codeant-ai-for-open-source[bot] commented on code in PR #40958: URL: https://github.com/apache/superset/pull/40958#discussion_r3482429213
########## superset/mcp_service/dashboard/tool/remove_chart_from_dashboard.py: ########## @@ -0,0 +1,447 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +""" +MCP tool: remove_chart_from_dashboard + +This tool removes a chart from an existing dashboard. It is the inverse of +add_chart_to_existing_dashboard: it deletes the chart's CHART component(s) +from position_json (pruning ROW/COLUMN containers that become empty), +removes the chart from the dashboard's slices relationship, and cleans +stale references to the chart from json_metadata (expanded_slices, +timed_refresh_immune_slices, filter_scopes). +""" + +import logging +from typing import Any, Dict + +from fastmcp import Context +from sqlalchemy.exc import SQLAlchemyError +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.commands.exceptions import CommandException +from superset.extensions import event_logger +from superset.mcp_service.dashboard.schemas import ( + DashboardInfo, + RemoveChartFromDashboardRequest, + RemoveChartFromDashboardResponse, + serialize_chart_summary, +) +from superset.mcp_service.privacy import user_can_view_data_model_metadata +from superset.mcp_service.utils.url_utils import get_superset_base_url +from superset.utils import json + +logger = logging.getLogger(__name__) + +# Container types that should be deleted once they have no children left. +# TAB/TABS/GRID/ROOT containers are intentionally kept even when empty — +# deleting a TAB would silently change the dashboard's visible structure. +_PRUNABLE_TYPES = ("ROW", "COLUMN") + + +def _find_chart_keys(layout: Dict[str, Any], chart_id: int) -> list[str]: + """Return all layout keys of CHART components referencing *chart_id*. + + A chart can legitimately appear more than once in a layout (e.g. under + multiple tabs), so all occurrences are returned. + """ + # Accept both int and string chartId — position_json is user/frontend-authored + # and imported or hand-edited layouts may store chartId as a string. + return [ + key + for key, node in layout.items() + if isinstance(node, dict) + and node.get("type") == "CHART" + and (node.get("meta") or {}).get("chartId") in (chart_id, str(chart_id)) + ] + + +def _find_parent_key(layout: Dict[str, Any], component_key: str) -> str | None: + """Find the component whose children list contains *component_key*. + + The reverse lookup scans children lists instead of trusting the + ``parents`` metadata on the node, which can be stale in hand-edited or + programmatically generated layouts. + """ + for key, node in layout.items(): + if not isinstance(node, dict): + continue + children = node.get("children") + if isinstance(children, list) and component_key in children: + return key + return None + + +def _remove_component_and_prune( + layout: Dict[str, Any], component_key: str +) -> list[str]: + """Remove *component_key* from the layout and prune empty containers. + + Walks up the parent chain deleting ROW/COLUMN containers that become + empty as a result of the removal, so no orphaned wrapper nodes are left + behind. Returns the list of removed layout keys. + """ + removed: list[str] = [] + parent_key = _find_parent_key(layout, component_key) + + layout.pop(component_key, None) + removed.append(component_key) + + child_key = component_key + while parent_key is not None: + parent = layout.get(parent_key) + if not isinstance(parent, dict): + break + children = parent.get("children") + if isinstance(children, list): + parent["children"] = [c for c in children if c != child_key] + if parent.get("type") in _PRUNABLE_TYPES and not parent.get("children"): + grandparent_key = _find_parent_key(layout, parent_key) + layout.pop(parent_key, None) + removed.append(parent_key) + child_key = parent_key + parent_key = grandparent_key + else: + break + + return removed + + +def _remove_chart_from_layout(layout: Dict[str, Any], chart_id: int) -> list[str]: + """Remove every CHART component for *chart_id* from the layout. + + Returns all removed layout keys (charts plus pruned containers). + """ + removed: list[str] = [] + for chart_key in _find_chart_keys(layout, chart_id): + # The chart key may already be gone if it shared a pruned container. + if chart_key in layout: + removed.extend(_remove_component_and_prune(layout, chart_key)) + return removed + + +def _remove_id_from_list(values: Any, chart_id: int) -> tuple[Any, bool]: + """Return (new_list, changed) with *chart_id* removed from a list of IDs. + + Handles both int and str representations since json_metadata is + user/frontend-authored and not strictly typed. + """ + if not isinstance(values, list): + return values, False + filtered = [v for v in values if v != chart_id and v != str(chart_id)] + return filtered, len(filtered) != len(values) + + +def _clean_json_metadata(metadata: Dict[str, Any], chart_id: int) -> bool: + """Remove stale references to *chart_id* from a json_metadata dict. + + Cleans ``expanded_slices`` (dict keyed by chart ID), ``filter_scopes`` + (dict keyed by filter chart ID, with per-column ``immune`` ID lists), + and ``timed_refresh_immune_slices`` (list of chart IDs). Mutates + *metadata* in