GitHub user raunaksingwi created a discussion: Historical RLS Cache Regression (#9689) caught by Ravi in Seconds
Hey Superset community! :wave:

I recently ran an experiment on a known historical regression in Superset.

Back in April 2020, a small, reasonable-looking PR ([#9689](https://github.com/apache/superset/pull/9689)) was merged. It gated Row Level Security (RLS) behind the ENABLE_ROW_LEVEL_SECURITY flag and fixed serialization issues with annotation data sources.

The regression it introduced: it made the rls key in query cache keys inconsistent across code paths.

- In some files (e.g., viz.py), the rls part was only added if the flag was True.
- In others (e.g., QueryContext), it was always included.

This broke cache key determinism: the same query + context could produce different keys depending on the path.

Impact (in a multi-tenant prod setup with RLS + caching enabled):

- Data leakage risk: users with different RLS permissions could share cached results → restricted users see data they shouldn't.
- Incorrect / inconsistent data: charts show stale or wrong results across users/sessions.
- Hard-to-debug issues: "Why do different users/teammates see different numbers?"

The community fixed it fast: [#9705](https://github.com/apache/superset/pull/9705) was merged the next day, standardizing the rls key (always present, even empty) to restore consistency.

For the experiment, I recreated the original [#9689](https://github.com/raunaksingwi/apache-superset/pull/1) diff in my [fork](https://github.com/raunaksingwi/apache-superset/pull/1) and ran an AI code review agent called [Ravi](https://ravi.app/) on it. [Ravi](https://ravi.app/) immediately caught the cache-key inconsistency + potential security risk, and suggested fixes (exactly what the community actually did).

[Ravi](https://ravi.app/) is a GitHub app I built, focused on spotting correctness, security, perf, and architectural issues; completely free for open source projects. I'd be happy to share the recreation details, show how Ravi flagged it, or help anyone try it on their own PRs.
Zero cost, just community feedback to improve it. Curious if others would find it useful for upcoming changes in the repo. Let me know! :rocket:

Thanks,
Raunak

GitHub link: https://github.com/apache/superset/discussions/37094
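An added illustration of the cache-key determinism point above; this is not Superset's code nor anything from the original post. It models the regressed derivation (rls included only on one path when the flag is on) next to the always-include-rls form, and the invariant a regression test would enforce. The query string, filter clauses and function names are constructed.

```python
import hashlib
import json

# Constructed illustration, not Superset's code: two simplified cache-key
# derivations that mirror the #9689 regression and the #9705 fix.

def _digest(cache_dict):
    """Stable hash of the dict that identifies a cached query result."""
    blob = json.dumps(cache_dict, sort_keys=True).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()

def cache_key_before_fix(query, rls_filters, rls_enabled, path):
    """Regressed derivation: the 'viz' path adds 'rls' only when the
    feature flag is on, while the 'query_context' path always adds it."""
    cache_dict = {"query": query}
    if path == "viz":
        if rls_enabled:
            cache_dict["rls"] = rls_filters
    elif path == "query_context":
        cache_dict["rls"] = rls_filters
    else:
        raise ValueError(f"unknown path: {path}")
    return _digest(cache_dict)

def cache_key_after_fix(query, rls_filters, rls_enabled, path):
    """Fixed derivation: 'rls' is always present (empty when RLS is off),
    so the key no longer depends on which code path built it."""
    del path  # the key must not depend on the caller
    cache_dict = {"query": query, "rls": rls_filters if rls_enabled else []}
    return _digest(cache_dict)

def key_is_deterministic_and_scoped(derive, rls_enabled):
    """Invariant a regression test should enforce: the same query and RLS
    context yields the same key on every path, and two users whose RLS
    filters differ never share a key while RLS is on. True if both hold."""
    query = "SELECT region, SUM(sales) FROM orders GROUP BY region"
    user_a = [{"clause": "region = 'EMEA'"}]  # constructed RLS filter
    user_b = [{"clause": "region = 'APAC'"}]  # constructed RLS filter
    same_context = {derive(query, user_a, rls_enabled, p)
                    for p in ("viz", "query_context")}
    if len(same_context) != 1:
        return False  # path-dependent key: one path misses or overwrites the other
    if rls_enabled:
        return (derive(query, user_a, True, "viz")
                != derive(query, user_b, True, "viz"))
    return True
```

Running the invariant against both derivations shows the regressed one fails only when the flag is off, which is exactly the case where the two code paths disagree.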
