rusackas commented on PR #40026:
URL: https://github.com/apache/superset/pull/40026#issuecomment-4700687008

Thanks for the pass here, but I don't think the premise holds. The `/guest_token/` endpoint isn't reachable by any authenticated user; it's gated behind `@permission_name("grant_guest_token")`, which per SECURITY.md is the trusted embedding-service role, not something Public/Gamma can call. And the resources do get checked: line 185 already runs `validate_guest_token_resources(body["resources"])` before a token is issued. So the scenario as written isn't reachable. Closing this, but if you can point to a specific role from the SECURITY.md capability matrix that reaches this without `grant_guest_token`, please reopen with that and we'll dig in.
