This is an automated email from the ASF dual-hosted git repository.

aminghadersohi pushed a commit to branch mcp-rbac-tool-visibility
in repository https://gitbox.apache.org/repos/asf/superset.git

commit 0753d9c3bb90cdf9c104bea089e877057774862d
Author: Amin Ghadersohi <[email protected]>
AuthorDate: Mon May 18 19:56:33 2026 +0000

    fix(mcp): fix two failing unit tests for RBAC tool visibility
    
    - Restore "Available tools:" section header in app.py instructions so
      test_get_default_instructions_declares_data_boundary can find it
    - Revert fail-open change in _tool_allowed_for_current_user: tool-search
      should stay fail-closed (hide protected tools) when no user is resolved;
      only RBACToolVisibilityMiddleware.on_list_tools is fail-open for the
      no-auth-configured case
    
    Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
---
 superset/mcp_service/app.py    |  2 +-
 superset/mcp_service/server.py | 10 ++--------
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/superset/mcp_service/app.py b/superset/mcp_service/app.py
index 59394be4571..144812f561a 100644
--- a/superset/mcp_service/app.py
+++ b/superset/mcp_service/app.py
@@ -122,7 +122,7 @@ Available tools vary based on your access level:
 If a tool does not appear in the tool list, the current user lacks the
 necessary access — do NOT attempt to call it.
 
-Tool capabilities (subject to your access level):
+Available tools:
 
 Dashboard Management:
 - list_dashboards: List dashboards with advanced filters (1-based pagination)
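Review bot: the header wording here is being reshaped to satisfy a substring assertion in test_get_default_instructions_declares_data_boundary, which couples the instructions prose to the test; the dropped caveat "(subject to your access level)" is now carried only by the earlier context line "Available tools vary based on your access level:" and the "do NOT attempt to call it" sentence. Consider either keeping the caveat on the line directly under the restored "Available tools:" header, or having the test assert on the boundary statement itself rather than on an exact section header, so future wording edits do not break it again.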
diff --git a/superset/mcp_service/server.py b/superset/mcp_service/server.py
index 4fca1878945..9d3c8d5f350 100644
--- a/superset/mcp_service/server.py
+++ b/superset/mcp_service/server.py
@@ -410,14 +410,8 @@ def _tool_allowed_for_current_user(tool: Any) -> bool:
         if not getattr(g, "user", None):
             try:
                 g.user = get_user_from_request()
-            except ValueError as exc:
-                if "No authenticated user found" in str(exc):
-                    # No auth source configured → fail open, consistent with
-                    # RBACToolVisibilityMiddleware's tools/list behavior
-                    return True
-                return False  # bad credentials → fail closed
-            except PermissionError:
-                return False  # invalid API key → fail closed
+            except (ValueError, PermissionError):
+                return False
 
         return is_tool_visible_to_current_user(tool)
     except (AttributeError, RuntimeError, ValueError):
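Review bot: the collapsed `except (ValueError, PermissionError): return False` loses the inline rationale that the deleted branches carried, and the fail-closed choice here deliberately differs from RBACToolVisibilityMiddleware.on_list_tools, so a reader of server.py alone can no longer tell that the asymmetry is intentional. Add a one-line comment on the new handler, e.g. `# No resolvable user (no auth configured or bad credentials): fail closed; tool-search is intentionally stricter than on_list_tools`, and since this behaviour has now flipped twice in this branch, a unit test pinning the no-auth-configured case to "protected tools hidden" would stop it from regressing. Note also that the enclosing `except (AttributeError, RuntimeError, ValueError):` catches ValueError as well; the inner handler now returns before it, which is correct, but a comment stating that the inner one is the intended path for user-resolution failures would make the layering explicit.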
