This is an automated email from the ASF dual-hosted git repository.

hainenber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new b8c0171976d test(rls): assert related/subjects honors search filter 
for roles (#31466) (#41969)
b8c0171976d is described below

commit b8c0171976d37c91efdc6cbf42e148ffd244589b
Author: Evan Rusackas <[email protected]>
AuthorDate: Sun Jul 12 06:22:39 2026 -0700

    test(rls): assert related/subjects honors search filter for roles (#31466) 
(#41969)
    
    Co-authored-by: Claude Code <[email protected]>
---
 .../security/row_level_security_tests.py           | 51 ++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/tests/integration_tests/security/row_level_security_tests.py 
b/tests/integration_tests/security/row_level_security_tests.py
index e2f46ae0dcf..ac5fbce4453 100644
--- a/tests/integration_tests/security/row_level_security_tests.py
+++ b/tests/integration_tests/security/row_level_security_tests.py
@@ -492,6 +492,57 @@ class TestRowLevelSecurityWithRelatedAPI(SupersetTestCase):
         assert data["count"] > 0
         assert len(result) > 0
 
+    def test_rls_subjects_related_api_honors_filter_31466(self):
+        """
+        Regression for #31466: with more than 100 roles the RLS picker could
+        not see or select roles beyond the first (default) page of 100 because
+        the ``related/roles`` endpoint silently ignored the search ``filter``
+        term. The RLS subject/role picker now lives at ``related/subjects``,
+        and this test asserts the search term actually narrows the result to
+        matching subjects, so any role remains reachable by name regardless of
+        how many roles exist.
+        """
+        self.login(ADMIN_USERNAME)
+
+        # A role label that cannot collide with the built-in roles/subjects
+        # (Admin, Public, Alpha, Gamma, sql_lab, ...).
+        unique_marker = "zzz_rls_31466"
+        role_name = f"{unique_marker}_special_role"
+        role = security_manager.add_role(role_name)
+        db.session.commit()
+        subject = _subject_for_role(role)
+        db.session.commit()
+
+        # Ensure ROLE-type subjects are visible in the RLS picker (the scenario
+        # from #31466, where roles drive RLS). This is what the original
+        # ``related/roles`` endpoint used to serve unconditionally.
+        original_types = self.app.config.get("SUBJECTS_RELATED_TYPES_RLS")
+        self.app.config["SUBJECTS_RELATED_TYPES_RLS"] = [SubjectType.ROLE]
+        try:
+            params = rison.dumps({"filter": unique_marker, "page": 0, 
"page_size": 100})
+            rv = self.client.get(
+                f"/api/v1/rowlevelsecurity/related/subjects?q={params}"
+            )
+            assert rv.status_code == 200
+            data = json.loads(rv.data.decode("utf-8"))
+            received = {r["text"] for r in data["result"]}
+
+            # The role must be findable via the search term ...
+            assert role_name in received
+            # ... and the filter must narrow the result to matching subjects
+            # only. If the search term were ignored (the #31466 bug), other
+            # roles that do not contain the marker would leak through and this
+            # assertion would fail.
+            assert all(unique_marker in text for text in received), (
+                "related/subjects ignored the filter term and returned "
+                f"non-matching subjects: {sorted(received)}"
+            )
+        finally:
+            self.app.config["SUBJECTS_RELATED_TYPES_RLS"] = original_types
+            db.session.delete(subject)
+            db.session.delete(role)
+            db.session.commit()
+
     @pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
     @pytest.mark.usefixtures("load_energy_table_with_slice")
     @mock.patch(

Reply via email to