dosubot[bot] commented on issue #36598: URL: https://github.com/apache/superset/issues/36598#issuecomment-3648361796
Hi @charlymarchiaro! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

You're right—embedding fails because the GuestUser class inherits is_active from AnonymousUserMixin, which always returns False. Flask-Login treats users with is_active=False as inactive, so API calls for embedded dashboards get a 403 error. Overriding is_active in GuestUser to return True fixes this, letting Flask-Login treat the guest as an active, authenticated user and allowing embedding to work as expected.

This change is safe: access control is still enforced by the roles and resources in the guest token, so it doesn't grant extra permissions beyond what's intended. There isn't any official documentation or prior issue about this, so overriding is_active in GuestUser is the recommended workaround for now.

Reference: [GuestUser implementation](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/guest_token.py#L56-L90), [SupersetSecurityManager logic](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py#L48-L2790).

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*

---

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
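The mechanism the comment describes, as an added, self-contained model that is not Superset's or Flask-Login's own code: `AnonymousUserMixinStandIn`, `GuestToken`, `GuestUserBefore`, `GuestUserAfter`, `login_gate` and `can_access_dashboard` are all constructed names. The stand-in mirrors Flask-Login's default of `is_active == False` for anonymous users, `login_gate` models the authenticated-and-active check that guards the embedded-dashboard API, and `can_access_dashboard` shows why the `is_active` override does not widen access: authorization is still decided by the resources carried in the guest token.

```python
# Added example: models the is_active gate and the token-scoped authorization
# described in the comment. All classes here are constructed stand-ins, not
# Superset's or Flask-Login's real implementations.
from dataclasses import dataclass


class AnonymousUserMixinStandIn:
    """Mirrors Flask-Login's default for anonymous users: neither authenticated nor active."""

    @property
    def is_authenticated(self) -> bool:
        return False

    @property
    def is_active(self) -> bool:
        return False


@dataclass(frozen=True)
class GuestToken:
    """Constructed guest-token payload: the dashboards the embed is allowed to reach."""

    resources: frozenset


class GuestUserBefore(AnonymousUserMixinStandIn):
    """Guest user as reported in the issue: authenticated, but inherits is_active == False."""

    def __init__(self, token: GuestToken) -> None:
        self.token = token

    @property
    def is_authenticated(self) -> bool:
        return True


class GuestUserAfter(GuestUserBefore):
    """Guest user with the override the comment recommends."""

    @property
    def is_active(self) -> bool:
        return True


def login_gate(user) -> int:
    """Models the Flask-Login check in front of the embedded-dashboard API:
    the user must be both authenticated and active, otherwise the call is rejected."""
    if not (user.is_authenticated and user.is_active):
        return 403
    return 200


def can_access_dashboard(user, dashboard_uuid: str) -> bool:
    """Authorization stays with the token: only dashboards listed in the token's
    resources are reachable, whatever is_active returns."""
    return dashboard_uuid in user.token.resources


if __name__ == "__main__":
    # Constructed token granting a single dashboard.
    token = GuestToken(resources=frozenset({"dash-allowed"}))
    print("before override:", login_gate(GuestUserBefore(token)))   # 403
    print("after override: ", login_gate(GuestUserAfter(token)))    # 200
    print("allowed dash:   ", can_access_dashboard(GuestUserAfter(token), "dash-allowed"))  # True
    print("other dash:     ", can_access_dashboard(GuestUserAfter(token), "dash-other"))    # False
```

The before/after pair isolates the single property that changes; the last two checks are the part worth keeping in a regression test, since they confirm that a guest who now passes the login gate still cannot reach a dashboard absent from its token.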
