vikash7485 opened a new pull request, #38309:
URL: https://github.com/apache/superset/pull/38309

   ## Summary
   
   Fixes a regression in Superset v6 where `GET /api/v1/dashboard/{id}/datasets` returns 403 Forbidden for requests authenticated with a valid guest token, breaking embedded dashboard rendering.
   
   ## Root Cause
   
   `get_datasets` did not catch `DashboardAccessDeniedError` or `DashboardNotFoundError`, unlike the sibling endpoints `get_charts` and `get_tabs`. Access errors in `DashboardDAO.get_datasets_for_dashboard` → `raise_for_access()` propagated as unhandled exceptions rather than clean HTTP responses.
   
   Additionally, the guest token JWT configuration (`GUEST_TOKEN_JWT_ALGO`, `GUEST_TOKEN_JWT_SECRET`) is independent of Flask-JWT-Extended's `JWT_ALGORITHM`. The warning log now surfaces this explicitly when token parsing fails.
   
   ## Changes
   
   - `superset/dashboards/api.py`: catch `DashboardAccessDeniedError` → 403 and `DashboardNotFoundError` → 404 in `get_datasets`, matching `get_charts` and `get_tabs`
   - `superset/security/manager.py`: improve guest token parse failure log to call out JWT algorithm misconfiguration
   - `tests/integration_tests/dashboards/api_tests.py`: add regression test using real `X-GuestToken` header (prior test mocked `is_guest_user`)
   - `UPDATING.md`: document independent guest token JWT config under 6.0.0
   
   ## Testing
   
   ```bash
   pytest tests/integration_tests/dashboards/api_tests.py -k "datasets" -xvs
   ```
   
   Fixes #38185


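To illustrate the configuration point in the pull request above, here is an added standard-library Python example (not Superset's code and not part of the PR): a token signed under the guest-token settings is rejected when the verifier is configured with a different algorithm, and the failure reason names the mismatch so it can be logged. The helper names, secret and claims are constructed for illustration; only the setting names `GUEST_TOKEN_JWT_ALGO` and `GUEST_TOKEN_JWT_SECRET` come from the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; only the two setting names appear in the PR text.
GUEST_TOKEN_JWT_SECRET = "constructed-guest-secret"
GUEST_TOKEN_JWT_ALGO = "HS256"
_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_guest_token(claims: dict, secret: str, algo: str) -> str:
    """Hypothetical helper: build a compact HMAC-signed JWT."""
    header = _b64url(json.dumps({"alg": algo, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{body}".encode(), _DIGESTS[algo])
    return f"{header}.{body}.{_b64url(mac.digest())}"


def parse_guest_token(token: str, secret: str, expected_algo: str):
    """Hypothetical verifier: return (claims, None) or (None, reason)."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        token_algo = header.get("alg")
        # Pin the algorithm to the configured value; never accept the header's choice.
        if token_algo != expected_algo:
            return None, f"algorithm mismatch: token={token_algo!r} configured={expected_algo!r}"
        signed = f"{header_b64}.{body_b64}".encode()
        mac = hmac.new(secret.encode(), signed, _DIGESTS[expected_algo])
        if not hmac.compare_digest(mac.digest(), _unb64url(sig_b64)):
            return None, "signature mismatch: check the guest token secret"
        return json.loads(_unb64url(body_b64)), None
    except (ValueError, KeyError, AttributeError) as exc:
        return None, f"malformed token: {exc}"
```

Returning the reason separately lets the caller log which setting disagrees without logging the token itself.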