Amin Ghadersohi
6d691b5070
fix(mcp): address remaining code review findings for RBAC tool visibility
...
- app.py: clarify execute_sql requires SQL Lab access (not write access)
in both the instructions preamble and Permission Awareness section
- auth.py: add log_denial param to check_tool_permission() to suppress
noisy WARNING logs during tools/list scanning; downgrade "No authenticated
user found" from ERROR to DEBUG in _setup_user_context
- middleware.py: fail completely closed (return []) on credential failures
instead of returning tools with no class_permission_name, which could
include protect=True tools requiring auth; remove _public_tools_only helper
- server.py: catch PermissionError (invalid API key) in addition to
ValueError in _tool_allowed_for_current_user
- tests: add tests for fail-closed branches (PermissionError, bad ValueError,
and no-auth-configured ValueError in RBACToolVisibilityMiddleware)
2026-05-15 00:14:15 +00:00
Amin Ghadersohi
3993a04eb0
fix(mcp): address code review findings for RBAC tool visibility
...
- Fail closed (return only public tools) when credentials are invalid
(PermissionError from bad API key, ValueError from unknown dev username);
fail open only when no auth source is configured at all
- Extract _get_app_context_manager() to module level in auth.py so
RBACToolVisibilityMiddleware reuses the same context-selection logic as
mcp_auth_hook, preventing external g.user from being shadowed
- Add RBACToolVisibilityMiddleware to __main__.py stdio entry point via
build_middleware_list() to keep all transports in sync
- Fix stale patch targets in test_tool_search_transform.py: update
superset.mcp_service.server.user_can_view_data_model_metadata →
superset.mcp_service.privacy.user_can_view_data_model_metadata
- Qualify write tool listings in instructions with "(requires write access)"
and add a permissions preamble so read-only users are not confused by
tools they cannot call
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 23:29:19 +00:00
Amin Ghadersohi
042db32ba4
fix(mcp): hide write tools from users without write permissions
...
Phase 1: MCPPermissionDeniedError falls through to GlobalErrorHandlerMiddleware's
generic "Internal error" branch (500-style response) because it doesn't subclass
PermissionError. Fixed by adding it to _USER_ERROR_TYPES and an explicit elif
branch in _handle_error() that converts it to a clean ToolError.
Phase 2: Add RBACToolVisibilityMiddleware that intercepts tools/list and removes
tools the calling user lacks permission to execute. Add
is_tool_visible_to_current_user() to auth.py as the single source of truth for
tool visibility, shared by both the new middleware and the existing tool-search
transform. Register the middleware inside StructuredContentStripperMiddleware so
it filters full tool objects before outputSchema stripping. Fail open: if user
resolution fails, all tools are returned (call-time RBAC still enforces).
Also update server instructions to note write tools require write permissions.
2026-05-14 23:28:09 +00:00
Evan Rusackas
4e09889607
test(datasets): regression coverage for #16141 (export with same table name, different schemas) (#40123)
...
Co-authored-by: Superset Dev <dev@superset.apache.org>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-14 11:08:23 -07:00
Richard Fogaca Nienkotter
8fa5a75c70
fix(mcp): apply cached adhoc filters to chart retrieval (#40099)
2026-05-14 14:21:54 -03:00
Mafi
144dae7c43
fix(dashboard): use datasetUuid instead of datasetId in display controls export/import (SC-104655) (#40008)
...
Co-authored-by: Matt Fitzgerald <matt.fitzgerald@preset.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 10:18:57 -07:00
Sandesh Devaraju
823eb905d3
fix(mcp): JSON-serialize order_by_cols and support sort direction (#39952)
...
Co-authored-by: Amin Ghadersohi <amin.ghadersohi@gmail.com>
2026-05-14 11:19:37 -04:00
Mehmet Salih Yavuz
8b0e63b58c
fix(rls): prevent double-apply when converting physical dataset to virtual (#39725)
...
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 18:05:48 +03:00
Mafi
01224007da
fix(mixed-timeseries): preserve all-NaN metric columns after pivot when Jinja evaluates to NULL (#40005)
...
Co-authored-by: Matt Fitzgerald <matt.fitzgerald@preset.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 07:46:34 -03:00
Richard Fogaca Nienkotter
2a1dcb79e3
fix(mcp): expose table chart type labels in chart responses (#40060)
2026-05-13 16:38:31 -03:00
Richard Fogaca Nienkotter
c59ab8bffd
feat(mcp): add data boundary instruction to harden against prompt injection (#40080)
2026-05-13 09:40:44 -03:00
Richard Fogaca Nienkotter
fa06989ed7
fix(mcp): return requested update chart previews (#40077)
2026-05-12 21:23:49 -03:00
Igor Khrol
3363b48180
fix(spark): register Spark SQLAlchemy dialect so spark:// URIs resolve to SparkEngineSpec (#38299)
...
Co-authored-by: Joe Li <joe@preset.io>
2026-05-12 12:33:17 -04:00
Amin Ghadersohi
460992d89b
fix(mcp): improve not-found errors to suggest corresponding list_* tools (#39919)
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-05-12 02:38:10 -04:00
Amin Ghadersohi
85935b0b88
fix(mcp): handle SSL connection drop during pre-call session teardown (#39917)
2026-05-12 02:32:14 -04:00
Maxime Beauchemin
d90d3a2dea
fix(importexport): honor overwrite flag on /api/v1/assets/import (#39502)
...
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-11 10:24:42 -07:00
Evan Rusackas
26ef4b7ed3
fix(sqla): pass catalog and schema to get_sqla_engine in values_for_column (#38681)
...
