GitHub user dosubot[bot] added a comment to the discussion: how to use superset user as guest user in order to hide queries
Superset only applies guest user restrictions (like hiding queries) when a user is authenticated with a guest token. Just loading Superset in an iframe or logging in as a regular/anonymous user does not trigger these restrictions—even if you’re not using the embedded SDK. The embedded dashboard view in Superset logs users in as anonymous users, not guest users, so queries and other sensitive info are not hidden by default in this scenario ([source](https://github.com/apache/superset/blob/master/superset/embedded/view.py)).

To get guest user behavior (with queries hidden) without the embedded SDK, you need to manually implement the guest token flow: generate a guest token on your backend (by POSTing to `/security/guest_token`), pass it to the iframe (for example, via `postMessage`), and have the embedded Superset frontend receive and use it for authentication ([source](https://github.com/apache/superset-embedded-sdk/README.md), [source](https://github.com/apache/superset/blob/master/superset-frontend/src/embedded/index.tsx)). This is essentially what the embedded SDK automates, but you can replicate it yourself if you don’t want to use the SDK.

There’s no built-in config or code change in Superset to automatically treat iframe users as guest users without using the guest token mechanism. If you want to proceed manually, check out the guest token API and the frontend code that listens for the guest token in the embedded dashboard ([source](https://github.com/apache/superset/blob/master/superset-frontend/src/embedded/index.tsx)).

GitHub link: https://github.com/apache/superset/discussions/35943#discussioncomment-14863289
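
An added example, not part of the comment above and not Superset's own code: the backend step of the guest token flow, building the POST for a single dashboard and then checking the returned token's scope before it is handed to the iframe. Assumptions to verify against your Superset version: the `/api/v1` prefix, the request fields `user`/`resources`/`rls`, and the token claims `type`/`resources`/`exp`; all function names are hypothetical and the sample token helper produces a constructed, unsigned value.

```python
import base64
import json
import time
import urllib.request

# Assumption: REST prefix for the `/security/guest_token` endpoint named above.
GUEST_TOKEN_PATH = "/api/v1/security/guest_token/"

def build_guest_token_request(base_url, access_token, dashboard_uuid, username):
    """Build (not send) the backend POST that asks Superset for a guest token."""
    body = {
        "user": {"username": username},
        # Least privilege: exactly one dashboard, nothing else.
        "resources": [{"type": "dashboard", "id": dashboard_uuid}],
        "rls": [],  # row-level security clauses go here if needed
    }
    return urllib.request.Request(
        base_url.rstrip("/") + GUEST_TOKEN_PATH,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def scope_problems(token, dashboard_uuid, max_ttl=600, now=None):
    """Return reasons the token should not be passed to the browser."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("type") != "guest":
        problems.append("not a guest token")
    if claims.get("resources") != [{"type": "dashboard", "id": dashboard_uuid}]:
        problems.append("resources differ from the one dashboard")
    if not now < claims.get("exp", 0) <= now + max_ttl:
        problems.append("expired or lifetime too long")
    return problems

def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo (placeholder signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"
```

The access token used for the POST stays on the backend; only the guest token that passes `scope_problems` should reach the page hosting the iframe.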
