timker
Frequent Visitor

Re-Embedding a Report with a Different Access Token Shows Previous User Data

I have a report with RLS.

I embed the report with user A's accessToken, and it loads user A's data.

I then re-embed the report with user B, and it loads user A's data instead.

Here is a demo page which shows the issue (you need access to a report with RLS and a way to generate an AccessToken).

I've very slightly modified the default sandbox code.

<html>
<script type="module" src="https://cdn.skypack.dev/@vanillawc/wc-markdown"></script>
<body>
    <wc-markdown>
        <script type="wc-content">
            ### Steps

            1. Get Embed url and Report Id for a report with RLS.
            1. Get AccessToken for a User with RLS
            1. Load Report
            1. Get AccessToken for different user with Different RLS
            1. Load Report
            


            * Expectation: Report Data has changed for the new users
            * Reality: Report Data has not Changed
        </script>
        </wc-markdown>

<div>
    embedUrl:<input type="text" id="embedUrl">
</div>
<div>
    ReportId:<input type="text" id="embedReportId">
</div>
    
<div>
    Access Token:<input type="text" id="accessToken">
</div>

    <button onclick="embedPowerBIReport()">Load Report</button>After Report has loaded, Change the AccessToken to a different AccessToken.
    <div id="embedContainer"></div>
    
    </body>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js" integrity="sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/powerbi-client/2.18.2/powerbi.min.js" integrity="sha512-zYg8edFyKJ6NjrCsaC/q35V3M4wByqLcd4yJihgJIAknN7XT9aLPB23TASrSMP1ndFq/koQHOwjlzZBvTkSe8g==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
    <script >

    let loadedResolve, reportLoaded = new Promise((res, rej) => { loadedResolve = res; });
    let renderedResolve, reportRendered = new Promise((res, rej) => { renderedResolve = res; });

    // Get models. models contains enums that can be used.
    models = window['powerbi-client'].models;

    // Embed a Power BI report in the given HTML element with the given configurations
    // Read more about how to embed a Power BI report in your application here: https://go.microsoft.com/fwlink/?linkid=2153590
    function embedPowerBIReport() {
        // Read embed application token
        // let accessToken = EMBED_ACCESS_TOKEN;
        let accessToken = document.getElementById("accessToken").value;

        // Read embed URL
        // let embedUrl = EMBED_URL;
        let embedUrl = document.getElementById("embedUrl").value;

        // Read report Id
        // let embedReportId = REPORT_ID;
        let embedReportId = document.getElementById("embedReportId").value;

        // Read embed type from radio
        let tokenType = 1;

        // We give All permissions to demonstrate switching between View and Edit mode and saving report.
        let permissions = models.Permissions.All;

        // Create the embed configuration object for the report
        // For more information see https://go.microsoft.com/fwlink/?linkid=2153590
        let config = {
            type: 'report',
            tokenType: tokenType == '0' ? models.TokenType.Aad : models.TokenType.Embed,
            accessToken: accessToken,
            embedUrl: embedUrl,
            id: embedReportId,
            permissions: permissions,
            settings: {
                panes: {
                    filters: {
                        visible: true
                    },
                    pageNavigation: {
                        visible: true
                    }
                }
            }
        };

        // Get a reference to the embedded report HTML element
        let embedContainer = $('#embedContainer')[0];

        // Embed the report and display it within the div container.
        report = powerbi.embed(embedContainer, config);

        // report.off removes all event handlers for a specific event
        report.off("loaded");

        // report.on will add an event handler
        report.on("loaded", function () {
            loadedResolve();
            report.off("loaded");
        });

        // report.off removes all event handlers for a specific event
        report.off("error");

        report.on("error", function (event) {
            console.log(event.detail);
        });

        // report.off removes all event handlers for a specific event
        report.off("rendered");

        // report.on will add an event handler
        report.on("rendered", function () {
            renderedResolve();
            report.off("rendered");
        });
    }

    </script>
</html>
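
A defensive wrapper for the re-embed steps in the post above, added here as an example and not code from the original post or from the powerbi-client project: it calls `powerbi.reset` on the container whenever the viewer identity changes, so a new user's embed starts from an empty container rather than the previous user's iframe. `embedForIdentity`, `identityKey`, the recording service and the token strings are assumptions made for the illustration, and the thread does not confirm whether this avoids the reported behaviour.

```javascript
// Added example (not from the original post). `service` is any object exposing
// powerbi-client's embed(element, config) and reset(element); in a page this
// is the global `powerbi`. `identityKey` is a hypothetical per-user value the
// host application already knows (for example its own user id).
const boundIdentity = new WeakMap(); // container element -> identityKey

function embedForIdentity(service, container, config, identityKey) {
    if (!identityKey) throw new Error("identityKey is required");
    if (!config || !config.accessToken) throw new Error("config.accessToken is required");

    const previous = boundIdentity.get(container);
    const identityChanged = previous !== undefined && previous !== identityKey;
    if (identityChanged) {
        // If reset throws, the old binding stays in place, so the next call
        // attempts the reset again instead of embedding over stale content.
        service.reset(container); // removes the old embed and its iframe
    }
    const report = service.embed(container, config);
    boundIdentity.set(container, identityKey);
    return { report, resetPerformed: identityChanged };
}

// Constructed stand-in for the powerbi service: records calls instead of rendering.
function makeRecordingService() {
    const calls = [];
    return {
        calls,
        reset(el) { calls.push("reset"); },
        embed(el, cfg) { calls.push("embed:" + cfg.accessToken); return { config: cfg }; }
    };
}

// Walks the post's steps in one container: user A, a refreshed token for
// user A, then user B. All values below are constructed placeholders.
function demo() {
    const service = makeRecordingService();
    const container = {}; // stands in for the #embedContainer element
    const base = { type: "report", id: "REPORT_ID_PLACEHOLDER", embedUrl: "EMBED_URL_PLACEHOLDER" };
    embedForIdentity(service, container, { ...base, accessToken: "token-A" }, "user-A");
    embedForIdentity(service, container, { ...base, accessToken: "token-A2" }, "user-A");
    embedForIdentity(service, container, { ...base, accessToken: "token-B" }, "user-B");
    return service.calls;
}
```

In the demo page this would be called as `embedForIdentity(powerbi, embedContainer, config, currentUserId)` in place of the direct `powerbi.embed` call, where `currentUserId` is whatever the host application uses to distinguish its users.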
2 REPLIES
timker
Frequent Visitor

I believe this is a security issue (although very minor).

It would be great to get a reply from the powerbi client team to confirm.

Also to know if it will be fixed, or not fixed (either way is fine, but feedback would be fantastic).

 

Cheers

Tim

V-lianl-msft
Community Support

Thanks for sharing.
