscription created by someone with additional data privileges, and thus get access to more data via email.
Patches
This issue will be patched in 0.43.7.1, 1.43.7.1, 0.44.6.1, 1.44.6.1, 0.45.2.1, and 1.45.2.1. In the upgraded version of Metabase, people can only edit dashboard subscriptions that they create. Admins can still edit any dashboard subscription.
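The authorization change described above, modeled as an added example (not Metabase's own code). The `User` and `Subscription` types, the policy function names, and the sample users are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical, simplified model; not Metabase's data model or API.
@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False
    visible: frozenset = frozenset()  # data this user's groups may see

@dataclass
class Subscription:
    creator: User
    recipients: set = field(default_factory=set)  # recipient user ids

def can_edit_before_fix(actor, sub, can_view_dashboard):
    # Behaviour described under Impact: viewing the dashboard was enough.
    return can_view_dashboard

def can_edit_after_fix(actor, sub, can_view_dashboard):
    # Behaviour described under Patches: creator or admin only.
    return actor.is_admin or actor.id == sub.creator.id

def add_recipient(policy, actor, sub, recipient, can_view_dashboard=True):
    if not policy(actor, sub, can_view_dashboard):
        raise PermissionError(f"user {actor.id} may not edit this subscription")
    sub.recipients.add(recipient.id)

def delivered(sub):
    # Emails are rendered with the creator's privileges for every recipient.
    return {uid: sub.creator.visible for uid in sub.recipients}

def demo():
    # Constructed sample users.
    analyst = User(1, visible=frozenset({"orders", "salaries"}))
    restricted = User(2, visible=frozenset({"orders"}))
    results = {}
    for name, policy in (("before", can_edit_before_fix),
                         ("after", can_edit_after_fix)):
        sub = Subscription(creator=analyst)
        try:
            add_recipient(policy, restricted, sub, restricted)
            # Data the restricted user receives beyond their own privileges.
            results[name] = delivered(sub)[restricted.id] - restricted.visible
        except PermissionError:
            results[name] = "denied"
    return results

if __name__ == "__main__":
    print(demo())
```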
Workarounds
On Metabase instances running Enterprise Edition, admins can disable the "Subscriptions and Alerts" permission for groups that have restricted data permissions.