GitHub user dosubot[bot] added a comment to the discussion: Custom SecurityManager issues with /embedded view
The error message mentions CSRF, but **this is actually a permissions issue, not a CSRF token problem**. The [`/superset/log/` endpoint is already exempt from CSRF protection](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py#L269-L274) by default.

The redirect to `/login/` happens because your guest role lacks the required permission to access the logging endpoint. [The fix is to grant the **"can log on Superset"** permission to your guest role](https://github.com/apache/superset/issues/36186#issuecomment-3552821071):

1. Go to **Settings → Roles → [Your guest role]** (usually configured via `GUEST_ROLE_NAME`)
2. Edit permissions and add **"can log on Superset"**
3. Restart Superset

This is needed because the [frontend uses `navigator.sendBeacon`](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/src/middleware/loggerMiddleware.js#L48-L55) to send logs, which passes the guest token in the FormData body (not headers). The `@has_access` decorator on the endpoint then checks permissions, and without "can log on Superset", it redirects to login.

If you want to disable logging entirely for embedded dashboards instead, you could potentially configure `LOG_ACTIONS = False` or create a custom view that returns a 204 No Content response.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*
GitHub link: https://github.com/apache/superset/discussions/38467#discussioncomment-16021255
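The comment above describes granting "can log on Superset" through the Roles UI. The script below is an added example (not code from dosu, the discussion, or the Superset project) that does the same grant programmatically and verifies it first, so the guest role gets exactly that one permission and nothing more. It assumes Flask-AppBuilder's security-manager methods `find_role()`, `find_permission_view_menu()` and `add_permission_role()`, and that the UI label "can log on Superset" corresponds to permission name `can_log` on view menu `Superset`; the `StubSecurityManager` is a constructed in-memory stand-in so the logic can be exercised offline, and the commented-out block at the bottom shows the assumed entry points for a real instance.

```python
"""Grant and verify the "can log on Superset" permission for an embedded guest role.

Added example, not Superset's own code. Assumptions (labelled as such):
  * FAB security manager exposes find_role(), find_permission_view_menu()
    and add_permission_role().
  * The UI label "can log on Superset" maps to permission name "can_log"
    on view menu "Superset".
"""
from __future__ import annotations

LOG_PERMISSION = "can_log"   # assumed FAB permission name behind "can log on Superset"
LOG_VIEW_MENU = "Superset"   # assumed FAB view-menu name


def role_can_log(sm, role_name: str) -> bool:
    """Return True if the role already holds can_log on Superset (no change made)."""
    role = sm.find_role(role_name)
    if role is None:
        raise LookupError(f"role {role_name!r} does not exist")
    return any(
        pvm.permission.name == LOG_PERMISSION and pvm.view_menu.name == LOG_VIEW_MENU
        for pvm in role.permissions
    )


def grant_log_permission(sm, role_name: str) -> bool:
    """Grant only can_log on Superset to the role (least privilege).

    Returns True if the permission was added, False if it was already present,
    so the script is safe to re-run.
    """
    if role_can_log(sm, role_name):
        return False
    pvm = sm.find_permission_view_menu(LOG_PERMISSION, LOG_VIEW_MENU)
    if pvm is None:
        # Permission/view pairs are created by `superset init`; refuse to guess.
        raise LookupError("'can_log on Superset' not registered; run `superset init` first")
    sm.add_permission_role(sm.find_role(role_name), pvm)
    return True


# ---- constructed offline stand-in for the FAB security manager (demo only) ----
class _Named:
    def __init__(self, name: str) -> None:
        self.name = name


class _PermissionView:
    def __init__(self, permission: str, view_menu: str) -> None:
        self.permission = _Named(permission)
        self.view_menu = _Named(view_menu)


class _Role:
    def __init__(self, name: str) -> None:
        self.name = name
        self.permissions: list[_PermissionView] = []


class StubSecurityManager:
    """In-memory stand-in mimicking the three FAB calls used above (constructed)."""

    def __init__(self, roles, permission_views) -> None:
        self._roles = {r: _Role(r) for r in roles}
        self._pvms = {(p, v): _PermissionView(p, v) for p, v in permission_views}

    def find_role(self, name):
        return self._roles.get(name)

    def find_permission_view_menu(self, permission_name, view_menu_name):
        return self._pvms.get((permission_name, view_menu_name))

    def add_permission_role(self, role, perm_view):
        if perm_view not in role.permissions:
            role.permissions.append(perm_view)


def demo() -> tuple[bool, bool, bool]:
    """Before/changed/after for a constructed guest role lacking can_log."""
    sm = StubSecurityManager(
        roles=["EmbeddedGuest"],  # constructed role name, stands in for GUEST_ROLE_NAME
        permission_views=[("can_log", "Superset"), ("can_read", "Dashboard")],
    )
    before = role_can_log(sm, "EmbeddedGuest")
    changed = grant_log_permission(sm, "EmbeddedGuest")
    after = role_can_log(sm, "EmbeddedGuest")
    return before, changed, after


if __name__ == "__main__":
    print(demo())  # (False, True, True)
    # Against a real instance (assumed entry points; run inside the Superset venv):
    # from superset.app import create_app
    # app = create_app()
    # with app.app_context():
    #     from superset import security_manager
    #     grant_log_permission(security_manager, app.config["GUEST_ROLE_NAME"])
```

Run `role_can_log()` first when diagnosing: if it returns True and `/superset/log/` still redirects to `/login/`, the cause is something other than the missing permission and the role should not be widened further.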
