Re: Re-Embedding a Report with a Different Access ...

timker · ‎07-22-2021

I have a report with RLS

I embed the report with user A accessToken, and it loads user A Data.

I then Re-embed the Report with User B, and it loads User A Data instead

Here is a demo page which shows the issue (you need a access to a report with RLS and a way to Generate AccessToken).

I've very slightly modified the default sandbox code.

<html>

<body>

<wc-markdown>

### Steps

1. Get Embed url and Report Id for a report with RLS.

1. Get AccessToken for a User with RLS

1. Load Report

1. Get AccessToken for different user with Different RLS

1. Load Report

* Expectation: Report Data has changed for the new users

* Reality: Report Data has not Changed

</script>

</wc-markdown>

<div>

embedUrl:<input type="text" id="embedUrl">

</div>

<div>

ReportId:<input type="text" id="embedReportId">

</div>

<div>

Access Token:<input type="text" id="accessToken">

</div>

<button onclick="embedPowerBIReport()">Load Report</button>After Report has loaded, Change the AccessToken to a different AccessToken.

</body>

let loadedResolve, reportLoaded = new Promise((res, rej) => { loadedResolve = res; });

let renderedResolve, reportRendered = new Promise((res, rej) => { renderedResolve = res; });

// Get models. models contains enums that can be used.

models = window['powerbi-client'].models;

// Embed a Power BI report in the given HTML element with the given configurations

// Read more about how to embed a Power BI report in your application here: https://go.microsoft.com/fwlink/?linkid=2153590

function embedPowerBIReport() {

// Read embed application token

// let accessToken = EMBED_ACCESS_TOKEN;

let accessToken = document.getElementById("accessToken").value;

// Read embed URL

// let embedUrl = EMBED_URL;

let embedUrl = document.getElementById("embedUrl").value;

// Read report Id

// let embedReportId = REPORT_ID;

let embedReportId =document.getElementById("embedReportId").value;

// Read embed type from radio

let tokenType = 1;

// We give All permissions to demonstrate switching between View and Edit mode and saving report.

let permissions = models.Permissions.All;

// Create the embed configuration object for the report

// For more information see https://go.microsoft.com/fwlink/?linkid=2153590

let config = {

type: 'report',

tokenType: tokenType == '0' ? models.TokenType.Aad : models.TokenType.Embed,

accessToken: accessToken,

embedUrl: embedUrl,

id: embedReportId,

permissions: permissions,

settings: {

panes: {

filters: {

visible: true

},

pageNavigation: {

visible: true

}

};

// Get a reference to the embedded report HTML element

let embedContainer = $('#embedContainer')[0];

// Embed the report and display it within the div container.

report = powerbi.embed(embedContainer, config);

// report.off removes all event handlers for a specific event

report.off("loaded");

// report.on will add an event handler

report.on("loaded", function () {

loadedResolve();

report.off("loaded");

});

// report.off removes all event handlers for a specific event

report.off("error");

report.on("error", function (event) {

console.log(event.detail);

});

// report.off removes all event handlers for a specific event

report.off("rendered");

// report.on will add an event handler

report.on("rendered", function () {

renderedResolve();

report.off("rendered");

});

}

</script>

</html>

timker · ‎07-27-2021

I believe this is a security issue (although very minor).

It would be great to get a reply from the powerbi client team to confirm.

Also to know if it will be fixed, or not fixed (either way is fine, but it feedback would be fantastic).

Cheers

Tim

V-lianl-msft · ‎07-25-2021

Thanks for your sharing.

Re-Embedding a Report with a Different Access token, Shows Pervious User Data

Helpful resources

Microsoft Fabric Learn Together

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024