HJulio opened a new issue, #37061:
URL: https://github.com/apache/superset/issues/37061
### Bug description
## Summary
When viewing an **embedded dashboard** using a **guest token**, attempting
to **sort a table chart by clicking a column header** causes the chart to fail
with a **“Data error”** message. The error shown is:
> Guest user cannot modify chart payload.
This makes sorting unusable for guest users in embedded contexts.
## Environment
- Superset version: 6.0.0
- Deployment: Self-hosted
- Database: BigQuery
- Browser: Chrome
- Embedding method: Dashboard embedded via **guest token** (JWT)
- Chart type: Table chart (in a dashboard)
## Steps to reproduce
1. Generate a **guest token** for a role/user that has access to the
embedded dashboard.
2. Open the **embedded dashboard** as a guest user.
3. Locate a **table chart** in the dashboard.
4. Click on any **column header** to sort (ASC/DESC).
## Actual result
- The chart displays a **Data error** popup / error state.
- Error message: **“Guest user cannot modify chart payload.”**
- Sorting does not work for guest users.
## Expected result
Guest users should be able to sort table columns in embedded dashboards
(client-side and/or server-side), without triggering permission errors.
## Additional notes
- This happens consistently (100% repro) for guest users in embedded mode.
- Sorting works as expected when logged in as a normal (non-guest) user.
- Two screenshots will be attached:
  1) The embedded dashboard/table before sorting
  2) The error after clicking a column header
### Server Side Exception
```
2026-01-12 16:57:48,567:WARNING:superset.views.error_handling:SupersetErrorException
Traceback (most recent call last):
  File "/app/.venv/lib/python3.11/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.venv/lib/python3.11/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.venv/lib/python3.11/site-packages/flask_appbuilder/security/decorators.py", line 109, in wraps
    return f(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/superset/views/base_api.py", line 120, in wraps
    duration, response = time_function(f, self, *args, **kwargs)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/superset/utils/core.py", line 1410, in time_function
    response = func(*args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/app/superset/utils/log.py", line 304, in wrapper
    value = f(*args, **kwargs)
            ^^^^^^^^^^^^^^^^^^
  File "/app/superset/charts/data/api.py", line 239, in data
    command.validate()
  File "/app/superset/commands/chart/data/get_data_command.py", line 73, in validate
    self._query_context.raise_for_access()
  File "/app/superset/common/query_context.py", line 139, in raise_for_access
    self._processor.raise_for_access()
  File "/app/superset/common/query_context_processor.py", line 1246, in raise_for_access
    security_manager.raise_for_access(query_context=self._query_context)
  File "/app/superset/security/manager.py", line 2406, in raise_for_access
    raise SupersetSecurityException(
superset.exceptions.SupersetSecurityException: Guest user cannot modify chart payload
```
## Attachments
- Screenshot 1: (before sorting)
- Screenshot 2: (error “Guest user cannot modify chart payload”)
<img width="1279" height="397" alt="Image"
src="https://github.com/user-attachments/assets/4c5f081b-f779-49b6-9488-bf3d45f7f26f"
/>
<img width="1345" height="471" alt="Image"
src="https://github.com/user-attachments/assets/2c7b2d93-2bc4-4b4e-b1dd-8702f76ad785"
/>
### Screenshots/recordings
_No response_
### Superset version
master / latest-dev
### Python version
3.11
### Node version
I don't know
### Browser
Chrome
### Additional context
_No response_
### Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to
my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug
report.
- [x] I have checked Superset's logs for errors and if I found a relevant
Python stacktrace, I included it here as text in the "additional context"
section.