gkneighb commented on code in PR #41842:
URL: https://github.com/apache/superset/pull/41842#discussion_r3575513358


##########
superset/mcp_service/chart/schemas.py:
##########
@@ -2725,6 +2725,35 @@ class ChartFiltersInfo(BaseModel):
     )
 
 
+class RestoreChartRequest(BaseModel):
+    """Request schema for restore_chart."""
+
+    identifier: int | str = Field(
+        ...,
+        description=(
+            "Chart identifier - numeric ID or UUID string (charts have no 
slug)."
+        ),
+    )

Review Comment:
   Fixed in the latest push — boolean identifiers rejected on both restore 
request schemas with tests, mirroring the delete tools.



##########
superset/mcp_service/chart/tool/restore_chart.py:
##########
@@ -0,0 +1,177 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+MCP tool: restore_chart
+"""
+
+import logging
+from typing import Any
+
+from fastmcp import Context
+from sqlalchemy.exc import SQLAlchemyError
+from superset_core.mcp.decorators import tool, ToolAnnotations
+
+from superset.commands.chart.exceptions import (
+    ChartForbiddenError,
+    ChartNotFoundError,
+)
+from superset.commands.exceptions import CommandException
+from superset.extensions import event_logger
+from superset.mcp_service.chart.schemas import (
+    RestoreChartRequest,
+    RestoreChartResponse,
+)
+from superset.mcp_service.utils import (
+    escape_llm_context_delimiters,
+    sanitize_for_llm_context,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def _find_chart_for_restore(identifier: int | str) -> Any | None:
+    """Resolve a chart by numeric ID or UUID, including soft-deleted rows.
+
+    Both bypasses mirror ``BaseRestoreCommand.validate``'s own lookup:
+    ``skip_visibility_filter`` unhides the soft-deleted row, and
+    ``skip_base_filter`` keeps an editor's own trash reachable even when the
+    entity's RBAC base_filter has no editorship leg (a lost grant must not
+    hide a row from the one audience that can restore it). The restore
+    audience is enforced by ``RestoreChartCommand`` via
+    ``raise_for_editorship``.
+    """
+    from superset.daos.chart import ChartDAO
+
+    return ChartDAO.find_by_id_or_uuid(
+        str(identifier),
+        skip_base_filter=True,
+        skip_visibility_filter=True,
+    )
+
+
+def _rollback() -> None:
+    from superset import db
+
+    try:
+        db.session.rollback()  # pylint: disable=consider-using-transaction
+    except SQLAlchemyError:
+        logger.warning("Database rollback failed during restore_chart error 
handling")
+
+
+@tool(
+    tags=["mutate"],
+    class_permission_name="Chart",
+    annotations=ToolAnnotations(
+        title="Restore chart",
+        readOnlyHint=False,
+        destructiveHint=False,
+    ),
+)
+async def restore_chart(
+    request: RestoreChartRequest, ctx: Context
+) -> RestoreChartResponse:
+    """Restore a soft-deleted chart from trash.
+
+    Identify the chart by numeric ID or UUID string (NOT chart name). Only
+    charts that were soft-deleted (moved to trash while the ``SOFT_DELETE``
+    feature flag was enabled) can be restored; permanently deleted charts are
+    unrecoverable. The caller must be an editor of the chart (owners and
+    Admins qualify).
+
+    Example:
+    ```json
+    {"identifier": 123}
+    ```
+
+    Returns success with the restored chart's id/name, or an error. When the
+    caller lacks permission, ``permission_denied`` is true — do not retry; ask
+    the user.
+    """
+    await ctx.info("Restoring chart: identifier=%s" % (request.identifier,))
+
+    try:
+        chart = _find_chart_for_restore(request.identifier)
+    except SQLAlchemyError:
+        _rollback()
+        logger.exception("Chart lookup failed during restore_chart")
+        return RestoreChartResponse(
+            success=False,
+            error="Chart lookup failed due to a database error.",
+            error_type="LookupFailed",
+        )
+    if not chart:
+        safe_id = escape_llm_context_delimiters(str(request.identifier)[:200])
+        msg = f"No chart found with identifier: {safe_id}."
+        return RestoreChartResponse(success=False, error=msg, 
error_type="NotFound")
+
+    chart_id = chart.id
+    # Chart names are user-controlled; wrap before composing response text so
+    # a hostile name cannot inject prompt content into the tool output.
+    chart_name = sanitize_for_llm_context(chart.slice_name, 
field_path=("slice_name",))
+
+    if chart.deleted_at is None:
+        return RestoreChartResponse(
+            success=False,
+            error=(
+                f"Chart '{chart_name}' (id={chart_id}) is not in trash; "
+                "nothing to restore."
+            ),
+            error_type="NotDeleted",
+        )
+
+    try:
+        from superset.commands.chart.restore import RestoreChartCommand
+
+        with event_logger.log_context(action="mcp.restore_chart"):
+            RestoreChartCommand(str(chart.uuid)).run()

Review Comment:
   Fixed in the latest push — try/except moved inside log_context so failed 
restore attempts are audited, mirroring the delete tools.



