GitHub user dosubot[bot] added a comment to the discussion: Custom SecurityManager issues with /embedded view
The issue is that your custom `before_request` is bypassing the `/embedded` view's built-in authentication setup. The [`/embedded` view explicitly logs in an AnonymousUserMixin](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/embedded/view.py#L69-L72) to ensure `g.user` exists:

```python
# Log in as an anonymous user, just for this view.
login_user(AnonymousUserMixin(), force=True)
```

When you bypass authentication for `/embedded`, this `login_user()` call never happens, so `g.user` is never set, and [`menu_data(g.user)`](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/views/base.py#L375) fails with `AttributeError`.

**Recommended fix**: Don't bypass authentication for `/embedded`. Remove it from your `PUBLIC_PATHS` and let the embedded view handle its own authentication. It's designed to work without a logged-in user.

**Alternative**: If you must keep `/embedded` as a public path, set `g.user` before returning:

```python
import logging

from flask import request
from flask_login import login_user, AnonymousUserMixin

log = logging.getLogger(__name__)


def before_request(self):
    if request.path and any(
        request.path.startswith(path) for path in self.PUBLIC_PATHS
    ):
        log.debug(f"🟢 Public path allowed: {request.path}")
        if request.path.startswith("/embedded"):
            login_user(AnonymousUserMixin(), force=True)  # Ensure g.user is set
        return
    # ... rest of your logic
```

Regarding the X-GuestToken not being sent: **this is expected behavior**. The `/embedded` page load uses anonymous authentication—guest tokens are only used for subsequent API calls after the page loads. The bootstrap data includes the guest token header name so the frontend knows how to authenticate those API calls.

If you upgraded to Superset 6.0, note that there were [significant authentication architecture changes](https://github.com/apache/superset/discussions/38199) that may require refactoring custom security managers to use `FLASK_APP_MUTATOR` patterns instead.
GitHub link: https://github.com/apache/superset/discussions/38467#discussioncomment-16020149
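As an added, dependency-free example (not code from the comment above and not Superset's own code): a model of the request flow the comment describes, with stand-ins for `flask.request`/`flask.g`, `flask_login.login_user`/`AnonymousUserMixin` and Superset's `menu_data()`. Those stand-ins, the `RequestContext` class and the `outcome()` helper are assumptions made here for illustration. The model runs the three cases side by side: `/embedded` listed in `PUBLIC_PATHS` with the unpatched hook (the `AttributeError`), the same with the alternative fix applied in the hook, and `/embedded` removed from `PUBLIC_PATHS` so the view's own anonymous login runs. The `is_public_path()` helper goes beyond the snippet by matching on whole path segments instead of a bare `startswith`, so a path like `/embeddedfoo` is not treated as public.

```python
# Added example, not code from the comment or from Superset: a dependency-free
# model of the request flow the comment describes. RequestContext, login_user,
# AnonymousUserMixin and menu_data below are stand-ins (assumptions) for
# flask.request/flask.g, flask_login and Superset's real helpers.
from types import SimpleNamespace


class AnonymousUserMixin:
    """Stand-in for flask_login.AnonymousUserMixin."""

    is_anonymous = True
    is_authenticated = False


class RequestContext:
    """Stand-in for one request: the path plus an empty flask.g."""

    def __init__(self, path):
        self.path = path
        self.g = SimpleNamespace()  # g.user raises AttributeError until set


def login_user(ctx, user):
    """Stand-in for flask_login.login_user(): exposes the user as g.user."""
    ctx.g.user = user


def menu_data(user):
    """Stand-in for Superset's menu_data(g.user): reads user attributes."""
    return {
        "is_anonymous": user.is_anonymous,
        "username": getattr(user, "username", None),
    }


def is_public_path(path, public_paths):
    """Segment-aware prefix match (tighter than a bare str.startswith):
    '/embedded' and '/embedded/<id>' match '/embedded', '/embeddedfoo' does not."""
    return any(
        path == p or path.startswith(p.rstrip("/") + "/") for p in public_paths
    )


def before_request(ctx, public_paths, set_anonymous_in_hook):
    """Model of the custom hook. Returns True when the request is let through
    as public (authentication bypassed) and False when the normal flow continues.
    set_anonymous_in_hook=True applies the comment's alternative fix."""
    if is_public_path(ctx.path, public_paths):
        if set_anonymous_in_hook and ctx.path.startswith("/embedded"):
            login_user(ctx, AnonymousUserMixin())  # ensure g.user is set
        return True
    return False


def handle_embedded_request(path, public_paths, set_anonymous_in_hook):
    """Dispatch one /embedded request the way the comment describes it."""
    ctx = RequestContext(path)
    bypassed = before_request(ctx, public_paths, set_anonymous_in_hook)
    if not bypassed:
        # Normal flow: the view's own setup logs in an anonymous user
        # (the login_user(AnonymousUserMixin(), force=True) call quoted above).
        login_user(ctx, AnonymousUserMixin())
    # Rendering the page builds the menu from g.user; with no user set this is
    # exactly the AttributeError the comment explains.
    return menu_data(ctx.g.user)


def outcome(path, public_paths, set_anonymous_in_hook):
    """Run one request and report either the menu data or the failure."""
    try:
        return handle_embedded_request(path, public_paths, set_anonymous_in_hook)
    except AttributeError as exc:
        return f"AttributeError: {exc}"


if __name__ == "__main__":
    embedded = "/embedded/0123-constructed-uuid"  # constructed sample path
    print("bypassed, unpatched:", outcome(embedded, ["/embedded"], False))
    print("bypassed, patched:  ", outcome(embedded, ["/embedded"], True))
    print("not public:         ", outcome(embedded, ["/health"], False))
    print("/embeddedfoo public?", is_public_path("/embeddedfoo", ["/embedded"]))
```

Running the script shows the first case failing with `AttributeError` (no `user` on `g`) while the other two produce an anonymous menu, which is the behaviour the comment attributes to the recommended and alternative fixes. The segment-aware check in `is_public_path()` is a design choice for this model: it keeps a public-path allowlist from silently covering sibling routes that merely share a prefix.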
