codeant-ai-for-open-source[bot] commented on PR #38407:
URL: https://github.com/apache/superset/pull/38407#issuecomment-4030145236
## **Sequence Diagram**
This PR adds RBAC metadata to MCP tools and enforces Flask-AppBuilder-style
permission checks via the MCP auth hook before any tool runs, returning an
explicit permission error when access is denied.
```mermaid
sequenceDiagram
participant ToolDecorator
participant ToolFunction as MCP Tool
participant Client
participant MCPServer as MCP Server
participant AuthHook as Auth Hook
participant RBAC as Security Manager
ToolDecorator->>ToolFunction: Attach class and method permission metadata
Client->>MCPServer: Invoke MCP tool
MCPServer->>AuthHook: Call tool through auth hook
AuthHook->>AuthHook: Load user and read tool permission metadata
AuthHook->>RBAC: Check can_action on resource
alt Permission granted
RBAC-->>AuthHook: Access allowed
AuthHook->>ToolFunction: Execute tool
ToolFunction-->>Client: Return tool result
else Permission denied
RBAC-->>AuthHook: Access denied
AuthHook-->>Client: MCPPermissionDeniedError
end
```
---
*Generated by [CodeAnt AI](https://codeant.ai)*
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
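The flow in the diagram above, as an added Python sketch that is not code from the PR or from Superset. The names `tool_permission`, `auth_hook`, `StubSecurityManager`, the attribute names and the sample grants are assumptions made for illustration; only `MCPPermissionDeniedError` and the `can_<action>` on resource check come from the comment. Denying tools that carry no metadata is this example's choice, not something the comment states.

```python
import functools

class MCPPermissionDeniedError(Exception):
    """Error named in the diagram; this definition is a stand-in."""

def tool_permission(resource, method):
    """Hypothetical decorator: attach class/method permission metadata."""
    def decorate(func):
        func.class_permission_name = resource
        func.method_permission_name = method
        return func
    return decorate

class StubSecurityManager:
    """Stand-in for the RBAC check; grants are constructed sample data."""
    def __init__(self, grants):
        self.grants = grants  # {user: {("can_read", "Chart"), ...}}

    def can_access(self, user, permission, resource):
        return (permission, resource) in self.grants.get(user, set())

def auth_hook(tool, security_manager, user):
    """Return a guarded callable that checks RBAC before running the tool."""
    @functools.wraps(tool)
    def guarded(*args, **kwargs):
        resource = getattr(tool, "class_permission_name", None)
        method = getattr(tool, "method_permission_name", None)
        # Example's choice: no user or no metadata means deny, not allow.
        if user is None or not resource or not method:
            raise MCPPermissionDeniedError("no user or permission metadata")
        if not security_manager.can_access(user, f"can_{method}", resource):
            raise MCPPermissionDeniedError(f"{user}: can_{method} on {resource}")
        return tool(*args, **kwargs)
    return guarded

@tool_permission("Chart", "read")
def list_charts():
    return ["chart-1", "chart-2"]  # constructed result

def unlabelled_tool():
    return "ran"  # carries no permission metadata

# Constructed grants: alice may read charts, bob has nothing.
SM = StubSecurityManager({"alice": {("can_read", "Chart")}})
```
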