dosubot[bot] commented on issue #35939: URL: https://github.com/apache/superset/issues/35939#issuecomment-3475719071
This issue is almost always caused by the remote user middleware assigning a user object to `g.user` that is not a fully loaded SQLAlchemy User model with roles eagerly loaded from the database. Superset’s permission checks for admin-only views like "List Users" require that the user object (on `g.user`) has a complete `.roles` relationship; if roles are missing or not loaded, access is denied—even if `active` and `is_authenticated` are `True` and the user appears to have the Admin role in logs. This is a silent failure and won’t show up in logs by default [reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py).

To debug, add a log statement in your middleware or just before the permission check to print out the user object and its roles, for example:

```python
import logging

from flask import g

# Log the current user object and whatever is on its roles attribute (None if never loaded)
logging.warning("User: %r, roles: %r", g.user, getattr(g.user, "roles", None))
```

If `roles` is empty or not a list of Role objects, you need to fetch the user from the database on every request, making sure to eager-load roles. For example:

```python
from superset.extensions import db, security_manager

# `username` is the identity supplied by your remote user mechanism for this request
user = db.session.query(security_manager.user_model).filter_by(username=username).first()
# Optionally: db.session.refresh(user)
```

Make sure your middleware always sets `g.user` to this fully loaded user object, not a stub or partial object. This pattern is required for all custom/remote user setups in Superset 5.0.0 [reference](https://github.com/apache/superset/discussions/33877). Also, after any upgrade or role mapping change, run `superset init` to sync permissions and roles in the database [reference](https://github.com/apache/superset/blob/master/docs/docs/configuration/configuring-superset.mdx).
If you’re using external authentication (OIDC, LDAP, etc.), double-check your `AUTH_ROLES_MAPPING` and `AUTH_ROLES_SYNC_AT_LOGIN` settings to ensure the Admin role is actually assigned in the backend database, not just in the frontend or session [reference](https://github.com/apache/superset/discussions/34659). Let me know if you want a code snippet for a robust remote user loader!
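As an added, runnable sketch of the loader and check pattern the comment describes (this is not Superset or Flask-AppBuilder code): `Role`/`User` are constructed stand-ins for the FAB models, `USERS` is a constructed in-memory store in place of `db.session`, and `X-Remote-User` is an assumed header name. It shows why a stub user with an unloaded `roles` relationship fails the role test, and how a per-request loader re-fetches the user and reports the failure reason instead of silently denying.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for the Flask-AppBuilder Role/User models (not the real classes).
@dataclass
class Role:
    name: str

@dataclass
class User:
    username: str
    active: bool = True
    # None models a relationship that was never loaded (the "stub" case from the comment).
    roles: Optional[List[Role]] = field(default_factory=list)

# Constructed in-memory store; in Superset this is db.session + security_manager.user_model.
USERS: Dict[str, User] = {
    "alice": User("alice", roles=[Role("Admin"), Role("Gamma")]),
    "bob": User("bob", roles=[Role("Gamma")]),
    "carol": User("carol", active=False, roles=[Role("Admin")]),
}

def check_roles_loaded(user) -> Optional[str]:
    """Return why a permission check would silently fail, or None if roles are usable."""
    roles = getattr(user, "roles", None)
    if roles is None:
        return "roles relationship not loaded"
    if not isinstance(roles, list) or not all(isinstance(r, Role) for r in roles):
        return "roles is not a list of Role objects"
    if not roles:
        return "roles is empty"
    return None

def has_role(user, role_name: str) -> bool:
    # Unloaded or malformed roles never grant access; they are reported, not guessed around.
    return check_roles_loaded(user) is None and any(r.name == role_name for r in user.roles)

def load_request_user(headers: Dict[str, str], lookup: Callable[[str], Optional[User]],
                      header_name: str = "X-Remote-User"):
    """Per-request loader: re-fetch the user via `lookup` instead of reusing a stub built from
    the header (which must be set by an authenticating proxy). Returns (user or None, reason)."""
    username = headers.get(header_name)
    if not username:
        return None, "no remote user header"
    user = lookup(username)
    if user is None or not user.active:
        return None, "unknown or inactive user"
    reason = check_roles_loaded(user)
    return (None, reason) if reason else (user, "ok")  # the value g.user should receive
```

In a real middleware the `lookup` callable would be the `db.session.query(security_manager.user_model)` call from the comment, and the returned user is what gets assigned to `g.user`.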
