dosubot[bot] commented on issue #37695: URL: https://github.com/apache/superset/issues/37695#issuecomment-3853041068
This happens because the Flask session is not always available in the context where SQL Lab executes queries or when you open a chart from SQL Lab. In these cases, Superset may use a test request context or run queries asynchronously, which can result in an empty Flask session—so any custom Jinja macro that depends on session data (like your `rls()` macro) will fail or return empty values. In contrast, chart and dashboard views usually have a full request context, so the session is populated as expected.

For Row Level Security (RLS), Superset's built-in logic ties RLS enforcement to user roles and dataset filters managed by the security manager, not directly to the Flask session. In SQL Lab, RLS can be applied if the `RLS_IN_SQLLAB` feature flag is enabled, but this uses the security manager context, not session data. When you create a chart directly from SQL Lab without saving the query as a dataset, RLS is not enforced on the resulting chart—this is a known issue and a potential security risk, as discussed in [issue #33346](https://github.com/apache/superset/issues/33346) and related threads. The recommended workaround is to always save your SQL Lab query as a dataset before creating a chart to ensure RLS is applied.

If you need dynamic RLS values, consider using Superset's built-in Jinja macros like `current_user_roles()` or `current_user_rls_rules()` that pull from the security manager, rather than relying on Flask session data, which is unreliable in SQL Lab contexts. There are ongoing efforts to unify SQL execution and security context handling across Superset, but for now, these inconsistencies remain ([discussion](https://github.com/apache/superset/discussions/33308), [unified API PR](https://github.com/apache/superset/pull/36529)).

-- This is an automated message from the Apache Git Service.
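The failure mode the comment describes, a session-backed macro that silently returns an empty predicate when the session is not populated in an async SQL Lab context, as an added, constructed Python simulation (not Superset's own code). `rls_from_session`, `rls_from_roles`, `RLS_RULES` and `USER_ROLES` are hypothetical stand-ins for the custom `rls()` macro, a role-backed macro, the security manager's rule table and the user store; the simulated request context uses `contextvars` in place of Flask.

```python
"""Constructed simulation (not Superset code): a session-backed RLS macro
fails open when the session is empty, a role-backed one does not."""
import contextvars

# Simulated Flask session: populated in a chart/dashboard request, empty in
# an async SQL Lab worker (the "empty Flask session" case in the comment).
_session = contextvars.ContextVar("session", default={})

# Hypothetical security-manager rule table, role -> RLS predicate (constructed).
RLS_RULES = {"Gamma": "tenant_id = 42", "Analyst": "region = 'EU'"}
# Hypothetical user store, user id -> roles (constructed).
USER_ROLES = {7: ["Gamma", "Analyst"]}


def rls_from_session():
    """Session-dependent macro (the pattern that breaks). With no session it
    returns "" and the query ends up unfiltered: it fails OPEN."""
    roles = _session.get().get("roles", [])
    return " AND ".join(RLS_RULES[r] for r in roles if r in RLS_RULES)


def rls_from_roles(user_id):
    """Role-backed macro resolving rules from the user identity, not the
    session. Unknown user or no rules yields a predicate matching nothing,
    so it fails CLOSED."""
    clauses = [RLS_RULES[r] for r in USER_ROLES.get(user_id, []) if r in RLS_RULES]
    return " AND ".join(clauses) if clauses else "1 = 0"


def render(predicate):
    """Build the query the way a template would; "" means no row filter."""
    return "SELECT * FROM sales WHERE " + (predicate or "1 = 1")


def chart_request(user_id):
    """Chart/dashboard path: full request context, session populated."""
    def run():
        _session.set({"user_id": user_id, "roles": USER_ROLES[user_id]})
        return render(rls_from_session()), render(rls_from_roles(user_id))
    return contextvars.copy_context().run(run)


def sqllab_worker(user_id):
    """Async SQL Lab path: fresh context, session never populated."""
    ctx = contextvars.Context()  # empty context, session falls back to {}
    return ctx.run(lambda: (render(rls_from_session()), render(rls_from_roles(user_id))))
```

In the worker path the session-backed macro produces `WHERE 1 = 1`, i.e. every row, which is why relying on the session is a security problem and not just a rendering bug.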
