GitHub user rsaleev created a discussion: Custom SecurityManager issues with
/embedded view
@dosu
```
from flask import jsonify, redirect, request, session, url_for

# Method of the custom SecurityManager; log, PUBLIC_PATHS, PUBLIC_ENDPOINTS
# and DEFAULT_PROVIDER are defined elsewhere in the module/class.
def before_request(self):
    log.debug(f"Request session: {session.items()}")
    log.debug(f"Request headers: {request.headers}")
    # Public paths and endpoints skip every check below.
    if request.path and any(
        request.path.startswith(path) for path in self.PUBLIC_PATHS
    ):
        log.debug(f"🟢 Public path allowed: {request.path}")
        return
    if request.endpoint and request.endpoint in self.PUBLIC_ENDPOINTS:
        log.debug(f"🟢 Allowing endpoint: {request.endpoint}")
        return
    if self.user_is_guest():
        return self._handle_guest_request()
    logged_in = self.auth_user_logged_in()
    if logged_in:
        return
    log.warning(f"🔐 Unauthenticated API access: {request.endpoint}")
    if request.path.startswith("/api/"):
        # API clients get a 401 instead of a login redirect.
        return jsonify({"error": "Authentication required"}), 401
    return redirect(url_for("KeycloakOAuthView.login",
                            provider=DEFAULT_PROVIDER))
```
/embedded is set as a public path to bypass any logic and use what is
implemented in EmbeddedView, but then an error occurs in the BaseView logic,
since the user is set from AnonymousMixin
```
2026-03-06 07:52:20,275:WARNING:superset.views.error_handling:Exception
Traceback (most recent call last):
  File "/app/.venv/lib/python3.12/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.venv/lib/python3.12/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/superset/utils/log.py", line 302, in wrapper
    value = f(*args, add_extra_log_payload=log, **kwargs)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/superset/embedded/view.py", line 83, in embedded
    "common": common_bootstrap_payload(),
              ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/superset/views/base.py", line 456, in common_bootstrap_payload
    **cached_common_bootstrap_data(utils.get_user_id(), get_locale()),
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.venv/lib/python3.12/site-packages/flask_caching/__init__.py", line 899, in decorated_function
    rv = self._call_fn(f, *args, **kwargs)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.venv/lib/python3.12/site-packages/flask_caching/__init__.py", line 185, in _call_fn
    return ensure_sync(fn)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/superset/views/base.py", line 445, in cached_common_bootstrap_data
    "menu_data": menu_data(g.user),
                           ^^^^^^
  File "/app/.venv/lib/python3.12/site-packages/flask/ctx.py", line 54, in __getattr__
    raise AttributeError(name) from None
AttributeError: user
```
Do I need to manually assign the AnonymousMixin user or change the base view to
`def menu_data(user: User|None) -> dict[str, Any]:`
then in the method
`"user_is_anonymous": True if not user else False,`
since the user object is None
```
bootstrap_data = {
    "application_root": app.config["APPLICATION_ROOT"],
    "static_assets_prefix": app.config["STATIC_ASSETS_PREFIX"],
    "conf": frontend_config,
    "locale": language,
    "d3_format": app.config.get("D3_FORMAT"),
    "d3_time_format": app.config.get("D3_TIME_FORMAT"),
    "currencies": app.config.get("CURRENCIES"),
    "deckgl_tiles": app.config.get("DECKGL_BASE_MAP"),
    "feature_flags": get_feature_flags(),
    "extra_sequential_color_schemes": app.config[
        "EXTRA_SEQUENTIAL_COLOR_SCHEMES"
    ],
    "extra_categorical_color_schemes": app.config[
        "EXTRA_CATEGORICAL_COLOR_SCHEMES"
    ],
    "menu_data": menu_data(getattr(g, "user", None)),
}
```
for
```
@cache_manager.cache.memoize(timeout=60)
def cached_common_bootstrap_data(  # pylint: disable=unused-argument
    user_id: int | None, locale: Locale | None
) -> dict[str, Any]:
```
It worked fine before, until the SDK client was upgraded to the current version.
X-GuestToken is not sent with the /embedded request, so the logic is changed.
GitHub link: https://github.com/apache/superset/discussions/38467
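
The failure in the traceback above, reproduced in a minimal Flask app as an added example (not code from the discussion or from Superset): a `before_request` hook that returns early for a public path never populates `g.user`, so a view that reads `g.user` raises `AttributeError`, while either setting an anonymous user in the hook or reading it with `getattr` avoids the error. `AnonymousUser`, `make_app` and `embedded_status` are hypothetical names, and the example assumes the hook is the only place `g.user` would be set.

```python
from flask import Flask, g, jsonify, request

PUBLIC_PATHS = ("/embedded",)  # constructed stand-in for self.PUBLIC_PATHS


class AnonymousUser:
    """Constructed stand-in for an anonymous user object."""

    is_anonymous = True


def make_app(hook_sets_user: bool, view_tolerates_missing: bool) -> Flask:
    app = Flask(__name__)

    @app.before_request
    def before_request():
        if any(request.path.startswith(p) for p in PUBLIC_PATHS):
            if hook_sets_user:
                g.user = AnonymousUser()  # populate g.user before returning early
            return None  # public path: the auth checks below are skipped
        # Assumption: nobody is logged in here, so every other path is refused.
        return jsonify({"error": "Authentication required"}), 401

    @app.route("/embedded/<uuid>")
    def embedded(uuid):
        if view_tolerates_missing:
            user = getattr(g, "user", None)  # the change proposed in the post
        else:
            user = g.user  # same access as menu_data(g.user) in the traceback
        return jsonify({"user_is_anonymous": user is None or user.is_anonymous})

    return app


def embedded_status(hook_sets_user: bool, view_tolerates_missing: bool) -> int:
    """Status code of GET /embedded/<uuid> for the given combination."""
    client = make_app(hook_sets_user, view_tolerates_missing).test_client()
    return client.get("/embedded/constructed-uuid").status_code


if __name__ == "__main__":
    for hook, view in ((False, False), (True, False), (False, True)):
        print(f"hook_sets_user={hook} view_tolerates_missing={view} ->",
              embedded_status(hook, view))
```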