feat(mcp): restore self-lookup via created_by_me flag (#39638)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/unit_tests/mcp_service/database/tool/test_database_tools.py

@@ -43,15 +43,16 @@ get_database_info_module = importlib.import_module(
 class TestDatabaseFilterSchema:
     """Tests for DatabaseFilter schema — filterable columns."""
 
-    def test_created_by_fk_is_valid_filter_column(self):
-        """created_by_fk must be accepted as a filter column."""
-        f = DatabaseFilter(col="created_by_fk", opr="eq", value=1)
-        assert f.col == "created_by_fk"
+    def test_created_by_fk_is_rejected_as_filter_column(self):
+        """created_by_fk is not a public filter column; use created_by_me instead."""
+        with pytest.raises(ValidationError):
+            DatabaseFilter(col="created_by_fk", opr="eq", value=1)
 
-    def test_changed_by_fk_is_valid_filter_column(self):
-        """changed_by_fk must be accepted as a filter column."""
-        f = DatabaseFilter(col="changed_by_fk", opr="eq", value=1)
-        assert f.col == "changed_by_fk"
+    def test_changed_by_fk_is_rejected_as_filter_column(self):
+        """changed_by_fk is not a public filter column; it exposes a user enumeration
+        vector (caller can probe which databases a given user ID has touched)."""
+        with pytest.raises(ValidationError):
+            DatabaseFilter(col="changed_by_fk", opr="eq", value=1)
 
     def test_invalid_filter_column_rejected(self):
         """Columns not in the Literal set must be rejected."""
@@ -269,11 +270,10 @@ async def test_list_databases_does_not_expose_user_directory_fields(
 
 
 def test_database_filter_rejects_user_directory_fields() -> None:
-    """Test user directory string fields cannot be used for database filters.
+    """Test user directory fields cannot be used for database filters.
 
-    created_by_fk / changed_by_fk are integer FK IDs and ARE valid filter
-    columns.  The user-directory *string* fields (created_by, created_by_name,
-    etc.) must still be rejected.
+    All FK columns (created_by_fk, changed_by_fk) and user-directory string
+    fields (created_by, created_by_name, etc.) must be rejected.
     """
     with pytest.raises(ValidationError, match="created_by_name"):
         ListDatabasesRequest(
@@ -281,6 +281,20 @@ def test_database_filter_rejects_user_directory_fields() -> None:
         )
 
 
+def test_database_filter_rejects_created_by_fk() -> None:
+    """created_by_fk is no longer a valid filter column; use created_by_me instead."""
+    with pytest.raises(ValidationError, match="created_by_fk"):
+        ListDatabasesRequest(
+            filters=[{"col": "created_by_fk", "opr": "eq", "value": 0}],
+        )
+
+
+def test_database_request_accepts_created_by_me() -> None:
+    """created_by_me=True is the correct way to filter by current user."""
+    request = ListDatabasesRequest(created_by_me=True)
+    assert request.created_by_me is True
+
+
 @patch("superset.daos.database.DatabaseDAO.list")
 @pytest.mark.asyncio
 async def test_list_databases_api_error(mock_list, mcp_server):