dosubot[bot] commented on issue #37359: URL: https://github.com/apache/superset/issues/37359#issuecomment-3783553596
<!-- Answer --> This regression happens because RLS is applied twice for guest users with embedded dashboards using virtual datasets: once by wrapping the underlying table in a subquery with RLS predicates (`apply_rls()`), and again by adding RLS filters to the outer query (`get_sqla_row_level_filters()`). This double application leads to SQL alias mismatches and errors, since the outer WHERE clause references an alias that doesn't exist after the subquery rewrite. The pattern is nearly identical to the previously fixed double time filter bug (PR #35890). There’s currently no config workaround except using physical datasets, which isn’t always practical. No open PR or issue addresses this regression yet, so a fix will likely require logic to prevent RLS from being applied twice in this scenario—potentially by detecting when RLS has already been pushed down into the subquery and skipping the outer filter application. You can review the relevant code and logic in [models/helpers.py](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/models/helpers.py#L1073-L2117) and [superset/utils/rls.py](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/utils/rls.py#L32-L115). <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/42b04683-9982-406d-8809-74837d2c8fe0?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/42b04683-9982-406d-8809-74837d2c8fe0?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/42b04683-9982-406d-8809-74837d2c8fe0?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/42b04683-9982-406d-8809-74837d2c8fe0?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/42b04683-9982-406d-8809-74837d2c8fe0?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/42b04683-9982-406d-8809-74837d2c8fe0?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/42b04683-9982-406d-8809-74837d2c8fe0?feedback_type=other)</sup> [](https://app.dosu.dev/a28d3c7e-a9d3-459e-9fb6-3a6f9ff4f357/ask?utm_source=github) [](https://cursor.com/link/prompt?text=This%20regression%20happens%20because%20RLS%20is%20applied%20twice%20for%20guest%20users%20with%20embedded%20dashboards%20using%20virtual%20datasets%3A%20once%20by%20wrapping%20the%20underlying%20table%20in%20a%20subquery%20with%20RLS%20predicates%20%28%60apply_rls%28%29%60%29%2C%20and%20again%20by%20adding%20RLS%20filters%20to%20the%20outer%20query%20%28%60get_sqla_row_level_filters%28%29%60%29.%20This%20double%20application%20leads%20to%20SQL%20alias%20mismatches%20and%20errors%2C%20since%20the%20outer%20WHERE%20clause%20references%20an%20alias%20that%20doesn%27t%20exist%20after%20the%20subquery%20rewrite.%20The%20pattern%20is%20nearly%20identical%20to%20the%20previously%20fixed%20double%20time%20filter%20bug%20%28PR%20%2335890%29.%20There%E2%80% 99s%20currently%20no%20config%20workaround%20except%20using%20physical%20datasets%2C%20which%20isn%E2%80%99t%20always%20practical.%20No%20open%20PR%20or%20issue%20addresses%20this%20regression%20yet%2C%20so%20a%20fix%20will%20likely%20require%20logic%20to%20prevent%20RLS%20from%20being%20applied%20twice%20in%20this%20scenario%E2%80%94potentially%20by%20detecting%20when%20RLS%20has%20already%20been%20pushed%20down%20into%20the%20subquery%20and%20skipping%20the%20outer%20filter%20application.%20%20%0AYou%20can%20review%20the%20relevant%20code%20and%20logic%20in%20%5Bmodels/helpers.py%5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/models/helpers.py%23L1073-L2117%29%20and%20%5Bsuperset/utils/rls.py%5D%28https%3A//github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/utils/rls.py%23L32-L115%29.) [](https://go.dosu. dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/superset/issues/37359) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
