Amin Ghadersohi
6d691b5070
fix(mcp): address remaining code review findings for RBAC tool visibility
...
- app.py: clarify execute_sql requires SQL Lab access (not write access)
  in both the instructions preamble and Permission Awareness section
- auth.py: add log_denial param to check_tool_permission() to suppress
  noisy WARNING logs during tools/list scanning; downgrade "No authenticated
  user found" from ERROR to DEBUG in _setup_user_context
- middleware.py: fail completely closed (return []) on credential failures
  instead of returning tools with no class_permission_name, which could
  include protect=True tools requiring auth; remove _public_tools_only helper
- server.py: catch PermissionError (invalid API key) in addition to
  ValueError in _tool_allowed_for_current_user
- tests: add tests for fail-closed branches (PermissionError, bad ValueError,
  and no-auth-configured ValueError in RBACToolVisibilityMiddleware)
2026-05-15 00:14:15 +00:00
Amin Ghadersohi
3993a04eb0
fix(mcp): address code review findings for RBAC tool visibility
...
- Fail closed (return only public tools) when credentials are invalid
  (PermissionError from bad API key, ValueError from unknown dev username);
  fail open only when no auth source is configured at all
- Extract _get_app_context_manager() to module level in auth.py so
  RBACToolVisibilityMiddleware reuses the same context-selection logic as
  mcp_auth_hook, preventing external g.user from being shadowed
- Add RBACToolVisibilityMiddleware to __main__.py stdio entry point via
  build_middleware_list() to keep all transports in sync
- Fix stale patch targets in test_tool_search_transform.py: update
  superset.mcp_service.server.user_can_view_data_model_metadata →
  superset.mcp_service.privacy.user_can_view_data_model_metadata
- Qualify write tool listings in instructions with "(requires write access)"
  and add a permissions preamble so read-only users are not confused by
  tools they cannot call
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 23:29:19 +00:00
Amin Ghadersohi
042db32ba4
fix(mcp): hide write tools from users without write permissions
...
Phase 1: MCPPermissionDeniedError falls through to GlobalErrorHandlerMiddleware's
generic "Internal error" branch (500-style response) because it doesn't subclass
PermissionError. Fixed by adding it to _USER_ERROR_TYPES and an explicit elif
branch in _handle_error() that converts it to a clean ToolError.
Phase 2: Add RBACToolVisibilityMiddleware that intercepts tools/list and removes
tools the calling user lacks permission to execute. Add
is_tool_visible_to_current_user() to auth.py as the single source of truth for
tool visibility, shared by both the new middleware and the existing tool-search
transform. Register the middleware inside StructuredContentStripperMiddleware so
it filters full tool objects before outputSchema stripping. Fail open: if user
resolution fails, all tools are returned (call-time RBAC still enforces).
Also update server instructions to note write tools require write permissions.
2026-05-14 23:28:09 +00:00
JUST.in DO IT
2b71d964cc
fix(sqllab): missing estimate action button (#40101)
2026-05-14 14:43:07 -07:00
dependabot[bot]
f02e5b7e83
chore(deps-dev): bump babel-jest from 30.3.0 to 30.4.1 in /superset-frontend (#40090)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-14 13:52:53 -07:00
dependabot[bot]
5fa9657528
chore(deps): update @ant-design/icons requirement from ^6.2.2 to ^6.2.3 in /superset-frontend/packages/superset-ui-core (#40092)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: sadpandajoe <jcli38@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 13:52:37 -07:00
dependabot[bot]
d853930840
chore(deps): bump react-syntax-highlighter from 16.1.0 to 16.1.1 in /superset-frontend (#40107)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-14 13:52:14 -07:00
Evan Rusackas
4e09889607
test(datasets): regression coverage for #16141 (export with same table name, different schemas) (#40123)
...
Co-authored-by: Superset Dev <dev@superset.apache.org>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-14 11:08:23 -07:00
Evan Rusackas
672e9a1477
fix(docs): tighten onBrokenLinks to throw and fix surfaced broken links (#40102)
...
