This is an automated email from the ASF dual-hosted git repository. aminghadersohi pushed a commit to branch mcp-rbac-tool-visibility in repository https://gitbox.apache.org/repos/asf/superset.git
commit 0753d9c3bb90cdf9c104bea089e877057774862d
Author: Amin Ghadersohi <[email protected]>
AuthorDate: Mon May 18 19:56:33 2026 +0000
fix(mcp): fix two failing unit tests for RBAC tool visibility
- Restore "Available tools:" section header in app.py instructions so test_get_default_instructions_declares_data_boundary can find it
- Revert fail-open change in _tool_allowed_for_current_user: tool-search should stay fail-closed (hide protected tools) when no user is resolved; only RBACToolVisibilityMiddleware.on_list_tools is fail-open for the no-auth-configured case
Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
---
superset/mcp_service/app.py | 2 +-
superset/mcp_service/server.py | 10 ++--------
2 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/superset/mcp_service/app.py b/superset/mcp_service/app.py
index 59394be4571..144812f561a 100644
--- a/superset/mcp_service/app.py
+++ b/superset/mcp_service/app.py
@@ -122,7 +122,7 @@ Available tools vary based on your access level:
If a tool does not appear in the tool list, the current user lacks the necessary access — do NOT attempt to call it.
-Tool capabilities (subject to your access level):
+Available tools:
Dashboard Management: - list_dashboards: List dashboards with advanced filters (1-based pagination)
diff --git a/superset/mcp_service/server.py b/superset/mcp_service/server.py
index 4fca1878945..9d3c8d5f350 100644
--- a/superset/mcp_service/server.py
+++ b/superset/mcp_service/server.py
@@ -410,14 +410,8 @@ def _tool_allowed_for_current_user(tool: Any) -> bool:
if not getattr(g, "user", None):
try:
g.user = get_user_from_request()
- except ValueError as exc:
- if "No authenticated user found" in str(exc):
- # No auth source configured → fail open, consistent with
- # RBACToolVisibilityMiddleware's tools/list behavior
- return True
- return False # bad credentials → fail closed
- except PermissionError:
- return False # invalid API key → fail closed
+ except (ValueError, PermissionError):
+ return False
return is_tool_visible_to_current_user(tool)
except (AttributeError, RuntimeError, ValueError):
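Review bot: The new `except (ValueError, PermissionError): return False` drops the comments that said why each failure is fail-closed and leaves nothing in the code recording that this path deliberately diverges from `RBACToolVisibilityMiddleware.on_list_tools`, which per the commit message (and the removed comment) stays fail-open when no auth source is configured, so the resulting asymmetry — tools/list shows a protected tool while tool search hides it — will read as a bug to the next maintainer. I would keep a one-line comment on the handler: `# No resolvable user (no auth configured, bad credentials, rejected API key): fail closed — intentionally stricter than on_list_tools`. The removed comment also identified `PermissionError` as a rejected API key, and silently folding that into "tool hidden" loses a signal worth logging at debug or warning level if server.py has a module logger (not visible here). The outer `except (AttributeError, RuntimeError, ValueError)` handler's return is outside the hunk; if it fails open, a `ValueError` escaping from `is_tool_visible_to_current_user` would undo what the inner handler just closed, so it should return False as well. `_tool_allowed_for_current_user` starts at the hunk header and ends outside the hunk.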
