kgabryje opened a new pull request, #38601:
URL: https://github.com/apache/superset/pull/38601
### SUMMARY

Fixes a bug where global guest RLS rules (without a `dataset` ID) for embedded users were being incorrectly applied to the inner physical tables of virtual datasets, in addition to the outer query. When the RLS clause referenced a column that didn't exist on all inner tables (e.g., a virtual dataset with JOINs), this caused SQL errors like `column "channel_name" does not exist`.

**Root cause:** `get_sqla_row_level_filters()` unconditionally includes guest RLS on every call. For virtual datasets, it's called twice:

1. Inner tables via `get_from_clause()` → `apply_rls()` → `get_predicates_for_table()`
2. Outer query via `get_sqla_query()` (line 3213 in helpers.py)

Global guest RLS matches ALL datasets, so it was applied to both inner tables and the outer query — causing errors when inner tables didn't have the filtered column.

**Fix:** Add an `include_guest_rls` parameter (default `True`, fully backward-compatible) threaded through `get_sqla_row_level_filters()` → `get_predicates_for_table()` → `apply_rls()`. In `get_from_clause()`, pass `include_guest_rls=False` so inner tables only get role-based RLS. Guest RLS is applied once at the outer virtual dataset query level.

Fixes #37359
Fixes #37551
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — backend-only change.

**Before:** Embedded dashboard with virtual dataset (JOIN) and global guest RLS → SQL error: `column "channel_name" does not exist`

**After:** Guest RLS applied only to the outer query where virtual dataset columns are available → query succeeds.

### TESTING INSTRUCTIONS

1. Create a virtual dataset with a JOIN (e.g., `Slack Members and Channels` from examples)
2. Add a chart using this dataset to a dashboard, enable embedded mode
3. Generate a guest token with a global RLS rule (no `dataset` ID): `{"rls": [{"clause": "channel_name = 'general'"}]}`
4. Access the dashboard with the guest token
5. Verify the chart renders without SQL errors

### ADDITIONAL INFORMATION
- [x] Has associated issue: #37359, #37551
- [x] Required feature flags: `EMBEDDED_SUPERSET`
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
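
The behaviour described in this pull request can be reproduced outside Superset with a small model. The following is an added example, not code from the PR or from Superset: the schema, the role rule, and the helpers `predicates_for_table`, `filtered`, `virtual_dataset_query` and `run` are hypothetical stand-ins, and SQLite is assumed as the database. It shows the global guest clause failing when pushed into the inner physical tables, and still restricting rows when applied only on the outer query.

```python
import sqlite3

# Constructed sample data; table and column names are illustrative only.
SCHEMA = """
CREATE TABLE members  (id INTEGER, name TEXT, channel_id INTEGER, active INTEGER);
CREATE TABLE channels (id INTEGER, name TEXT);
INSERT INTO members  VALUES (1,'ana',10,1),(2,'bo',10,0),(3,'cy',20,1);
INSERT INTO channels VALUES (10,'general'),(20,'random');
"""
GUEST_RLS = ["channel_name = 'general'"]   # global rule from the guest token (no dataset ID)
ROLE_RLS = {"members": ["active = 1"]}     # hypothetical role-based rule bound to one table


def predicates_for_table(table, include_guest_rls=True):
    """Simplified model: role rules for this table, plus global guest rules if requested."""
    return ROLE_RLS.get(table, []) + (GUEST_RLS if include_guest_rls else [])


def filtered(table, include_guest_rls):
    """Wrap a physical table in a subquery that carries its RLS predicates."""
    preds = predicates_for_table(table, include_guest_rls)
    where = " WHERE " + " AND ".join(f"({p})" for p in preds) if preds else ""
    return f"(SELECT * FROM {table}{where}) AS {table}"


def virtual_dataset_query(inner_guest_rls):
    """Virtual dataset (a JOIN) as the inner query; guest RLS is always on the outer query."""
    inner = (
        "SELECT members.name AS member_name, channels.name AS channel_name "
        f"FROM {filtered('members', inner_guest_rls)} "
        f"JOIN {filtered('channels', inner_guest_rls)} "
        "ON members.channel_id = channels.id"
    )
    outer = " AND ".join(f"({p})" for p in predicates_for_table("virtual_table"))
    return f"SELECT member_name, channel_name FROM ({inner}) AS virtual_table WHERE {outer}"


def run(inner_guest_rls):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        return conn.execute(virtual_dataset_query(inner_guest_rls)).fetchall()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print("guest RLS on inner tables too:", run(inner_guest_rls=True))
    print("guest RLS on outer query only:", run(inner_guest_rls=False))
```

In the second run the role rule on `members` is still enforced inside the JOIN and the guest clause still limits the result to the `general` channel, which is the property a reviewer would want a regression test to pin down.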