codeant-ai-for-open-source[bot] commented on code in PR #38495:
URL: https://github.com/apache/superset/pull/38495#discussion_r2908393930
##########
superset/security/manager.py:
##########
@@ -846,9 +846,13 @@ def get_table_access_error_msg(self, tables: set["Table"])
-> str:
:returns: The error message
"""
- quoted_tables = [f"`{table}`" for table in tables]
- return f"""You need access to the following tables: {",
".join(quoted_tables)},
- `all_database_access` or `all_datasource_access` permission"""
+ quoted_tables = [f'"{table}"' for table in tables]
+ return _(
+ "You need access to the following tables: %(tables)s, "
+ "'all_database_access' or 'all_datasource_access' permission"
+ ) % {
+ "tables": ", ".join(quoted_tables),
+ }
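Review bot: the new message mixes quoting styles: table names are wrapped in double quotes (`f'"{table}"'`) while the permission names use single quotes (`'all_database_access'`), where the removed lines used backticks for both; pick one style so the rendered message reads consistently. Separately, `for table in tables` iterates a `set`, so the order of names fed to `", ".join(quoted_tables)` is not stable; sorting before the join would make the message deterministic.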
Review Comment:
**Suggestion:** Iterating directly over a set to build the table list results in a nondeterministic ordering of table names in the error message, which can lead to confusing UX and potentially flaky tests or string comparisons; convert to a deterministic, sorted sequence before joining. [logic error]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ⚠️ Table-access error messages show tables in random, shifting order.
- ⚠️ Any tests comparing full message strings may become flaky.
```
</details>
```suggestion
        quoted_tables = [f'"{table}"' for table in sorted(tables, key=str)]
        return _(
            "You need access to the following tables: %(tables)s, "
            "'all_database_access' or 'all_datasource_access' permission"
        ) % {
            "tables": ", ".join(quoted_tables),
        }
```
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. In `superset/security/manager.py`, note `SupersetSecurityManager.get_table_access_error_msg()` (around line 841) builds `quoted_tables` from the `tables` parameter, which is a `set["Table"]`, by iterating it directly (lines 849–855).
2. In the same file, `SupersetSecurityManager.raise_for_access()` constructs a `tables` set via a set comprehension from `process_jinja_sql(...).tables` when checking SQL access, and builds a `denied` set which is passed to `get_table_access_error_object(denied)`, which in turn calls `get_table_access_error_msg(denied)`.
3. Run Superset and execute in SQL Lab a query that references at least two SQL tables the current user cannot access (e.g., a `JOIN` between two unauthorized tables), so that `raise_for_access(database=db, sql=..., ...)` is invoked and populates `denied` with multiple `Table` objects.
4. Inspect the returned `SupersetError` (e.g., from the SQL Lab API response or server logs): the message is produced at `superset/security/manager.py:849–855`, and because it iterates the `denied` set without sorting, the order of table names in `"You need access to the following tables: ..."` can differ between Python processes or runs due to the nondeterministic iteration order of sets.
```
</details>