codeant-ai-for-open-source[bot] commented on code in PR #40026:
URL: https://github.com/apache/superset/pull/40026#discussion_r3220026344
##########
superset/security/api.py:
##########
@@ -171,6 +171,19 @@ def guest_token(self) -> Response:
try:
body = guest_token_create_schema.load(request.json)
self.appbuilder.sm.validate_guest_token_resources(body["resources"])
+ # Verify requesting user has access to each specified resource
+ for resource in body["resources"]:
+ if resource["type"] == GuestTokenResourceType.DASHBOARD.value:
+ from superset.models.embedded_dashboard import
EmbeddedDashboard # noqa: PLC0415
+ embedded = (
+ db.session.query(EmbeddedDashboard)
+ .filter_by(uuid=resource["id"])
+ .one_or_none()
+ )
+ if embedded and not
self.appbuilder.sm.can_access_dashboard(
+ embedded.dashboard
+ ):
+ raise ForbiddenError()
Review Comment:
**🔴 Architect Review — CRITICAL**
The authorization check in the guest token endpoint only enforces
`can_access_dashboard` when the resource ID resolves to an `EmbeddedDashboard`
UUID; if a dashboard resource is specified by legacy dashboard ID, `embedded`
is `None` and no access check is performed. Since
`validate_guest_token_resources` still accepts dashboard IDs and
`has_guest_access` still honors them, a user with `can_grant_guest_token` can
mint guest tokens for dashboards they cannot access by using dashboard IDs.
**Suggestion:** For each dashboard resource, resolve a concrete `Dashboard`
object using the same dual-path logic as `validate_guest_token_resources`
(dashboard ID or embedded UUID), and always enforce `can_access_dashboard` on
that resolved dashboard; add an integration test ensuring that a caller without
access submitting a dashboard ID receives 403.
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt=This%20is%20an%20%2A%2AArchitect%20%2F%20Logical%20Review%2A%2A%20comment%20left%20during%20a%20code%20review.%20These%20reviews%20are%20first-class%2C%20important%20findings%20%E2%80%94%20not%20optional%20suggestions.%20Do%20NOT%20dismiss%20this%20as%20a%20%27big%20architectural%20change%27%20just%20because%20the%20title%20says%20architect%20review%3B%20most%20of%20these%20can%20be%20resolved%20with%20a%20small%2C%20localized%20fix%20once%20the%20intent%20is%20understood.%0A%0A%2A%2APath%3A%2A%2A%20superset%2Fsecurity%2Fapi.py%0A%2A%2ALine%3A%2A%2A%20175%3A186%0A%2A%2AComment%3A%2A%2A%0A%09%2ACRITICAL%3A%20The%20authorization%20check%20in%20the%20guest%20token%20endpoint%20only%20enforces%20%60can_access_dashboard%60%20when%20the%20resource%20ID%20resolves%20to%20an%20%60EmbeddedDashboard%60%20UUID%3B%20if%20a%20dashboard%20resource%20is%20specified%20by%20legacy%20dashboard%20ID%2C%20%60embedded%60%20is%20%60No
ne%60%20and%20no%20access%20check%20is%20performed.%20Since%20%60validate_guest_token_resources%60%20still%20accepts%20dashboard%20IDs%20and%20%60has_guest_access%60%20still%20honors%20them%2C%20a%20user%20with%20%60can_grant_guest_token%60%20can%20mint%20guest%20tokens%20for%20dashboards%20they%20cannot%20access%20by%20using%20dashboard%20IDs.%0A%0AValidate%20the%20correctness%20of%20the%20flagged%20issue.%20If%20correct%2C%20How%20can%20I%20resolve%20this%3F%20If%20you%20propose%20a%20fix%2C%20implement%20it%20and%20please%20make%20it%20concise.%0AIf%20a%20suggested%20approach%20is%20provided%20above%2C%20use%20it%20as%20the%20authoritative%20instruction.%20If%20no%20explicit%20code%20suggestion%20is%20given%2C%20you%20MUST%20still%20draft%20and%20apply%20your%20own%20minimal%2C%20localized%20fix%20%E2%80%94%20do%20not%20punt%20back%20with%20%27no%20suggestion%20provided%2C%20review%20manually%27.%20Keep%20the%20change%20as%20small%20as%20possible%3A%20add%20a%20guard%20clause%2C%
