michael-s-molina opened a new pull request, #38950:
URL: https://github.com/apache/superset/pull/38950

   ### SUMMARY
   When a user has an active Superset session (e.g. they are logged in as 
themselves in another tab) and visits an embedded dashboard that uses a guest 
token, their session identity was silently taking precedence over the guest 
token identity. This caused 403 errors for users whose real account does not 
have access to the embedded dashboard's underlying datasets.
   
   **Root cause:** Flask-Login's `_load_user()` checks the session first. If a 
`_user_id` is found in the session, it loads that user and sets 
`g._login_user`, then stops — the `request_loader` (where guest token auth 
lives) is never reached. Flask-Login's `_get_user()` only calls `_load_user()` 
if `g._login_user` is not already set, so preemptively setting it before the 
session is consulted is the correct fix.
   
   **Fix:** Register a `before_request` hook in `create_login_manager` that 
checks for a guest token on every request. If a valid token is found, it sets 
`g._login_user` to the guest user before Flask-Login runs. Since `_get_user()` 
short-circuits when `g._login_user` is already set, the session is never 
consulted for requests that carry a guest token.
   
   ```python
   # Flask-Login's _get_user() in utils.py
   def _get_user():
       if has_request_context():
           if "_login_user" not in g:   # short-circuits if already set
               current_app.login_manager._load_user()
           return g._login_user
   ```
   
   The existing `request_loader` (`request_loader` method) is kept as-is; it 
still handles the case where there is no active session at all.
   
   ### TESTING INSTRUCTIONS
   
   1. Log in to Superset with a regular user account.
   2. In the same browser session, open an embedded dashboard that uses a guest 
token for a different user identity.
   3. **Before fix:** API calls for the embedded dashboard are made as your 
real logged-in user. If your account lacks access to the dashboard's datasets, 
you get a 403.
   4. **After fix:** API calls are made as the guest user from the token 
regardless of the active session.
   
   ### ADDITIONAL INFORMATION
   <!--- Check any relevant boxes with "x" -->
   <!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue -->
   - [ ] Has associated issue:
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration (follow approval process in 
[SIP-59](https://github.com/apache/superset/issues/13351))
     - [ ] Migration is atomic, supports rollback & is backwards-compatible
     - [ ] Confirm DB migration upgrade and downgrade tested
     - [ ] Runtime estimates and downtime expectations provided
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
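The identity-resolution order described in the PR, as an added, self-contained model (not Superset or Flask-Login code): the `LoginManager` below mimics the relevant behaviour of Flask-Login's `_load_user()` (session first, then `request_loader`) and `_get_user()` (short-circuit when `g._login_user` is already set), and `guest_token_before_request` plays the role of the new `before_request` hook. The HMAC token format, the `X-GuestToken` header, the secret and all class and function names are assumptions made for the example; Superset's real guest-token format is not reproduced here.

```python
"""Stdlib model of the user-resolution order that the PR changes.

Added example, not Superset or Flask-Login code. Token format, header name,
secret and every class/function name below are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from types import SimpleNamespace

SECRET = b"example-guest-token-secret"  # constructed for the example only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_guest_token(username: str, ttl: int = 300, now=None) -> str:
    """HMAC-SHA256 signed token carrying a guest identity and an expiry."""
    now = time.time() if now is None else now
    body = json.dumps({"user": username, "exp": now + ttl}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_guest_token(token: str, now=None):
    """Return the guest username, or None if the token is missing, tampered
    with, malformed or expired. The hook must never trust an unverified token,
    because whatever it sets in g wins over the session."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(body)
        if claims["exp"] < now:
            return None
        return claims["user"]
    except (ValueError, KeyError, TypeError):
        return None


class Request:
    """Stand-in for one HTTP request: session cookie contents plus headers."""

    def __init__(self, session=None, headers=None):
        self.session = dict(session or {})
        self.headers = dict(headers or {})
        self.g = SimpleNamespace()  # per-request scratch space, like flask.g


class LoginManager:
    """Mirrors the order in which Flask-Login resolves the current user."""

    def __init__(self):
        self.before_request_hooks = []

    def _load_user(self, req):
        # 1. Session first: if _user_id is present that user wins and the
        #    request_loader is never reached (the bug the PR describes).
        if "_user_id" in req.session:
            req.g._login_user = ("session", req.session["_user_id"])
            return
        # 2. No session: fall back to the request_loader (guest token auth).
        guest = verify_guest_token(req.headers.get("X-GuestToken", ""))
        req.g._login_user = ("guest", guest) if guest else ("anonymous", None)

    def _get_user(self, req):
        # Short-circuits if something already populated g._login_user.
        if not hasattr(req.g, "_login_user"):
            self._load_user(req)
        return req.g._login_user

    def handle(self, req):
        for hook in self.before_request_hooks:
            hook(req)
        return self._get_user(req)


def guest_token_before_request(req):
    """The fix: verify the guest token before Flask-Login consults the session.
    An invalid or expired token sets nothing, so the normal path still runs."""
    token = req.headers.get("X-GuestToken")
    if not token:
        return
    guest = verify_guest_token(token)
    if guest is None:
        return
    req.g._login_user = ("guest", guest)


def resolve(session, headers, with_fix):
    """Resolve the current user for one request, with or without the hook."""
    lm = LoginManager()
    if with_fix:
        lm.before_request_hooks.append(guest_token_before_request)
    return lm.handle(Request(session, headers))
```

With an active session and a valid guest token, `resolve(..., with_fix=False)` returns the session user (the reported bug) and `resolve(..., with_fix=True)` returns the guest. Two points a reviewer would check against the real hook: it must fully verify the token (signature, expiry) before setting `g._login_user`, since whatever it sets overrides the session, and it must be registered so it runs before any other `before_request` handler that touches `current_user`, or that handler will trigger `_load_user()` first and the session will win again.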

