rusackas commented on PR #39946: URL: https://github.com/apache/superset/pull/39946#issuecomment-4748918715
Thanks @mike-lmctl, this nails the right bug and the repro in #39834 is super clear. Two things before this can move, though.

It's conflicting with current `master` now and needs a rebase.

The part I want to think through: `can_access` is about the hottest authz primitive we have (~44 call sites), and putting `verify_jwt_in_request()` plus a `g.user` write inside it means every Bearer request that lands there with an anonymous `g.user` re-verifies the token and mutates request state as a side effect. That feels like a lot of surface for a list-filter fix. Could we hydrate the JWT user once earlier in the request lifecycle (a `before_request`/auth hook, closer to where FAB resets `g.user`) rather than from inside the permission check? Curious whether you tried that route and hit a wall. Thoughts?
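A sketch of the hook-based route the comment proposes, added here as an illustration and not Superset's or the PR's code: it assumes a stand-in `RequestGlobals` for Flask's `g`, a constructed HMAC `user.mac` token in place of a real JWT, and a constructed grants table. The hook verifies the Bearer token once at request start; `can_access` then only reads `g.user` and has no side effects, so a bad signature leaves the request anonymous and denied.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret; a real deployment loads this from config, never source.
SECRET = b"constructed-demo-secret"


def issue_token(user: str) -> str:
    """Mint a minimal 'user.mac' bearer token (stand-in for a real JWT)."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


@dataclass
class RequestGlobals:
    """Stand-in for Flask's `g`: per-request user plus a verification counter."""
    user: str = "anonymous"
    verifications: int = 0


def verify_bearer(token: str, g: RequestGlobals) -> Optional[str]:
    """Verify the token and count the call; returns the subject or None."""
    g.verifications += 1
    user, _, mac = token.partition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if mac and hmac.compare_digest(mac, expected) else None


def before_request(headers: dict, g: RequestGlobals) -> None:
    """Auth hook: hydrate g.user from a Bearer header exactly once per request."""
    auth = headers.get("Authorization", "")
    if g.user == "anonymous" and auth.startswith("Bearer "):
        subject = verify_bearer(auth[len("Bearer "):], g)
        if subject is not None:
            g.user = subject


def can_access(g: RequestGlobals, permission: str, grants: dict) -> bool:
    """Pure permission check: reads g.user, never verifies tokens or mutates g."""
    return permission in grants.get(g.user, set())


def handle_request(headers: dict, permissions: list, grants: dict):
    """Simulate one request: the hook runs first, then many can_access calls."""
    g = RequestGlobals()
    before_request(headers, g)
    results = [can_access(g, p, grants) for p in permissions]
    return results, g.user, g.verifications
```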
