rusackas opened a new pull request, #40631: URL: https://github.com/apache/superset/pull/40631
### SUMMARY The MCP service authenticates tool calls via JWT/API key, but its user-resolution path (`_setup_user_context` → `get_user_from_request`) never checked `User.active`. Flask-Login enforces `is_active` for web sessions, but the MCP path bypasses that — so a user whose account had been **deactivated** could keep making MCP tool calls (data queries, chart/dashboard operations, retaining RBAC permissions) for as long as they held a valid token. This adds an `is_active` check immediately after the user is resolved: an inactive account raises `ValueError`, which the existing fail-closed handler in `_setup_user_context` converts into a denied request (and clears `g.user` so audit logs don't misattribute the denied call). The check is factored into a small `_reject_if_inactive` helper, applied across all resolution paths (JWT, dev-username, `g.user` fallback) at the single choke point. ### TESTING INSTRUCTIONS ``` pytest tests/unit_tests/mcp_service/test_auth_user_resolution.py ``` New tests: - `test_setup_user_context_rejects_disabled_user` — a user with `active=False` raises `ValueError` and `g.user` is cleared. - `test_setup_user_context_allows_active_user` — an active user authenticates normally. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
