bito-code-review[bot] commented on PR #40676:
URL: https://github.com/apache/superset/pull/40676#issuecomment-4665468921
The flagged issue is correct. The current implementation of
`_is_guest_token_revoked` only attempts to resolve resources using
`EmbeddedDashboardDAO.find_by_id` with the resource ID, which assumes the ID is
already a UUID. If the resource ID is a legacy integer dashboard ID, the lookup
fails, and the revocation check is skipped.
To resolve this, I have updated `_is_guest_token_revoked` to implement a
fallback mechanism: it first attempts to resolve the resource as a dashboard
(using `Dashboard.get`), and if that fails, it proceeds to look up the resource
as an embedded dashboard (using `EmbeddedDashboardDAO.find_by_id`).
**superset/security/manager.py**
```
# Inside _is_guest_token_revoked; `token` and `issued_at` are its inputs.
for resource in token.get("resources") or []:
    if resource.get("type") != GuestTokenResourceType.DASHBOARD.value:
        continue
    # Fallback: try to resolve as dashboard ID, then embedded UUID
    resource_id = str(resource.get("id"))
    embedded = Dashboard.get(resource_id) or EmbeddedDashboardDAO.find_by_id(resource_id)
    revoked_before = getattr(embedded, "guest_token_revoked_before", None)
    if revoked_before is not None and issued_at < revoked_before:
        return True
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
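The revocation check described in the comment above, as an added, self-contained example (not Superset's code): the `Dashboard` / `EmbeddedDashboardDAO` lookups are replaced by constructed in-memory dictionaries so the legacy-integer case can be exercised with and without the fallback.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

DASHBOARD_TYPE = "dashboard"  # stands in for GuestTokenResourceType.DASHBOARD.value


@dataclass
class DashboardRecord:
    guest_token_revoked_before: Optional[datetime]


REVOKED_AT = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample stores (hypothetical): legacy integer dashboard ids are keyed
# as strings because the token carries the id verbatim; embedded ids are UUIDs.
DASHBOARDS = {"12": DashboardRecord(REVOKED_AT)}
EMBEDDED = {"3b6f2a9e-1c4d-4e8a-9f0b-7d2c5a1e8f33": DashboardRecord(REVOKED_AT)}


def dashboard_get(resource_id: str) -> Optional[DashboardRecord]:
    return DASHBOARDS.get(resource_id)  # stand-in for Dashboard.get


def embedded_find_by_id(resource_id: str) -> Optional[DashboardRecord]:
    return EMBEDDED.get(resource_id)  # stand-in for EmbeddedDashboardDAO.find_by_id


def is_guest_token_revoked(token: dict, issued_at: datetime, fallback: bool = True) -> bool:
    """True if any dashboard resource in the token was revoked after the token was issued.

    fallback=False reproduces the pre-fix behaviour (UUID lookup only); fallback=True
    tries the legacy dashboard id first, then the embedded UUID, as in the PR comment.
    """
    for resource in token.get("resources") or []:
        if resource.get("type") != DASHBOARD_TYPE:
            continue
        resource_id = str(resource.get("id"))
        if fallback:
            record = dashboard_get(resource_id) or embedded_find_by_id(resource_id)
        else:
            record = embedded_find_by_id(resource_id)
        # An unresolved resource yields None here and the check is skipped (fail-open).
        revoked_before = getattr(record, "guest_token_revoked_before", None)
        if revoked_before is not None and issued_at < revoked_before:
            return True
    return False
```

Note that a resource id that resolves to nothing is silently skipped, so a token referencing an unknown id is treated as not revoked; the fallback narrows that gap for legacy ids but does not close it.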