bito-code-review[bot] commented on code in PR #38407:
URL: https://github.com/apache/superset/pull/38407#discussion_r2894954358
##########
superset/mcp_service/auth.py:
##########
@@ -294,6 +391,17 @@ def sync_wrapper(*args: Any, **kwargs: Any) -> Any:
)
return tool_func(*args, **kwargs)
+ # RBAC permission check
+ if not check_tool_permission(tool_func):
+ raise MCPPermissionDeniedError(
+ permission_name=getattr(
+ tool_func, METHOD_PERMISSION_ATTR, "read"
+ ),
Review Comment:
<!-- Bito Reply -->
The suggestion correctly fixes the error message to use the full FAB
permission string (e.g., 'can_read') instead of just the method name ('read'),
matching what security_manager.can_access checks. This aligns with the CodeAnt
comments on both async and sync wrappers.
**superset/mcp_service/auth.py**
```
permission_name=f"{PERMISSION_PREFIX}{getattr(tool_func,
METHOD_PERMISSION_ATTR, 'read')}",
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