##########
superset/mcp_service/dashboard/tool/restore_dashboard.py:
##########
@@ -0,0 +1,185 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+MCP tool: restore_dashboard
+"""
+
+import logging
+from typing import Any
+
+from fastmcp import Context
+from sqlalchemy.exc import SQLAlchemyError
+from superset_core.mcp.decorators import tool, ToolAnnotations
+
+from superset.commands.dashboard.exceptions import (
+    DashboardForbiddenError,
+    DashboardNotFoundError,
+)
+from superset.commands.exceptions import CommandException
+from superset.extensions import event_logger
+from superset.mcp_service.dashboard.schemas import (
+    RestoreDashboardRequest,
+    RestoreDashboardResponse,
+)
+from superset.mcp_service.utils import (
+    escape_llm_context_delimiters,
+    sanitize_for_llm_context,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def _find_dashboard_for_restore(identifier: int | str) -> Any | None:
+    """Resolve a dashboard by numeric ID or UUID, including soft-deleted rows.
+
+    Both bypasses mirror ``BaseRestoreCommand.validate``'s own lookup:
+    ``skip_visibility_filter`` unhides the soft-deleted row, and
+    ``skip_base_filter`` keeps an editor's own trash reachable even when the
+    entity's RBAC base_filter has no editorship leg (a lost grant must not
+    hide a row from the one audience that can restore it). The restore
+    audience is enforced by ``RestoreDashboardCommand`` via
+    ``raise_for_editorship``.
+    """
+    from superset.daos.dashboard import DashboardDAO
+
+    return DashboardDAO.find_by_id_or_uuid(
+        str(identifier),
+        skip_base_filter=True,
+        skip_visibility_filter=True,
+    )
+
+
+def _rollback() -> None:
+    from superset import db
+
+    try:
+        db.session.rollback()  # pylint: disable=consider-using-transaction
+    except SQLAlchemyError:
+        logger.warning(
+            "Database rollback failed during restore_dashboard error handling"
+        )
+
+
+@tool(
+    tags=["mutate"],
+    class_permission_name="Dashboard",
+    annotations=ToolAnnotations(
+        title="Restore dashboard",
+        readOnlyHint=False,
+        destructiveHint=False,
+    ),
+)
+async def restore_dashboard(
+    request: RestoreDashboardRequest, ctx: Context
+) -> RestoreDashboardResponse:
+    """Restore a soft-deleted dashboard from trash.
+
+    Identify the dashboard by numeric ID or UUID string (slug lookup does not
+    cover trashed dashboards). Only dashboards that were soft-deleted (moved
+    to trash while the ``SOFT_DELETE`` feature flag was enabled) can be
+    restored; permanently deleted dashboards are unrecoverable. The caller
+    must be an editor of the dashboard (owners and Admins qualify).
+
+    Example:
+    ```json
+    {"identifier": 42}
+    ```
+
+    Returns success with the restored dashboard's id/title, or an error. When
+    the caller lacks permission, ``permission_denied`` is true — do not retry;
+    ask the user.
+    """
+    await ctx.info("Restoring dashboard: identifier=%s" % 
(request.identifier,))
+
+    try:
+        dashboard = _find_dashboard_for_restore(request.identifier)
+    except SQLAlchemyError:
+        _rollback()
+        logger.exception("Dashboard lookup failed during restore_dashboard")
+        return RestoreDashboardResponse(
+            success=False,
+            error="Dashboard lookup failed due to a database error.",
+            error_type="LookupFailed",
+        )
+    if not dashboard:
+        safe_id = escape_llm_context_delimiters(str(request.identifier)[:200])
+        msg = f"No dashboard found with identifier: {safe_id}."
+        return RestoreDashboardResponse(success=False, error=msg, 
error_type="NotFound")
+
+    dashboard_id = dashboard.id
+    # Dashboard titles are user-controlled; wrap before composing response
+    # text so a hostile title cannot inject prompt content into the output.
+    dashboard_name = sanitize_for_llm_context(
+        dashboard.dashboard_title, field_path=("dashboard_title",)
+    )
+
+    if dashboard.deleted_at is None:
+        return RestoreDashboardResponse(
+            success=False,
+            error=(
+                f"Dashboard '{dashboard_name}' (id={dashboard_id}) is not in "
+                "trash; nothing to restore."
+            ),
+            error_type="NotDeleted",
+        )
+
+    try:
+        from superset.commands.dashboard.restore import RestoreDashboardCommand
+
+        with event_logger.log_context(action="mcp.restore_dashboard"):
+            RestoreDashboardCommand(str(dashboard.uuid)).run()

Review Comment:
   Fixed in the latest push — same restructure as restore_chart.



