Re: [PR] feat(security): per-dashboard guest token revocation [superset]

Tue, 02 Jun 2026 21:50:00 -0700 


rusackas commented on code in PR #40699:
URL: https://github.com/apache/superset/pull/40699#discussion_r3345993851


##########
superset/dashboards/api.py:
##########
@@ -2134,6 +2135,56 @@ def delete_embedded(self, dashboard: Dashboard) -> 
Response:
         DeleteEmbeddedDashboardCommand(dashboard).run()
         return self.response(200, message="OK")
 
+    @expose("/<id_or_slug>/embedded/revoke", methods=("POST",))
+    @protect()
+    @safe
+    @permission_name("set_embedded")
+    @statsd_metrics
+    @event_logger.log_this_with_context(
+        action=lambda self, *args, **kwargs: (
+            f"{self.__class__.__name__}.revoke_embedded"
+        ),
+        log_to_statsd=False,
+    )
+    @with_dashboard
+    def revoke_embedded(self, dashboard: Dashboard) -> Response:
+        """Revoke outstanding guest tokens for the dashboard's embedded config.
+        ---
+        post:
+          summary: Revoke active guest sessions for the dashboard
+          description: >-
+            Rejects guest tokens for this dashboard that were issued before 
now,
+            terminating outstanding embedded guest sessions without affecting
+            other dashboards.
+          parameters:
+          - in: path
+            schema:
+              type: string
+            name: id_or_slug
+            description: The dashboard id or slug
+          responses:
+            200:
+              description: Successfully revoked active guest tokens
+              content:
+                application/json:
+                  schema:
+                    type: object
+                    properties:
+                      message:
+                        type: string
+            401:
+              $ref: '#/components/responses/401'
+            404:
+              $ref: '#/components/responses/404'
+            500:
+              $ref: '#/components/responses/500'
+        """
+        if not dashboard.embedded:
+            return self.response_404()

Review Comment:
   Good consistency point — fixed in 0811472335. `revoke_embedded` is now an 
idempotent no-op returning 200 when the dashboard has no embedded config, 
mirroring `delete_embedded`, instead of returning 404. Removed the 404 from the 
OpenAPI responses and added a test 
(`test_revoke_endpoint_no_embedded_config_is_noop_200`).



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to