refactor(mcp): delegate load_user_with_relationships to SecurityManager.find_user_with_relationships

Fixes a gap identified in code review: the standalone load_user_with_relationships()
in auth.py duplicated SecurityManager.find_user() logic but dropped two FAB behaviors:
- auth_username_ci (case-insensitive username lookup)
- MultipleResultsFound guard (username uniqueness not guaranteed at DB level in all FAB versions)
It also hard-coded User/Group models instead of sm.user_model.

Changes:
- Add SupersetSecurityManager.find_user_with_relationships() to security/manager.py,
  mirroring FAB's find_user() (auth_username_ci, MultipleResultsFound handling,
  self.user_model) and adding eager loading of roles and group.roles via joinedload
- Simplify load_user_with_relationships() in auth.py to a thin delegate to the
  new method, removing the duplicated query logic and raw Group/User imports
- Add regression test asserting find_user_with_relationships() exists on the SM

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Amin Ghadersohi
2026-05-13 22:10:36 +00:00
parent 202b19951a
commit d8db1c9230
3 changed files with 80 additions and 32 deletions


@@ -351,3 +351,17 @@ def test_security_manager_has_expected_api_key_methods(app: SupersetApp) -> None
"auth._resolve_user_from_api_key() references this method by name — "
"update auth.py if the FAB API changed."
)
def test_security_manager_has_find_user_with_relationships(app: SupersetApp) -> None:
"""Regression test: verify SupersetSecurityManager.find_user_with_relationships
exists. load_user_with_relationships() in auth.py delegates to it — a rename
or removal would silently break MCP user resolution at runtime."""
with app.app_context():
from superset import security_manager
assert hasattr(security_manager, "find_user_with_relationships"), (
"SupersetSecurityManager is missing 'find_user_with_relationships'. "
"auth.load_user_with_relationships() delegates to this method — "
"update auth.py if the method was renamed or removed."
)
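Review bot: the `hasattr` assertion in test_security_manager_has_find_user_with_relationships only proves that the name exists, so it still passes if the method loses the auth_username_ci lookup or the MultipleResultsFound guard that the commit message gives as the reason for this change, or if the attribute is bound to something non-callable. Since this method decides which user an MCP request resolves to, I would tighten the check to `callable(getattr(security_manager, "find_user_with_relationships", None))` and add behavioural cases next to it: a mixed-case username looked up with auth_username_ci enabled, a lookup against duplicate usernames that exercises the MultipleResultsFound path, and a check that roles and group.roles are loaded on the returned user. The docstring says a rename "would silently break MCP user resolution at runtime"; a test that calls auth.load_user_with_relationships() end to end would catch that directly instead of relying on the name check.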