Re: [PR] fix(embedded): resolve guest user permissions in user_view_menu_names [superset]

Tue, 19 May 2026 19:05:38 -0700 


bito-code-review[bot] commented on code in PR #39197:
URL: https://github.com/apache/superset/pull/39197#discussion_r3270816305


##########
superset/security/manager.py:
##########
@@ -958,6 +958,30 @@ def can_access_table(self, database: "Database", table: 
"Table") -> bool:
         return True
 
     def user_view_menu_names(self, permission_name: str) -> set[str]:
+        # Guest users (embedded dashboards) have is_anonymous=False but no
+        # database identity, so querying by user_id returns nothing. Instead,
+        # resolve permissions directly from the roles attached to the guest
+        # token (typically the Public role).
+        if self.is_guest_user():
+            role_ids = [
+                role.id for role in g.user.roles if role and role.id is not 
None
+            ]
+            if not role_ids:
+                return set()
+            base_query = (
+                self.session.query(self.viewmenu_model.name)
+                .join(self.permissionview_model)
+                .join(self.permission_model)
+                .join(assoc_permissionview_role)
+                .join(self.role_model)
+            )

Review Comment:
   <div>
   
   
   <div id="suggestion">
   <div id="issue"><b>Semantic duplication in diff</b></div>
   <div id="fix">
   
   The `base_query` definition is duplicated in both the guest user branch 
(lines 971-977) and the non-guest user branch (lines 985-991). This creates 
maintenance risk where changes to the query structure must be made in two 
places, increasing divergence potential.
   </div>
   
   
   <details>
   <summary>
   <b>Code suggestion</b>
   </summary>
   <blockquote>Check the AI-generated fix before applying</blockquote>
   <div id="code">
   
   
   ```
    --- superset/security/manager.py (lines 960-991) ---
    960:     def user_view_menu_names(self, permission_name: str) -> set[str]:
    961:         # Guest users (embedded dashboards) have is_anonymous=False 
but no
    962:         # database identity, so querying by user_id returns nothing. 
Instead,
    963:         # resolve permissions directly from the roles attached to the 
guest
    964:         # token (typically the Public role).
    965:         base_query = (
    966:             self.session.query(self.viewmenu_model.name)
    967:             .join(self.permissionview_model)
    968:             .join(self.permission_model)
    969:             .join(assoc_permissionview_role)
    970:             .join(self.role_model)
    971:         )
    972: 
    973:         if self.is_guest_user():
    974:             role_ids = [
    975:                 role.id for role in g.user.roles if role and role.id 
is not None
    976:             ]
    977:             if not role_ids:
    978:                 return set()
    979:             view_menu_names = (
    980:                 
base_query.filter(self.role_model.id.in_(role_ids)).filter(
    981:                     self.permission_model.name == permission_name
    982:                 )
    983:             ).all()
    984:             return {s.name for s in view_menu_names}
    985: 
    986:         if not g.user.is_anonymous:
    987:             user_id = get_user_id()
    988: 
    989:             user_roles_filter = or_(
    990:                 exists().where(
    991:                     (assoc_user_role.c.user_id == user_id)
    992:                     & (assoc_user_role.c.role_id == self.role_model.id)
    993:                     & (self.permission_model.name == permission_name)
    994:                 ),
    995:                     (assoc_user_group.c.user_id == user_id)
    996:                     & (assoc_user_group.c.group_id == 
self.group_model.id)
    997:                     & (assoc_group_role.c.group_id == 
self.group_model.id)
    998:                     & (assoc_group_role.c.role_id == 
self.role_model.id)
    999:                     & (self.permission_model.name == permission_name)
    1000:                 ),
    1001:             )
    1002: 
    1003:             view_menu_names = 
base_query.filter(user_roles_filter).all()
    1004:             return {s.name for s in view_menu_names}
    1005: 
    1006:         # Properly treat anonymous user
    1007:         if public_role := self.get_public_role():
    1008:             # filter by public role
    1009:             view_menu_names = (
    1010:                 base_query.filter(self.role_model.id == 
public_role.id).filter(
    1011:                     self.permission_model.name == permission_name
    1012:                 )
    1013:             ).all()
    1014:             return {s.name for s in view_menu_names}
    1015:         return set()
   ```
   
   </div>
   </details>
   
   
   
   </div>
   
   
   
   
   <small><i>Code Review Run #2d20fb</i></small>
   </div>
   
   ---
   Should Bito avoid suggestions like this for future reviews? (<a 
href=https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules</a>)
   - [ ] Yes, avoid them



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to