Re: [PR] fix: Support metric macro for embedded users [superset]

[via GitHub]

korbit-ai[bot] commented on code in PR #35508:
URL: https://github.com/apache/superset/pull/35508#discussion_r2404920078


##########
superset/jinja_context.py:
##########
@@ -1086,7 +1086,13 @@ def metric_macro(
     if not dataset_id:
         dataset_id = get_dataset_id_from_context(metric_key)
 
-    dataset = DatasetDAO.find_by_id(dataset_id)
+    # Embedded user access is validated at the dashboard level, so we bypass
+    # the regular DAO filter for them
+    dataset = (
+        DatasetDAO.find_by_id(dataset_id)
+        if not security_manager.is_guest_user()
+        else DatasetDAO.find_by_id(dataset_id, skip_base_filter=True)
+    )

Review Comment:
   ### Authorization Logic Mixed with Data Access <sub>![category 
Design](https://img.shields.io/badge/Design-0d9488)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   The code duplicates the DatasetDAO.find_by_id call with different parameters 
based on user type, violating the DRY principle and mixing authorization logic 
with data access.
   
   
   ###### Why this matters
   This pattern makes the code harder to maintain and test, as authorization 
logic is scattered across the codebase rather than being centralized. It also 
makes it more difficult to modify the authorization behavior consistently.
   
   ###### Suggested change ∙ *Feature Preview*
   Extract the authorization logic into the DAO layer or a dedicated security 
service:
   ```python
   # In DatasetDAO or SecurityService
   def find_dataset_by_id(dataset_id: int) -> Dataset:
       skip_base_filter = security_manager.is_guest_user()
       return DatasetDAO.find_by_id(dataset_id, 
skip_base_filter=skip_base_filter)
   
   # In metric_macro
   dataset = find_dataset_by_id(dataset_id)
   ```
   
   
   ###### Provide feedback to improve future suggestions
   [![Nice 
Catch](https://img.shields.io/badge/👍%20Nice%20Catch-71BC78)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/2e0d2d01-316d-402f-a739-2b15f1b27450/upvote)
 
[![Incorrect](https://img.shields.io/badge/👎%20Incorrect-white)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/2e0d2d01-316d-402f-a739-2b15f1b27450?what_not_true=true)
  [![Not in 
Scope](https://img.shields.io/badge/👎%20Out%20of%20PR%20scope-white)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/2e0d2d01-316d-402f-a739-2b15f1b27450?what_out_of_scope=true)
 [![Not in coding 
standard](https://img.shields.io/badge/👎%20Not%20in%20our%20standards-white)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/2e0d2d01-316d-402f-a739-2b15f1b27450?what_not_in_standard=true)
 
[![Other](https://img.shields.io/badge/👎%20Other-white)](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/2e0d2d01-316d-402f-a739-2b15f1b27450)
   </details>
   
   <sub>
   
   💬 Looking for more details? Reply to this comment to chat with Korbit.
   </sub>
   
   <!--- korbi internal id:8a2e7f3b-0642-4d56-9911-c4a274e80bfb -->
   
   
   [](8a2e7f3b-0642-4d56-9911-c4a274e80bfb)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For additional commands, e-mail: notifications-h...@superset.apache.org