##########
superset/mcp_service/chart/tool/restore_chart.py:
##########
@@ -0,0 +1,177 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+MCP tool: restore_chart
+"""
+
+import logging
+from typing import Any
+
+from fastmcp import Context
+from sqlalchemy.exc import SQLAlchemyError
+from superset_core.mcp.decorators import tool, ToolAnnotations
+
+from superset.commands.chart.exceptions import (
+    ChartForbiddenError,
+    ChartNotFoundError,
+)
+from superset.commands.exceptions import CommandException
+from superset.extensions import event_logger
+from superset.mcp_service.chart.schemas import (
+    RestoreChartRequest,
+    RestoreChartResponse,
+)
+from superset.mcp_service.utils import (
+    escape_llm_context_delimiters,
+    sanitize_for_llm_context,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def _find_chart_for_restore(identifier: int | str) -> Any | None:
+    """Resolve a chart by numeric ID or UUID, including soft-deleted rows.
+
+    Both bypasses mirror ``BaseRestoreCommand.validate``'s own lookup:
+    ``skip_visibility_filter`` unhides the soft-deleted row, and
+    ``skip_base_filter`` keeps an editor's own trash reachable even when the
+    entity's RBAC base_filter has no editorship leg (a lost grant must not
+    hide a row from the one audience that can restore it). The restore
+    audience is enforced by ``RestoreChartCommand`` via
+    ``raise_for_editorship``.
+    """
+    from superset.daos.chart import ChartDAO
+
+    return ChartDAO.find_by_id_or_uuid(
+        str(identifier),
+        skip_base_filter=True,
+        skip_visibility_filter=True,
+    )

Review Comment:
   Declining: this bypass was explicitly requested in the maintainer's review 
(see the reopened thread above) and matches BaseRestoreCommand.validate at 
HEAD, which passes skip_base_filter=True by design — its docstring explains a 
lost base_filter grant must not hide a row from the one audience that can 
restore it. The restore audience is enforced by raise_for_editorship in the 
command; a non-editor holding a valid identifier gets permission_denied, same 
as the REST restore endpoint.



##########
superset/mcp_service/dashboard/tool/restore_dashboard.py:
##########
@@ -0,0 +1,185 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+MCP tool: restore_dashboard
+"""
+
+import logging
+from typing import Any
+
+from fastmcp import Context
+from sqlalchemy.exc import SQLAlchemyError
+from superset_core.mcp.decorators import tool, ToolAnnotations
+
+from superset.commands.dashboard.exceptions import (
+    DashboardForbiddenError,
+    DashboardNotFoundError,
+)
+from superset.commands.exceptions import CommandException
+from superset.extensions import event_logger
+from superset.mcp_service.dashboard.schemas import (
+    RestoreDashboardRequest,
+    RestoreDashboardResponse,
+)
+from superset.mcp_service.utils import (
+    escape_llm_context_delimiters,
+    sanitize_for_llm_context,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def _find_dashboard_for_restore(identifier: int | str) -> Any | None:
+    """Resolve a dashboard by numeric ID or UUID, including soft-deleted rows.
+
+    Both bypasses mirror ``BaseRestoreCommand.validate``'s own lookup:
+    ``skip_visibility_filter`` unhides the soft-deleted row, and
+    ``skip_base_filter`` keeps an editor's own trash reachable even when the
+    entity's RBAC base_filter has no editorship leg (a lost grant must not
+    hide a row from the one audience that can restore it). The restore
+    audience is enforced by ``RestoreDashboardCommand`` via
+    ``raise_for_editorship``.
+    """
+    from superset.daos.dashboard import DashboardDAO
+
+    return DashboardDAO.find_by_id_or_uuid(
+        str(identifier),
+        skip_base_filter=True,
+        skip_visibility_filter=True,
+    )

Review Comment:
   Declining: this bypass was explicitly requested in the maintainer's review 
(see the reopened thread above) and matches BaseRestoreCommand.validate at 
HEAD, which passes skip_base_filter=True by design — its docstring explains a 
lost base_filter grant must not hide a row from the one audience that can 
restore it. The restore audience is enforced by raise_for_editorship in the 
command; a non-editor holding a valid identifier gets permission_denied, same 
as the REST restore endpoint.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to