codeant-ai-for-open-source[bot] commented on PR #38407:
URL: https://github.com/apache/superset/pull/38407#issuecomment-4047821803
## **Sequence Diagram**
This PR adds RBAC metadata to MCP tools and enforces permission checks
before tool execution. The flow now mirrors Flask AppBuilder permissions, with
optional bypass via configuration and explicit denial errors when access is
missing.
```mermaid
sequenceDiagram
participant Developer
participant ToolDecorator
participant AuthHook
participant SecurityManager
participant MCPTool
Developer->>ToolDecorator: Register tool with class permission and optional method permission
ToolDecorator->>AuthHook: Attach permission metadata and wrap tool
AuthHook->>AuthHook: Resolve current user and RBAC enabled flag
AuthHook->>SecurityManager: Check can access for configured action and resource
alt Permission granted or RBAC disabled or no class permission
AuthHook->>MCPTool: Execute requested tool
MCPTool-->>AuthHook: Return tool result
else Permission denied
AuthHook-->>Developer: Raise MCPPermissionDeniedError
end
```
---
*Generated by [CodeAnt AI](https://codeant.ai)*
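
The flow in the diagram above, sketched as an added example that is not code from the PR or from Superset. The `CONFIG` key, `StubSecurityManager`, the `tool` decorator signature, the `can_` action prefix and the default `read` method permission are all assumptions made for illustration; only `MCPPermissionDeniedError` is a name taken from the comment.

```python
import functools

CONFIG = {"MCP_RBAC_ENABLED": True}  # hypothetical flag name, not from the PR


class MCPPermissionDeniedError(Exception):
    """Raised when the current user lacks the permission a tool requires."""


class StubSecurityManager:
    """Constructed stand-in for a Flask AppBuilder style security manager."""

    def __init__(self, grants):
        self.grants = grants  # {username: {(action, resource), ...}}

    def can_access(self, user, action, resource):
        return (action, resource) in self.grants.get(user, set())


def tool(sm, get_user, class_permission=None, method_permission="read"):
    """Attach permission metadata to a tool and wrap it with an RBAC check."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            # Skipped only when RBAC is disabled or no class permission is set.
            if CONFIG["MCP_RBAC_ENABLED"] and class_permission is not None:
                user, action = get_user(), f"can_{method_permission}"
                # Fail closed: an unresolved user is treated as denied.
                if user is None or not sm.can_access(user, action, class_permission):
                    raise MCPPermissionDeniedError(f"{action} on {class_permission} denied")
            return func(*args, **kwargs)
        wrapper.class_permission = class_permission
        wrapper.method_permission = method_permission
        return wrapper
    return decorator


# Constructed sample data: "viewer" may only read the "Chart" resource.
current = {"user": "viewer"}
security = StubSecurityManager({"viewer": {("can_read", "Chart")}})


@tool(security, lambda: current["user"], class_permission="Chart")
def list_charts():
    return ["chart-1"]


@tool(security, lambda: current["user"], class_permission="Chart", method_permission="write")
def update_chart(chart_id):
    return f"updated {chart_id}"
```

The two bypass branches (RBAC disabled, no class permission) are the ones worth covering in tests, since a tool registered without a class permission runs unchecked.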