dosubot[bot] commented on issue #36186: URL: https://github.com/apache/superset/issues/36186#issuecomment-3552821071
Hi @akerkau! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

The 302 redirect from `/superset/log` to `/login` happens because the `/superset/log` endpoint requires authentication via the `@has_access` decorator. In embedded mode, if the request doesn't include a valid guest token (or session cookie) that maps to a role with the necessary permissions, Superset treats the request as unauthenticated and redirects to `/login`—which in your setup leads to a 403 since `/login` is restricted. This is not a CSRF issue: `/superset/log` is already exempt from CSRF checks by default.

To resolve this, make sure that:

- The embedded SDK sends the guest token (using the `X-GuestToken` header) with all requests, including those to `/superset/log`.
- The role specified by `GUEST_ROLE_NAME` (in your case, `"Embedded"`) has the necessary permissions to access the `Superset` view and the `log` endpoint. You may need to grant the "can access on Superset" or similar permissions to your embedded/guest role in Superset's security settings.

If the guest token is missing or the role lacks permissions, the request will always redirect to `/login` regardless of CSRF settings. You do not need to expose `/login`—just ensure the guest token flow and permissions are correct for embedded users.

For more details, see the relevant code and discussion [here](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/views/core.py#L865-L871) and [here](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L241-L2816).
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
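To check the two conditions named in the comment above from outside the browser, the following Python script is an added example for this thread (it is not Superset project code and not part of the bot's reply). It POSTs to `/superset/log/` with the guest token in the `X-GuestToken` header, refuses to follow redirects so the 302 itself is visible, and classifies the result. It assumes the guest token is a JWT whose payload carries `exp` and `type` claims (Superset's guest tokens do, and the server verifies the signature; the script only reads the claims for diagnosis). The helper `make_unsigned_token` builds a constructed, unsigned token purely so the classifier can be exercised offline.

```python
"""Probe Superset's /superset/log endpoint with a guest token and explain a
302 to /login. Added example for this thread; not Superset project code.

Assumptions (not stated in the comment above): the guest token is a JWT whose
payload carries "exp" and "type" claims, the SDK sends it in the X-GuestToken
header, and a 302 whose Location points at /login means Superset saw no
usable credential on the request.
"""
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Optional

# Path the comment names; the frontend logger POSTs form-encoded events here.
LOG_PATH = "/superset/log/"


def guest_token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Enough to inspect 'exp' and 'type' on the client side. Superset verifies
    the signature with GUEST_TOKEN_JWT_SECRET, so never use these unverified
    claims for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(status: int, location: Optional[str], claims: dict, now: float) -> str:
    """Map the raw HTTP result of a /superset/log request to a likely cause."""
    if status == 302 and location and "/login" in location:
        if claims.get("exp", 0) <= now:
            return "guest token expired: fetchGuestToken must return a fresh token"
        if claims.get("type") != "guest":
            return "token is not a guest token (missing type=guest claim)"
        return ("guest token rejected or not sent: check the X-GuestToken header "
                "and the permissions of the GUEST_ROLE_NAME role")
    if status == 200:
        return "ok"
    return f"unexpected status {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 302s; the redirect itself is the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_log_endpoint(base_url: str, token: str, now: Optional[float] = None) -> str:
    """POST an empty event batch to /superset/log with the guest token and
    classify the response. This is the only network call in the file."""
    now = time.time() if now is None else now
    req = urllib.request.Request(
        base_url.rstrip("/") + LOG_PATH,
        data=b"events=[]",
        headers={
            "X-GuestToken": token,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 302 lands here because we refuse to follow it
        status, location = err.code, err.headers.get("Location")
    return classify(status, location, guest_token_claims(token), now)


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token for offline demonstration only.
    A real guest token is signed by Superset's POST /api/v1/security/guest_token/."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    import sys
    # usage: python probe_log.py https://superset.example.com <guest-token>
    print(probe_log_endpoint(sys.argv[1], sys.argv[2]))
```

Run it with the same token the SDK's `fetchGuestToken` callback hands to the browser. If the script reports `ok` but the dashboard still logs 302s, the SDK is not attaching the header on that request; if it reports a rejection with a fresh, well-formed token, look at the permissions of the `GUEST_ROLE_NAME` role. Note that guest tokens are short-lived (`GUEST_TOKEN_JWT_EXP_SECONDS` in Superset's config), so a token that passes here may already be expired by the time a long-running embed posts its next log batch.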
