
Power BI

Needs Votes

Don't allow front-end config to override AppWorkspace settings


sdaviesnz on 16 Aug 2018 05:44:58

There's a problem with the PowerBI-JavaScript library.

It seems like anyone can manipulate variables for embedded reports using JavaScript / TypeScript with a browser debugger. If they can change the report config settings, they can display the Save button in the report, and this will allow them to save changes to the report back to the Power BI service. This is regardless of whether they are an Admin/Member, or whether the AppWorkspace has "Allow users to view content only..." set. This front-end ability makes any Power BI read-only setting redundant. What seems to allow this is the "viewMode" and "bookmarksPaneEnabled" report config settings.

This was true for all combinations of these conditions:
- for a Power BI AppWorkspace's settings, no matter whether someone chooses "Members can edit Power BI content" or "Members can only view Power BI content"
- no matter whether the Azure AD Guest user is on an external domain (e.g. user@gmail.com) or an internal domain
- no matter whether the user has Power BI AppWorkspace Admin or Member rights

Someone needs to fix this, it might be a bug!

The process we've gone through in the back-end uses the Power BI C# SDK, i.e.
- Make a generate token request with an EffectiveIdentity for an Azure AD user, e.g.
Microsoft.PowerBI.Api.V2.Models.GenerateTokenRequest(...)
- This gives you an embed URL and an embed token.
- Then in the front-end code, using something like the Chrome Inspector debugger, set a breakpoint in a block of code like the one below and manipulate the "viewMode" and "bookmarksPaneEnabled" config settings variables.

I am pasting my example below. It's in TypeScript, but it's very similar to JavaScript.


// In an Angular 2+ component file
// import * as pbi from 'powerbi-client';

// Embed configuration built from the token/URL returned by the back-end.
let config = {
    type: "report",
    accessToken: embedConfig.EmbedToken.Token,
    embedUrl: embedConfig.EmbedUrl,
    permissions: pbi.models.Permissions.All, // alternatives: .ReadWrite, .ReadAll
    viewMode: pbi.models.ViewMode.View,
    tokenType: pbi.models.TokenType.Embed,
    id: embedConfig.Id,
};

this.embedReport(config);
let reportContainer = document.getElementById("reportEmbedded");

// Embed the report and display it within the div container.
let powerbiService = new pbi.service.Service(
    pbi.factories.hpmFactory,
    pbi.factories.wpmpFactory,
    pbi.factories.routerFactory
);
powerbiService.reset(reportContainer);

this.report = powerbiService.embed(reportContainer, config);

// Report settings applied once the report has loaded.
const newSettings = {
    filterPaneEnabled: true,
    bookmarksPaneEnabled: false
};

// Only workspace Admins get the bookmarks pane (decided here, on the client).
if (this.pBIGroupUserAccessRightProperty == "Admin") {
    newSettings.bookmarksPaneEnabled = true;
}

this.report.on("loaded", () => {
    this.report.updateSettings(newSettings);
});
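The back-end side of the picture, as an added example that is not part of the original post: because the front-end config (viewMode, permissions, bookmarksPaneEnabled) can be edited in a debugger, the decision whether a user may edit has to be made on the server when the embed token is minted, via the token's accessLevel, which is what the Power BI service checks on Save. This assumes the Microsoft.PowerBI.Api V2.x SDK named in the post, placeholder workspace/report/dataset ids, a placeholder RLS role, and an Azure AD access token for the service account acquired elsewhere.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.PowerBI.Api.V2;
using Microsoft.PowerBI.Api.V2.Models;
using Microsoft.Rest;

// Added example (not from the original post). Ids below are placeholders.
public static class EmbedTokenIssuer
{
    const string WorkspaceId = "<workspace-id>"; // placeholder
    const string ReportId    = "<report-id>";    // placeholder
    const string DatasetId   = "<dataset-id>";   // placeholder

    // serverSaysCanEdit must come from the back-end's own authorization check
    // (e.g. the caller's workspace role looked up server-side), never from the
    // client: the embed config in the browser is a UI hint, not a boundary.
    public static async Task<EmbedToken> IssueForUserAsync(
        string aadAccessToken, string userPrincipalName, bool serverSaysCanEdit)
    {
        var credentials = new TokenCredentials(aadAccessToken, "Bearer");
        using (var client = new PowerBIClient(new Uri("https://api.powerbi.com/"), credentials))
        {
            // Effective identity for the embedded user; "Viewer" is a placeholder RLS role.
            var identity = new EffectiveIdentity(
                username: userPrincipalName,
                roles: new List<string> { "Viewer" },
                datasets: new List<string> { DatasetId });

            // The access level baked into the token is enforced by the service,
            // so mint View unless the server-side check explicitly allows editing.
            var request = new GenerateTokenRequest(
                accessLevel: serverSaysCanEdit ? TokenAccessLevel.Edit : TokenAccessLevel.View,
                allowSaveAs: false,
                identities: new List<EffectiveIdentity> { identity });

            return await client.Reports.GenerateTokenInGroupAsync(WorkspaceId, ReportId, request);
        }
    }
}
```

With a View-level token, flipping viewMode or permissions in the browser only changes the UI; the front-end config should simply mirror the token (Permissions.Read, ViewMode.View) for read-only users.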