mike-lmctl opened a new pull request, #39946:
URL: https://github.com/apache/superset/pull/39946
Fixes #39834.
Bearer-authenticated API requests can pass FAB authorization while Superset's
database and dataset list filters still evaluate permissions with an anonymous
`g.user`. This resolves the JWT user before those permission filters run, so the
list results match the authenticated user instead of falling back to public
access.

I added focused regression coverage for database and dataset list requests using
a fresh client with only an `Authorization: Bearer` header. I also covered an
invalid Bearer token so it returns 401 instead of an internal error.

Tests run:
- Targeted integration tests for JWT database and dataset list requests, invalid Bearer handling, and the login endpoint
- `uvx ruff check` on the changed files
- `git diff --check`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
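A simplified, self-contained model of the ordering problem described in the pull request above, added here as an illustration. It is not Superset or Flask-AppBuilder code: `RequestContext`, `list_filter`, the HMAC token format and all sample data are hypothetical, constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed value, for the demo only
# Constructed sample data: dataset name -> roles allowed to list it
DATASETS = {"sales": {"analyst"}, "public_stats": {"public", "analyst"}}
USER_ROLES = {"alice": "analyst"}

@dataclass
class RequestContext:  # hypothetical stand-in for a request-global such as g.user
    headers: dict
    user: Optional[str] = None  # None models the anonymous user

def make_token(username):
    sig = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{sig}"

def verify_bearer(headers):
    """Return the username for a valid Bearer token, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    username, _, sig = token.rpartition(".")
    if scheme != "Bearer" or not username:
        return None
    expected = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    # Compare as bytes so a non-ASCII signature cannot raise TypeError
    ok = hmac.compare_digest(sig.encode(), expected.encode())
    return username if ok else None

def list_filter(ctx):
    """Row-level filter: reads the request-global user, never the token."""
    role = USER_ROLES.get(ctx.user, "public")
    return sorted(name for name, roles in DATASETS.items() if role in roles)

def list_datasets(ctx, resolve_user_first):
    username = verify_bearer(ctx.headers)
    if "Authorization" in ctx.headers and username is None:
        return 401, []       # invalid token: reject cleanly, no fallthrough
    if resolve_user_first:
        ctx.user = username  # fixed ordering: bind identity before filters run
    # With resolve_user_first=False the token was accepted above, yet the
    # filter below still sees ctx.user=None and returns public rows only.
    return 200, list_filter(ctx)
```

Calling `list_datasets` with `resolve_user_first=False` reproduces the mismatch between the authorization gate and the filter; `True` models the ordering the PR describes.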