bito-code-review[bot] commented on code in PR #36933:
URL: https://github.com/apache/superset/pull/36933#discussion_r2932180394
##########
superset/security/manager.py:
##########
@@ -3109,6 +3131,28 @@ def has_guest_access(self, dashboard: "Dashboard") ->
bool:
return True
return False
+ def has_guest_chart_permalink_access(self, datasource: Any) -> bool:
+ """
+ Check if a guest user has access to a datasource via a chart permalink
resource.
+
+ For embedded charts, the guest token contains chart_permalink
resources.
+ This grants datasource access when the user holds at least one
+ chart_permalink resource. The embedded chart page constrains the actual
+ query to the datasource specified in the permalink's formData.
+
+ TODO: For stricter security, resolve each permalink and compare the
+ datasource in its formData against the requested datasource. This would
+ prevent a guest user from crafting requests to other datasources.
+ """
+ user = self.get_current_guest_user_if_guest()
+ if not user or not isinstance(user, GuestUser):
+ return False
+
+ return any(
+ r.get("type") == GuestTokenResourceType.CHART_PERMALINK.value
+ for r in user.resources
+ )
Review Comment:
<!-- Bito Reply -->
Yes, the code in superset/security/manager.py matches your description. The
has_guest_chart_permalink_access method grants datasource access to guests with
any chart_permalink resource, as documented in the docstring and TODO for
performance reasons, with a planned stricter check.
**superset/security/manager.py**
```
def has_guest_chart_permalink_access(self, datasource: Any) -> bool:
"""
Check if a guest user has access to a datasource via a chart
permalink resource.
For embedded charts, the guest token contains chart_permalink
resources.
This grants datasource access when the user holds at least one
chart_permalink resource. The embedded chart page constrains the
actual
query to the datasource specified in the permalink's formData.
TODO: For stricter security, resolve each permalink and compare the
datasource in its formData against the requested datasource. This
would
prevent a guest user from crafting requests to other datasources.
"""
user = self.get_current_guest_user_if_guest()
if not user or not isinstance(user, GuestUser):
return False
return any(
r.get("type") == GuestTokenResourceType.CHART_PERMALINK.value
for r in user.resources
)
```
##########
superset/mcp_service/embedded_chart/tool/get_embeddable_chart.py:
##########
@@ -0,0 +1,286 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""
+MCP tool: get_embeddable_chart
+
+Creates an embeddable chart iframe with guest token authentication.
+This enables AI agents to generate charts that can be displayed in
+external applications via iframe.
+"""
+
+import logging
+from datetime import datetime, timedelta, timezone
+
+from fastmcp import Context
+from flask import g
+from superset_core.mcp.decorators import tool
+
+from superset.commands.exceptions import CommandException
+from superset.mcp_service.chart.chart_utils import (
+ map_config_to_form_data,
+ resolve_dataset,
+)
+from superset.mcp_service.embedded_chart.schemas import (
+ GetEmbeddableChartRequest,
+ GetEmbeddableChartResponse,
+)
+from superset.mcp_service.utils.schema_utils import parse_request
+from superset.mcp_service.utils.url_utils import get_superset_base_url
+from superset.security.guest_token import (
+ GuestTokenResource,
Review Comment:
<!-- Bito Reply -->
The circular import concern is incorrect. `superset.security.guest_token` is
a leaf module with no imports from `mcp_service`, so no circular dependency
exists. Moving these TypedDicts to `TYPE_CHECKING` saves negligible overhead
and isn't consistent with how the rest of Superset imports them.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