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-05-14 11:07:18 -07:00
Richard Fogaca Nienkotter
8fa5a75c70
fix(mcp): apply cached adhoc filters to chart retrieval (#40099)
2026-05-14 14:21:54 -03:00
Mafi
144dae7c43
fix(dashboard): use datasetUuid instead of datasetId in display controls export/import (SC-104655) (#40008)
...
Co-authored-by: Matt Fitzgerald <matt.fitzgerald@preset.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 10:18:57 -07:00
Arpit Jain
62dc237014
chore(ci): add explicit permissions to additional workflows (#40067)
2026-05-14 23:24:46 +07:00
Sandesh Devaraju
823eb905d3
fix(mcp): JSON-serialize order_by_cols and support sort direction (#39952)
...
Co-authored-by: Amin Ghadersohi <amin.ghadersohi@gmail.com>
2026-05-14 11:19:37 -04:00
Alexandru Soare
966e97989b
chore(mcp): Standardize error response shapes across chart tools (#39905)
2026-05-14 18:07:31 +03:00
Mehmet Salih Yavuz
8b0e63b58c
fix(rls): prevent double-apply when converting physical dataset to virtual (#39725)
...
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 18:05:48 +03:00
dependabot[bot]
64dae07675
chore(deps): bump markdown-to-jsx from 9.7.16 to 9.8.0 in /superset-frontend (#40111)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-14 21:39:48 +07:00
Evan Rusackas
e56883baef
fix(ci): handle schedule event in change_detector and actually trigger all-changed (#40105)
...
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-05-14 21:39:07 +07:00
Mehmet Salih Yavuz
a62bf2b0bb
fix: chart rendering race condition and homepage connection reset (#40065)
...
Co-authored-by: Geidō <60598000+geido@users.noreply.github.com>
2026-05-14 17:10:11 +03:00
Mafi
01224007da
fix(mixed-timeseries): preserve all-NaN metric columns after pivot when Jinja evaluates to NULL (#40005)
...
Co-authored-by: Matt Fitzgerald <matt.fitzgerald@preset.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 07:46:34 -03:00
Evan Rusackas
d1e9a5df06
chore(docs): clean up version-cutting tooling and finish developer_portal rename (#39837)
...
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-05-13 20:14:52 -07:00
dependabot[bot]
48530cb888
chore(deps-dev): bump @babel/register from 7.28.6 to 7.29.3 in /superset-frontend (#39818)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 19:17:21 -07:00
dependabot[bot]
676979643f
chore(deps-dev): bump @babel/preset-env from 7.29.3 to 7.29.5 in /superset-frontend (#39934)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 16:11:01 -07:00
dependabot[bot]
21e62d594e
chore(deps-dev): bump wait-on from 9.0.6 to 9.0.10 in /superset-frontend (#40087)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 16:09:03 -07:00
dependabot[bot]
5bad4f55fb
chore(deps-dev): bump @playwright/test from 1.59.1 to 1.60.0 in /superset-frontend (#40088)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 16:01:26 -07:00
dependabot[bot]
17a5f69339
chore(deps): bump chrono-node from 2.9.0 to 2.9.1 in /superset-frontend (#39939)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 15:59:36 -07:00
dependabot[bot]
d690aa7eb4
chore(deps): bump immer from 11.1.4 to 11.1.7 in /superset-frontend (#39941)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 15:58:20 -07:00
dependabot[bot]
d6c458abd4
chore(deps-dev): bump oxlint from 1.62.0 to 1.63.0 in /superset-frontend (#39937)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude <claude@anthropic.com>
2026-05-13 15:57:30 -07:00
dependabot[bot]
c233bf6171
chore(deps-dev): bump baseline-browser-mapping from 2.10.24 to 2.10.29 in /superset-frontend (#39903)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 15:56:30 -07:00
dependabot[bot]
992f561ab9
chore(deps): bump mapbox-gl from 3.23.0 to 3.23.1 in /superset-frontend (#39879)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 15:55:54 -07:00
Joe Li
d7fa9301cc
fix(dashboard): restore top-level tab drop target for dashboards with content (#39423)
...
