This is an automated email from the ASF dual-hosted git repository.

aminghadersohi pushed a commit to branch work-pr-39604
in repository https://gitbox.apache.org/repos/asf/superset.git

commit 85da5d227a4ef8729efde0d7baeb2eef22972173
Author: Amin Ghadersohi <[email protected]>
AuthorDate: Fri May 8 14:47:58 2026 -0400

    fix(security): drop redundant explicit ApiKey perm creation
    
    ``superset init`` calls ``appbuilder.add_permissions(update_perms=True)``
    before ``sync_role_definitions()`` (cli/main.py:84), which forces FAB to
    walk all registered baseviews — including ``ApiKeyApi`` (registered when
    ``FAB_API_KEY_ENABLED=True``) — and create their PVMs via
    ``add_permissions_view``. The explicit ``add_permission_view_menu`` calls
    in ``create_custom_permissions`` were redundant.
    
    With ``"ApiKey"`` already in ``ADMIN_ONLY_VIEW_MENUS``, the role
    predicate ``_is_admin_only`` gates the auto-created PVMs to Admin.
    
    Per Daniel Gaspar's review: "Adding ApiKey to ADMIN_ONLY_VIEW_MENUS
    should just work when FAB_API_KEY_ENABLED is True".
---
 superset/security/manager.py | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/superset/security/manager.py b/superset/security/manager.py
index 19a8cf8c522..5da6e9ced97 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -1426,15 +1426,6 @@ class SupersetSecurityManager(  # pylint: 
disable=too-many-public-methods
         self.add_permission_view_menu("can_tag", "Chart")
         self.add_permission_view_menu("can_tag", "Dashboard")
 
-        # API Key permissions (FAB's ApiKeyApi blueprint).
-        # Superset uses AppBuilder(update_perms=False) so FAB skips
-        # permission creation during blueprint registration. Create them
-        # explicitly here so that ``superset init`` picks them up and
-        # sync_role_definitions assigns them to the Admin role.
-        if current_app.config.get("FAB_API_KEY_ENABLED", False):
-            for perm in ("can_list", "can_create", "can_get", "can_delete"):
-                self.add_permission_view_menu(perm, "ApiKey")
-
     def create_missing_perms(self) -> None:
         """
         Creates missing FAB permissions for datasources, schemas and metrics.
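Review bot: After this deletion, creation of the ApiKey PVMs depends entirely on `superset init` being run while `FAB_API_KEY_ENABLED` is true, since the removed lines were the only path that created `can_list`/`can_create`/`can_get`/`can_delete` on `ApiKey` independently of FAB's `update_perms` walk; an operator who enables the flag after init would have no ApiKey permissions (and thus no Admin gating to verify) until init is rerun. Consider noting that in the docs or the config comment for the flag, and adding a test that runs init with the flag set and asserts the four PVMs exist and are assigned only to Admin, because the commit message relies on `"ApiKey"` being in `ADMIN_ONLY_VIEW_MENUS`, which this hunk does not show.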
