codeant-ai-for-open-source[bot] commented on code in PR #40958:
URL: https://github.com/apache/superset/pull/40958#discussion_r3477009042


##########
superset/mcp_service/dashboard/tool/remove_chart_from_dashboard.py:
##########
@@ -0,0 +1,439 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+MCP tool: remove_chart_from_dashboard
+
+This tool removes a chart from an existing dashboard. It is the inverse of
+add_chart_to_existing_dashboard: it deletes the chart's CHART component(s)
+from position_json (pruning ROW/COLUMN containers that become empty),
+removes the chart from the dashboard's slices relationship, and cleans
+stale references to the chart from json_metadata (expanded_slices,
+timed_refresh_immune_slices, filter_scopes).
+"""
+
+import logging
+from typing import Any, Dict
+
+from fastmcp import Context
+from sqlalchemy.exc import SQLAlchemyError
+from superset_core.mcp.decorators import tool, ToolAnnotations
+
+from superset.commands.exceptions import CommandException
+from superset.extensions import event_logger
+from superset.mcp_service.dashboard.schemas import (
+    DashboardInfo,
+    RemoveChartFromDashboardRequest,
+    RemoveChartFromDashboardResponse,
+    serialize_chart_summary,
+)
+from superset.mcp_service.privacy import user_can_view_data_model_metadata
+from superset.mcp_service.utils.url_utils import get_superset_base_url
+from superset.utils import json
+
+logger = logging.getLogger(__name__)
+
+# Container types that should be deleted once they have no children left.
+# TAB/TABS/GRID/ROOT containers are intentionally kept even when empty —
+# deleting a TAB would silently change the dashboard's visible structure.
+_PRUNABLE_TYPES = ("ROW", "COLUMN")
+
+
+def _find_chart_keys(layout: Dict[str, Any], chart_id: int) -> list[str]:
+    """Return all layout keys of CHART components referencing *chart_id*.
+
+    A chart can legitimately appear more than once in a layout (e.g. under
+    multiple tabs), so all occurrences are returned.
+    """
+    return [
+        key
+        for key, node in layout.items()
+        if isinstance(node, dict)
+        and node.get("type") == "CHART"
+        and (node.get("meta") or {}).get("chartId") == chart_id
+    ]
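
Review bot: In `_find_chart_keys`, `(node.get("meta") or {}).get("chartId")` only guards against a missing or falsy `meta`; a CHART node whose `meta` is a non-empty list or string still reaches `.get` and raises `AttributeError`. The comprehension already checks `isinstance(node, dict)`, so apply the same `isinstance` check to `meta` before reading `chartId`. Minor style point: the signature mixes `Dict[str, Any]` from `typing` with the builtin `list[str]`; pick one form.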

Review Comment:
   **Suggestion:** Chart matching in layout is strict `int == int`, so CHART 
nodes whose `meta.chartId` is a string (e.g. `"10"` from imported/hand-edited 
layouts) are not removed. This can return a false "not in dashboard" error or 
leave stale CHART components in `position_json` while removing the slice 
relationship. Compare against both numeric and string forms when matching 
layout chart IDs. [logic error]
   
   <details>
   <summary><b>Severity Level:</b> Major ⚠️</summary>
   
   ```mdx
   - ❌ Dashboards can retain stale CHART nodes after removal.
   - ⚠️ Tool may falsely report chart not in dashboard.
   ```
   </details>
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. Create or modify a dashboard record so that its `position_json` contains CHART nodes
   like those built by `_chart_node` in
   `tests/unit_tests/mcp_service/dashboard/tool/test_remove_chart_from_dashboard.py:129–136`,
   but with `meta.chartId` stored as the string `"10"` instead of integer `10` (e.g. by
   hand-editing JSON or importing legacy data).
   
   2. Ensure the dashboard has no corresponding slice for that chart (e.g. use
   `_mock_dashboard` at lines 96–126 with `slices=[]` and
   `position_json=json.dumps(custom_layout)`), and patch `DashboardDAO.find_by_id` as done in
   tests like `test_chart_not_in_dashboard` (lines 60–75) so this dashboard is returned to
   the tool.
   
   3. Invoke the MCP tool via the async client helper `_call_remove` (lines 254–260) with
   `chart_id=10`, which routes into `remove_chart_from_dashboard` at
   `superset/mcp_service/dashboard/tool/remove_chart_from_dashboard.py:242` and parses the
   layout with `json.loads(dashboard.position_json or "{}")` at lines 269–270.
   
   4. Inside `_find_chart_keys` (lines 56–68), each CHART node's
   `(node.get("meta") or {}).get("chartId")` evaluates to `"10"` (string), which is not
   equal to the integer `chart_id` 10, so the list comprehension at lines 62–68 returns no
   layout keys; `_remove_chart_from_layout` (lines 122–132) yields `removed_keys == []`,
   `chart_in_slices` is False (no slices), and the tool hits the
   `if not removed_keys and not chart_in_slices` branch at lines 281–290, returning a
   `"Chart 10 is not in dashboard"` error even though CHART components for that chart
   remain in `position_json`, leaving layout and slices state inconsistent and misinforming
   the caller.
   ```
   </details>
   



##########
superset/mcp_service/dashboard/tool/remove_chart_from_dashboard.py:
##########
@@ -0,0 +1,439 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+MCP tool: remove_chart_from_dashboard
+
+This tool removes a chart from an existing dashboard. It is the inverse of
+add_chart_to_existing_dashboard: it deletes the chart's CHART component(s)
+from position_json (pruning ROW/COLUMN containers that become empty),
+removes the chart from the dashboard's slices relationship, and cleans
+stale references to the chart from json_metadata (expanded_slices,
+timed_refresh_immune_slices, filter_scopes).
+"""
+
+import logging
+from typing import Any, Dict
+
+from fastmcp import Context
+from sqlalchemy.exc import SQLAlchemyError
+from superset_core.mcp.decorators import tool, ToolAnnotations
+
+from superset.commands.exceptions import CommandException
+from superset.extensions import event_logger
+from superset.mcp_service.dashboard.schemas import (
+    DashboardInfo,
+    RemoveChartFromDashboardRequest,
+    RemoveChartFromDashboardResponse,
+    serialize_chart_summary,
+)
+from superset.mcp_service.privacy import user_can_view_data_model_metadata
+from superset.mcp_service.utils.url_utils import get_superset_base_url
+from superset.utils import json
+
+logger = logging.getLogger(__name__)
+
+# Container types that should be deleted once they have no children left.
+# TAB/TABS/GRID/ROOT containers are intentionally kept even when empty —
+# deleting a TAB would silently change the dashboard's visible structure.
+_PRUNABLE_TYPES = ("ROW", "COLUMN")
+
+
+def _find_chart_keys(layout: Dict[str, Any], chart_id: int) -> list[str]:
+    """Return all layout keys of CHART components referencing *chart_id*.
+
+    A chart can legitimately appear more than once in a layout (e.g. under
+    multiple tabs), so all occurrences are returned.
+    """
+    return [
+        key
+        for key, node in layout.items()
+        if isinstance(node, dict)
+        and node.get("type") == "CHART"
+        and (node.get("meta") or {}).get("chartId") == chart_id
+    ]
+
+
+def _find_parent_key(layout: Dict[str, Any], component_key: str) -> str | None:
+    """Find the component whose children list contains *component_key*.
+
+    The reverse lookup scans children lists instead of trusting the
+    ``parents`` metadata on the node, which can be stale in hand-edited or
+    programmatically generated layouts.
+    """
+    for key, node in layout.items():
+        if not isinstance(node, dict):
+            continue
+        children = node.get("children")
+        if isinstance(children, list) and component_key in children:
+            return key
+    return None
+
+
+def _remove_component_and_prune(
+    layout: Dict[str, Any], component_key: str
+) -> list[str]:
+    """Remove *component_key* from the layout and prune empty containers.
+
+    Walks up the parent chain deleting ROW/COLUMN containers that become
+    empty as a result of the removal, so no orphaned wrapper nodes are left
+    behind. Returns the list of removed layout keys.
+    """
+    removed: list[str] = []
+    parent_key = _find_parent_key(layout, component_key)
+
+    layout.pop(component_key, None)
+    removed.append(component_key)
+
+    child_key = component_key
+    while parent_key is not None:
+        parent = layout.get(parent_key)
+        if not isinstance(parent, dict):
+            break
+        children = parent.get("children")
+        if isinstance(children, list):
+            parent["children"] = [c for c in children if c != child_key]
+        if parent.get("type") in _PRUNABLE_TYPES and not 
parent.get("children"):
+            grandparent_key = _find_parent_key(layout, parent_key)
+            layout.pop(parent_key, None)
+            removed.append(parent_key)
+            child_key = parent_key
+            parent_key = grandparent_key
+        else:
+            break
+
+    return removed
+
+
+def _remove_chart_from_layout(layout: Dict[str, Any], chart_id: int) -> 
list[str]:
+    """Remove every CHART component for *chart_id* from the layout.
+
+    Returns all removed layout keys (charts plus pruned containers).
+    """
+    removed: list[str] = []
+    for chart_key in _find_chart_keys(layout, chart_id):
+        # The chart key may already be gone if it shared a pruned container.
+        if chart_key in layout:
+            removed.extend(_remove_component_and_prune(layout, chart_key))
+    return removed
+
+
+def _remove_id_from_list(values: Any, chart_id: int) -> tuple[Any, bool]:
+    """Return (new_list, changed) with *chart_id* removed from a list of IDs.
+
+    Handles both int and str representations since json_metadata is
+    user/frontend-authored and not strictly typed.
+    """
+    if not isinstance(values, list):
+        return values, False
+    filtered = [v for v in values if v != chart_id and v != str(chart_id)]
+    return filtered, len(filtered) != len(values)
+
+
+def _clean_json_metadata(metadata: Dict[str, Any], chart_id: int) -> bool:
+    """Remove stale references to *chart_id* from a json_metadata dict.
+
+    Cleans ``expanded_slices`` (dict keyed by chart ID), ``filter_scopes``
+    (dict keyed by filter chart ID, with per-column ``immune`` ID lists),
+    and ``timed_refresh_immune_slices`` (list of chart IDs). Mutates
+    *metadata* in place and returns True when anything changed.
+    """
+    changed = False
+    chart_key = str(chart_id)
+
+    expanded_slices = metadata.get("expanded_slices")
+    if isinstance(expanded_slices, dict) and chart_key in expanded_slices:
+        del expanded_slices[chart_key]
+        changed = True
+
+    immune_slices, immune_changed = _remove_id_from_list(
+        metadata.get("timed_refresh_immune_slices"), chart_id
+    )
+    if immune_changed:
+        metadata["timed_refresh_immune_slices"] = immune_slices
+        changed = True
+
+    filter_scopes = metadata.get("filter_scopes")
+    if isinstance(filter_scopes, dict):
+        if chart_key in filter_scopes:
+            del filter_scopes[chart_key]
+            changed = True
+        for column_scopes in filter_scopes.values():
+            if not isinstance(column_scopes, dict):
+                continue
+            for column_config in column_scopes.values():
+                if not isinstance(column_config, dict):
+                    continue
+                immune, immune_changed = _remove_id_from_list(
+                    column_config.get("immune"), chart_id
+                )
+                if immune_changed:
+                    column_config["immune"] = immune
+                    changed = True
+
+    return changed
+
+
+def _find_and_authorize_dashboard(
+    dashboard_id: int,
+) -> tuple[Any, RemoveChartFromDashboardResponse | None]:
+    """Return (dashboard, None) on success or (None, error_response) on 
failure.
+
+    Handles both the not-found case and the ownership check so the main tool
+    function doesn't need two separate branches for these pre-conditions.
+    """
+    from superset import security_manager
+    from superset.daos.dashboard import DashboardDAO
+    from superset.exceptions import SupersetSecurityException
+
+    dashboard = DashboardDAO.find_by_id(dashboard_id)
+    if not dashboard:
+        return None, RemoveChartFromDashboardResponse(
+            dashboard=None,
+            dashboard_url=None,
+            error=(
+                f"Dashboard with ID {dashboard_id} not found."
+                " Use list_dashboards to get valid dashboard IDs."
+            ),
+        )
+
+    try:
+        security_manager.raise_for_ownership(dashboard)
+    except SupersetSecurityException:
+        return None, RemoveChartFromDashboardResponse(
+            dashboard=None,
+            dashboard_url=None,
+            permission_denied=True,
+            error=(
+                f"You don't have permission to edit dashboard "
+                f"'{dashboard.dashboard_title}' (ID: {dashboard_id}). "
+                "Inform the user and do not attempt a workaround without "
+                "their confirmation."
+            ),
+        )
+
+    return dashboard, None
+
+
+@tool(
+    tags=["mutate"],
+    class_permission_name="Dashboard",
+    method_permission_name="write",
+    annotations=ToolAnnotations(
+        title="Remove chart from dashboard",
+        readOnlyHint=False,
+        destructiveHint=True,
+    ),
+)
+def remove_chart_from_dashboard(  # noqa: C901 — complexity is structural 
(layout traversal + multi-step authorization), not accidental
+    request: RemoveChartFromDashboardRequest, ctx: Context
+) -> RemoveChartFromDashboardResponse:
+    """
+    Remove a chart from an existing dashboard.
+
+    Deletes the chart's layout component(s) from the dashboard (all
+    occurrences, including under tabs), prunes rows/columns left empty by
+    the removal, detaches the chart from the dashboard, and cleans stale
+    chart references from dashboard metadata (expanded_slices,
+    timed_refresh_immune_slices, filter_scopes). The chart itself is NOT
+    deleted and remains available to other dashboards.
+    """
+    try:
+        from superset import db
+        from superset.commands.dashboard.update import UpdateDashboardCommand
+
+        # Validate dashboard exists and user has edit permission
+        with event_logger.log_context(
+            action="mcp.remove_chart_from_dashboard.validation"
+        ):
+            dashboard, auth_error = 
_find_and_authorize_dashboard(request.dashboard_id)
+            if auth_error is not None:
+                return auth_error
+
+        # Remove the chart from the layout tree
+        with 
event_logger.log_context(action="mcp.remove_chart_from_dashboard.layout"):
+            try:
+                current_layout = json.loads(dashboard.position_json or "{}")
+            except (json.JSONDecodeError, TypeError):
+                current_layout = {}
+
+            remaining_slices = [
+                slc for slc in dashboard.slices if slc.id != request.chart_id
+            ]
+            chart_in_slices = len(remaining_slices) != len(dashboard.slices)
+
+            removed_keys = _remove_chart_from_layout(current_layout, 
request.chart_id)
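
Review bot: In `_find_and_authorize_dashboard`, the permission-denied branch interpolates `dashboard.dashboard_title` into the `error` string right next to an instruction aimed at the calling agent ("Inform the user and do not attempt a workaround without their confirmation."), so owner-controlled title text lands in output the model reads as guidance, and a caller who fails `raise_for_ownership` still learns the title. Whether `DashboardDAO.find_by_id` already restricts results to dashboards the caller may read is not visible in this hunk; if it does not, return the ID only, or carry the title in a separate structured field rather than inside the instruction sentence. Separately, the `except (json.JSONDecodeError, TypeError)` fallback to `{}` proceeds silently on an unparseable `position_json`; log it or return a structured error so a tool marked `destructiveHint=True` does not continue on a layout it could not read.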

Review Comment:
   **Suggestion:** `position_json` is parsed but never validated to be a dict. 
If a dashboard row contains valid JSON that is not an object (for example 
`"[]"` from legacy/malformed data), `_remove_chart_from_layout` will call 
`.items()` on a non-dict and raise an uncaught exception, causing a 500 instead 
of a structured tool error. Validate `current_layout` with `isinstance(..., 
dict)` and fall back to `{}` before passing it to layout helpers. [type error]
   
   <details>
   <summary><b>Severity Level:</b> Major ⚠️</summary>
   
   ```mdx
   - ❌ MCP remove_chart_from_dashboard crashes on non-dict layout JSON.
   - ⚠️ Agents cannot reliably recover from bad dashboard layouts.
   ```
   </details>
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. In `tests/unit_tests/mcp_service/dashboard/tool/test_remove_chart_from_dashboard.py`
   use the existing `_mock_dashboard` helper at lines 96–126 to construct a dashboard with
   `position_json="[]"` (a JSON list string) and at least one chart slice, mirroring how
   `position_json` is used in real dashboards.
   
   2. Patch `superset.daos.dashboard.DashboardDAO.find_by_id` in a new test similarly to
   `test_chart_not_in_dashboard` (lines 60–75) so that `remove_chart_from_dashboard` receives
   this mocked dashboard when invoked via the MCP client helper `_call_remove` (lines
   254–260).
   
   3. Call the MCP tool `"remove_chart_from_dashboard"` through `Client.call_tool` in the
   test (lines 254–259), which routes to `remove_chart_from_dashboard` in
   `superset/mcp_service/dashboard/tool/remove_chart_from_dashboard.py:242`.
   
   4. During execution, the tool parses `dashboard.position_json` at lines 269–272
   (`current_layout = json.loads(dashboard.position_json or "{}")`), producing a Python list;
   `_remove_chart_from_layout(current_layout, request.chart_id)` at line 279 then calls
   `_find_chart_keys` (lines 56–68), which executes `layout.items()` on the list and raises
   `AttributeError`, an uncaught exception not handled by the outer
   `except (CommandException, SQLAlchemyError, KeyError, ValueError)` block at lines 171–185,
   resulting in a 500/uncaught tool error instead of a structured
   `RemoveChartFromDashboardResponse`.
   ```
   </details>
   