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-13 15:31:29 -07:00
Elizabeth Thompson
958d4aa3de
fix(export): fix double app-root prefix in chart/drill-detail export URLs (#39710)
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 15:17:13 -07:00
Richard Fogaca Nienkotter
2a1dcb79e3
fix(mcp): expose table chart type labels in chart responses (#40060)
2026-05-13 16:38:31 -03:00
Michael S. Molina
817814d4f6
chore: Bump core packages to 0.1.0 (#40029)
2026-05-13 16:32:19 -03:00
Jean-Baptiste Braun
1a7a14c357
fix(explore): remove leftover debug console.log in ZoomConfigControl (#39991)
...
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-05-13 10:55:29 -07:00
dependabot[bot]
85c4411041
chore(deps-dev): bump @babel/plugin-transform-modules-systemjs from 7.25.0 to 7.29.4 in /superset-embedded-sdk (#39983)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 10:10:38 -07:00
Mayank Aggarwal
a50de459ae
fix(dashboard): restore spacing for charts inside Tabs layout (#38729)
2026-05-13 09:44:05 -07:00
dependabot[bot]
6216e57490
chore(deps): bump react-syntax-highlighter from 16.1.0 to 16.1.1 in /superset-frontend (#39698)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:35:42 -07:00
dependabot[bot]
cdddb99e9a
chore(deps): bump yeoman-generator from 8.1.2 to 8.2.2 in /superset-frontend (#39880)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 09:34:42 -07:00
dependabot[bot]
803fed28b8
chore(deps): update react requirement from ^19.2.5 to ^19.2.6 in /superset-frontend/plugins/legacy-plugin-chart-chord (#39929)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:34:26 -07:00
dependabot[bot]
8074ae2e38
chore(deps): bump fast-uri from 3.1.0 to 3.1.2 in /superset-frontend/cypress-base (#39974)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 09:34:11 -07:00
dependabot[bot]
577085eece
chore(deps-dev): bump fast-uri from 3.0.1 to 3.1.2 in /superset-embedded-sdk (#39978)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 09:33:57 -07:00
dependabot[bot]
5d40d8aeac
chore(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 (#40016)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 09:33:14 -07:00
dependabot[bot]
b4cb780e74
chore(deps): update ace-builds requirement from ^1.43.6 to ^1.44.0 in /superset-frontend/packages/superset-ui-core (#40017)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 09:32:35 -07:00
dependabot[bot]
aebc6fbf34
chore(deps-dev): bump @types/node from 25.6.0 to 25.7.0 in /superset-websocket (#40052)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 09:32:19 -07:00
dependabot[bot]
9e749da93c
chore(deps): bump ws from 8.20.0 to 8.20.1 in /superset-websocket (#40085)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 09:32:05 -07:00
dependabot[bot]
2c7e418d7b
chore(deps): bump @ant-design/icons from 6.2.2 to 6.2.3 in /docs (#40086)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 09:31:51 -07:00
dependabot[bot]
6a1305fe53
chore(deps): update zod requirement from ^4.4.1 to ^4.4.3 in /superset-frontend/plugins/plugin-chart-echarts (#40091)
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-13 09:12:39 -07:00
Amin Ghadersohi
726d83d758
fix(mcp): remove stale created_by_fk filter references from MCP privacy layer (#39955)
2026-05-13 11:27:10 -04:00
jesperct
6cebba49ca
fix(AlertReportModal): TypeError when pasting text into the Alerts content form search field (#39298)
...
Co-authored-by: codeant-ai-for-open-source[bot] <244253245+codeant-ai-for-open-source[bot]@users.noreply.github.com>
2026-05-13 17:38:55 +03:00
Luiz Otavio
940779ad5f
feat(event-log): add event logging for embedded Superset (#40083)
2026-05-13 09:59:48 -03:00