20gate%20on%20a%20loading%20state%2C%20reorder%20an%20await%2C%20wrap%20in%20a%20conditional%2C%20etc.%20Do%20not%20refactor%20surrounding%20code%20or%20expand%20scope%20beyond%20the%20finding.%0AOnce%20fix%20is%20implemented%2C%20also%20check%20other%20comments%20on%20the%20same%20PR%2C%20and%20ask%20user%20if%20the%20user%20wants%20to%20fix%20the%20rest%20of%20the%20comments%20as%20well.%20if%20said%20yes%2C%20then%20fetch%20all%20the%20comments%20validate%20the%20correctness%20and%20implement%20a%20minimal%20fix%0A)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt=This%20is%20an%20%2A%2AArchitect%20%2F%20Logical%20Review%2A%2A%20comment%20left%20during%20a%20code%20review.%20These%20reviews%20are%20first-class%2C%20important%20findings%20%E2%80%94%20not%20optional%20suggestions.%20Do%20NOT%20dismiss%20this%20as%20a%20%27big%20architectural%20change%27%20just%20because%20the%20title%20says%20architect%20review%3B%20most%20of%20these%20can%20be%2
0resolved%20with%20a%20small%2C%20localized%20fix%20once%20the%20intent%20is%20understood.%0A%0A%2A%2APath%3A%2A%2A%20superset%2Fsecurity%2Fapi.py%0A%2A%2ALine%3A%2A%2A%20175%3A186%0A%2A%2AComment%3A%2A%2A%0A%09%2ACRITICAL%3A%20The%20authorization%20check%20in%20the%20guest%20token%20endpoint%20only%20enforces%20%60can_access_dashboard%60%20when%20the%20resource%20ID%20resolves%20to%20an%20%60EmbeddedDashboard%60%20UUID%3B%20if%20a%20dashboard%20resource%20is%20specified%20by%20legacy%20dashboard%20ID%2C%20%60embedded%60%20is%20%60None%60%20and%20no%20access%20check%20is%20performed.%20Since%20%60validate_guest_token_resources%60%20still%20accepts%20dashboard%20IDs%20and%20%60has_guest_access%60%20still%20honors%20them%2C%20a%20user%20with%20%60can_grant_guest_token%60%20can%20mint%20guest%20tokens%20for%20dashboards%20they%20cannot%20access%20by%20using%20dashboard%20IDs.%0A%0AValidate%20the%20correctness%20of%20the%20flagged%20issue.%20If%20correct%2C%20How%20can%20I%20resolve%20t
his%3F%20If%20you%20propose%20a%20fix%2C%20implement%20it%20and%20please%20make%20it%20concise.%0AIf%20a%20suggested%20approach%20is%20provided%20above%2C%20use%20it%20as%20the%20authoritative%20instruction.%20If%20no%20explicit%20code%20suggestion%20is%20given%2C%20you%20MUST%20still%20draft%20and%20apply%20your%20own%20minimal%2C%20localized%20fix%20%E2%80%94%20do%20not%20punt%20back%20with%20%27no%20suggestion%20provided%2C%20review%20manually%27.%20Keep%20the%20change%20as%20small%20as%20possible%3A%20add%20a%20guard%20clause%2C%20gate%20on%20a%20loading%20state%2C%20reorder%20an%20await%2C%20wrap%20in%20a%20conditional%2C%20etc.%20Do%20not%20refactor%20surrounding%20code%20or%20expand%20scope%20beyond%20the%20finding.%0AOnce%20fix%20is%20implemented%2C%20also%20check%20other%20comments%20on%20the%20same%20PR%2C%20and%20ask%20user%20if%20the%20user%20wants%20to%20fix%20the%20rest%20of%20the%20comments%20as%20well.%20if%20said%20yes%2C%20then%20fetch%20all%20the%20comments%20vali
date%20the%20correctness%20and%20implement%20a%20minimal%20fix%0A)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is an **Architect / Logical Review** comment left during a code review.
These reviews are first-class, important findings — not optional suggestions.
Do NOT dismiss this as a 'big architectural change' just because the title says
architect review; most of these can be resolved with a small, localized fix
once the intent is understood.
**Path:** superset/security/api.py
**Line:** 175:186
**Comment:**
*CRITICAL: The authorization check in the guest token endpoint only
enforces `can_access_dashboard` when the resource ID resolves to an
`EmbeddedDashboard` UUID; if a dashboard resource is specified by legacy
dashboard ID, `embedded` is `None` and no access check is performed. Since
`validate_guest_token_resources` still accepts dashboard IDs and
`has_guest_access` still honors them, a user with `can_grant_guest_token` can
mint guest tokens for dashboards they cannot access by using dashboard IDs.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative
instruction. If no explicit code suggestion is given, you MUST still draft and
apply your own minimal, localized fix — do not punt back with 'no suggestion
provided, review manually'. Keep the change as small as possible: add a guard
clause, gate on a loading state, reorder an await, wrap in a conditional, etc.
Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