place and returns True when anything changed. + """ + changed = False + chart_key = str(chart_id) + + expanded_slices = metadata.get("expanded_slices") + if isinstance(expanded_slices, dict) and chart_key in expanded_slices: + del expanded_slices[chart_key] + changed = True + + immune_slices, immune_changed = _remove_id_from_list( + metadata.get("timed_refresh_immune_slices"), chart_id + ) + if immune_changed: + metadata["timed_refresh_immune_slices"] = immune_slices + changed = True + + filter_scopes = metadata.get("filter_scopes") + if isinstance(filter_scopes, dict): + if chart_key in filter_scopes: + del filter_scopes[chart_key] + changed = True + for column_scopes in filter_scopes.values(): + if not isinstance(column_scopes, dict): + continue + for column_config in column_scopes.values(): + if not isinstance(column_config, dict): + continue + immune, immune_changed = _remove_id_from_list( + column_config.get("immune"), chart_id + ) + if immune_changed: + column_config["immune"] = immune + changed = True + + return changed + + +def _find_and_authorize_dashboard( + dashboard_id: int, +) -> tuple[Any, RemoveChartFromDashboardResponse | None]: + """Return (dashboard, None) on success or (None, error_response) on failure. + + Handles both the not-found case and the ownership check so the main tool + function doesn't need two separate branches for these pre-conditions. + """ + from superset import security_manager + from superset.daos.dashboard import DashboardDAO + from superset.exceptions import SupersetSecurityException + + dashboard = DashboardDAO.find_by_id(dashboard_id) + if not dashboard: + return None, RemoveChartFromDashboardResponse( + dashboard=None, + dashboard_url=None, + error=( + f"Dashboard with ID {dashboard_id} not found." + " Use list_dashboards to get valid dashboard IDs." + ), + ) + + try: + security_manager.raise_for_ownership(dashboard) + except SupersetSecurityException: + return None, RemoveChartFromDashboardResponse( + dashboard=None, + dashboard_url=None, + permission_denied=True, + error=( + f"You don't have permission to edit dashboard " + f"'{dashboard.dashboard_title}' (ID: {dashboard_id}). " + "Inform the user and do not attempt a workaround without " + "their confirmation." + ), + ) + + return dashboard, None + + +@tool( + tags=["mutate"], + class_permission_name="Dashboard", + method_permission_name="write", + annotations=ToolAnnotations( + title="Remove chart from dashboard", + readOnlyHint=False, + destructiveHint=True, + ), +) +def remove_chart_from_dashboard( # noqa: C901 — complexity is structural (layout traversal + multi-step authorization), not accidental + request: RemoveChartFromDashboardRequest, ctx: Context +) -> RemoveChartFromDashboardResponse: + """ + Remove a chart from an existing dashboard. + + Deletes the chart's layout component(s) from the dashboard (all + occurrences, including under tabs), prunes rows/columns left empty by + the removal, detaches the chart from the dashboard, and cleans stale + chart references from dashboard metadata (expanded_slices, + timed_refresh_immune_slices, filter_scopes). The chart itself is NOT + deleted and remains available to other dashboards. + """ + try: + from superset import db + from superset.commands.dashboard.update import UpdateDashboardCommand + + # Validate dashboard exists and user has edit permission + with event_logger.log_context( + action="mcp.remove_chart_from_dashboard.validation" + ): + dashboard, auth_error = _find_and_authorize_dashboard(request.dashboard_id) + if auth_error is not None: + return auth_error + + # Remove the chart from the layout tree + with event_logger.log_context(action="mcp.remove_chart_from_dashboard.layout"): + try: + current_layout = json.loads(dashboard.position_json or "{}") + except (json.JSONDecodeError, TypeError): + current_layout = {} + if not isinstance(current_layout, dict): + current_layout = {} + + remaining_slices = [ + slc for slc in dashboard.slices if slc.id != request.chart_id + ] + chart_in_slices = len(remaining_slices) != len(dashboard.slices) + + removed_keys = _remove_chart_from_layout(current_layout, request.chart_id) + + if not removed_keys and not chart_in_slices: + return RemoveChartFromDashboardResponse( + dashboard=None, + dashboard_url=None, + error=( + f"Chart {request.chart_id} is not in dashboard " + f"{request.dashboard_id}. Use get_dashboard_info to " + "see which charts the dashboard contains." + ), + ) + + # Update the dashboard + with event_logger.log_context( + action="mcp.remove_chart_from_dashboard.db_write" + ): + update_data: dict[str, Any] = { + "position_json": json.dumps(current_layout), + "slices": remaining_slices, # Pass ORM objects, not IDs + } + + # Clean stale chart references from json_metadata. When anything + # changed, route the full metadata blob through the command's + # json_metadata path, including the new layout under "positions" + # so DashboardDAO.set_dash_metadata takes its legacy branch that + # preserves (and re-scopes) filter_scopes; without "positions" + # that DAO method drops filter_scopes entirely. + try: + metadata = json.loads(dashboard.json_metadata or "{}") + except (json.JSONDecodeError, TypeError): + metadata = None + if isinstance(metadata, dict) and _clean_json_metadata( + metadata, request.chart_id + ): + metadata["positions"] = current_layout + update_data["json_metadata"] = json.dumps(metadata) Review Comment: **Suggestion:** Adding `positions` into `json_metadata` before calling `UpdateDashboardCommand` causes `DashboardDAO.set_dash_metadata` to recompute `dashboard.slices` from the layout and overwrite the explicit `slices` update. In out-of-sync dashboards, this can silently drop charts unrelated to the requested removal. Avoid routing metadata cleanup through the `positions` branch, or use a metadata update path that does not reset the slices relationship. [logic error] <details> <summary><b>Severity Level:</b> Major ⚠️</summary> ```mdx - ❌ remove_chart_from_dashboard detaches unrelated charts from dashboard. - ⚠️ DashboardInfo.charts omits charts still logically attached. - ⚠️ Downstream MCP tools see incomplete dashboard chart lists. ``` </details> <details> <summary><b>Steps of Reproduction ✅ </b></summary> ```mdx 1. Create a dashboard record via normal Superset flows so it appears in `DashboardDAO.find_by_id` (see `superset/daos/dashboard.py:205`), with `dashboard.position_json` matching `_simple_grid_layout()` from `tests/unit_tests/mcp_service/dashboard/tool/test_remove_chart_from_dashboard.py:141-168` (charts 10 and 20 in layout) and `dashboard.slices` containing three Slice objects with ids `[10, 20, 30]` so chart 30 is attached to the dashboard but not present in the layout. 2. Set `dashboard.json_metadata` so it contains stale references to chart 10, for example the metadata dict in `test_json_metadata_cleanup` at `tests/unit_tests/mcp_service/dashboard/tool/test_remove_chart_from_dashboard.py:269-277` but extended to also include references to chart 30 (e.g. `filter_scopes["30"]`), ensuring `_clean_json_metadata()` at `remove_chart_from_dashboard.py:149-190` will return True when chart 10 is removed. 3. From any FastMCP client, call the `remove_chart_from_dashboard` tool (registered in `superset/mcp_service/app.py:8-16`) as shown in `_call_remove` at `tests/unit_tests/mcp_service/dashboard/tool/test_remove_chart_from_dashboard.py:5-14`, passing `dashboard_id=<the dashboard id>` and `chart_id=10`. The tool loads the dashboard in `_find_and_authorize_dashboard()` (`remove_chart_from_dashboard.py:193-231`), parses the layout and removes chart 10 (`_remove_chart_from_layout` at lines 124-135), computes `remaining_slices = [slc for slc in dashboard.slices if slc.id != request.chart_id]` (lines 278-281, so `[20, 30]`), and then executes the json_metadata cleanup block at lines 311-319 where `_clean_json_metadata` returns True and `metadata["positions"] = current_layout` plus `update_data["json_metadata"]` are set. 4. When `UpdateDashboardCommand` is constructed and run with `update_data` at `remove_chart_from_dashboard.py:321-322`, `UpdateDashboardCommand.run()` in `superset/commands/dashboard/update.py:14-35` calls `DashboardDAO.update` and then `DashboardDAO.set_dash_metadata(dashboard, data=json.loads(self._properties.get("json_metadata", "{}")))`. Inside `set_dash_metadata` (`superset/daos/dashboard.py:204-240`), the presence of `positions` causes it to compute `slice_ids` only from the layout's CHART components (now `[20]`), load `current_slices` from the database, and assign `dashboard.slices = current_slices` at line 224, silently dropping chart 30 from the dashboard's slices relationship even though it was unrelated to the remove request and still present in `remaining_slices` before the metadata step. Re-fetching the dashboard in `remove_chart_from_dashboard.py:337-347` then exposes this reduced slice set in the returned `DashboardInfo.charts`, confirming the unintended removal. ``` </details> [](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=7033b49811a24b40ab4297e7a947be28&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) [](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=7033b49811a24b40ab4297e7a947be28&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) *(Use Cmd/Ctrl + Click for best experience)* <details> <summary><b>Prompt for AI Agent 🤖 </b></summary> ```mdx This is a comment left during a code review. **Path:** superset/mcp_service/dashboard/tool/remove_chart_from_dashboard.py **Line:** 315:319 **Comment:** *Logic Error: Adding `positions` into `json_metadata` before calling `UpdateDashboardCommand` causes `DashboardDAO.set_dash_metadata` to recompute `dashboard.slices` from the layout and overwrite the explicit `slices` update. In out-of-sync dashboards, this can silently drop charts unrelated to the requested removal. Avoid routing metadata cleanup through the `positions` branch, or use a metadata update path that does not reset the slices relationship. Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise. Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix ``` </details> <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40958&comment_hash=8616def360ab6c553e01ef1f363271550cee9037cadcc360d0686b0d0615a8a7&reaction=like'>👍</a> | <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40958&comment_hash=8616def360ab6c553e01ef1f363271550cee9037cadcc360d0686b0d0615a8a7&reaction=dislike'>👎</a> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