Co-authored-by: Superset Dev <dev@superset.apache.org>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Claude <claude@anthropic.com>
2026-05-11 09:54:48 -07:00
Oleg Ovcharuk
d83b0c5ce3
feat: support creating datasets for schema-less databases (#39433)
...
Co-authored-by: codeant-ai-for-open-source[bot] <244253245+codeant-ai-for-open-source[bot]@users.noreply.github.com>
2026-05-11 08:30:13 -04:00
Maxime Beauchemin
d023fe1703
fix(trino/presto): use equality for boolean filters to support computed columns (#39500)
2026-05-08 16:10:27 -07:00
Amin Ghadersohi
547660dcc4
fix(mcp): ASCII chart crashes with NaN when dataset contains null values (#39916)
2026-05-08 17:35:15 -04:00
Amin Ghadersohi
cfb0b6e811
fix(mcp): clarify request wrapper in list_datasets, list_charts, list_dashboards (#39920)
2026-05-08 16:01:07 -04:00
Amin Ghadersohi
ff7dc53853
fix(mcp): get_chart_sql drops x_axis on echarts_timeseries_* and only renders one query for mixed_timeseries (#39865)
2026-05-08 15:29:28 -04:00
Beto Dealmeida
4311a15eb2
feat(sqlglot): Vertica dialect (#39969)
2026-05-08 14:34:34 -03:00
Vitor Avila
ad5e3170dd
fix: OpenSearch dialect identifier delimiters (#39953)
2026-05-07 16:19:27 -03:00
Amin Ghadersohi
9b520312a1
fix(mcp): use tiktoken for response-size-guard token estimation (#39912)
2026-05-07 11:51:31 -04:00
Amin Ghadersohi
9ac4711ac8
fix(mcp): prevent DetachedInstanceError in get_chart_preview (#39921)
2026-05-07 11:44:11 -04:00
Enzo Martellucci
b5186d1c65
fix(reports): keep body sized so standalone screenshots don't time out (#39944)
2026-05-07 12:26:50 +02:00
bdonovan1
5b5dd01028
fix(sqla): parenthesize calculated column expressions in WHERE clause (#39793)
...
Co-authored-by: Brian Donovan <briand@netflix.com>
Co-authored-by: Vitor Avila <96086495+Vitor-Avila@users.noreply.github.com>
2026-05-06 19:45:27 -03:00
Enzo Martellucci
9aaa12c7d4
fix(reports): preserve urlParams in multi-tab report fan-out (#39884)
2026-05-06 16:29:45 +02:00
Alexandru Soare
adfbbf1433
fix(sql): quote identifiers in transpile_to_dialect to fix case-sensitive column filters (#39521)
2026-05-06 10:53:09 +03:00
Vitor Avila
3745e37182
fix(OAuth2): Support OAuth2 exception with legacy endpoint (#39897)
2026-05-05 21:21:48 -03:00
Amin Ghadersohi
4a21a5365f
fix(mcp): validate column refs in generate_explore_link, update_chart_preview, and update_chart (#39797)
2026-05-05 19:12:31 -04:00
Richard Fogaca Nienkotter
9459bc7bf4
fix(mcp): warn on invalid chart preview form data key (#39891)
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-05-05 16:40:00 -03:00
Beto Dealmeida
cb53745d43
feat: semantic layer extension (#37815)
2026-05-05 12:07:46 -04:00
Beto Dealmeida
5325b87e73
fix(clickhouse): prevent expensive table scan (#39867)
2026-05-04 19:39:10 -04:00
Sam Firke
c2725e86f3
fix(markdown): Allow "target" attribute (#39868)
2026-05-04 18:27:43 -04:00
Amin Ghadersohi
673634f7af
fix(mcp): point get_dataset_info url to explore view instead of legacy tablemodelview edit (#39838)
2026-05-04 13:39:05 -04:00
Amin Ghadersohi
28239c18d4
feat(mcp): warn when execute_sql template_params used with templating disabled (#39858)
2026-05-04 12:14:44 -04:00
jesperct
d8dd2d99b3
fix(time-comparison): use chart row_limit instead of instance config in offset queries (#39490)
2026-05-01 16:24:59 -07:00
Elizabeth Thompson
98eaaaa6d6
fix(mcp): clear stale thread-local DB session in sync tool wrapper (#39798)
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-01 09:24:48 -07:00
Amin Ghadersohi
957b298ae1
fix(mcp): add default request parameter to list_charts and list_dashboards (#39730)
2026-04-30 18:04:39 -04:00
Amin Ghadersohi
f29d82b3b1
feat(mcp): add query_dataset tool to query datasets using semantic layer (#39727)
2026-04-30 18:03:41 -04:00
Vitor Avila
3f550f166f
fix(GSheets OAuth2): Re-add UnauthenticatedError (#39785)
2026-04-30 18:57:00 -03:00
Vitor Avila
86eb6176d1
fix: Enforce per-user caching on legacy API endpoint (#39789)
2026-04-30 18:04:33 -03:00
Luiz Otavio
df396aa6e9
fix(drill-to-detail): drill to detail by correctly filtering by metric (#39766)
...
Co-authored-by: Michael S. Molina <michael.s.molina@gmail.com>
2026-04-30 08:40:16 -03:00
Enzo Martellucci
e4fe08ab9e
feat(mcp): add generate_bug_report tool with PII sanitization (#39595)
...
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 12:47:14 +02:00
Richard Fogaca Nienkotter
c2b9272f4c
fix(mcp): sanitize read path output for LLM context (#39738)
2026-04-29 19:06:19 -03:00
Enzo Martellucci
e3e834bbf7
fix(mcp): fall back to title match when dashboard slug lookup misses (#39567)
...
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 23:03:16 +02:00
Elizabeth Thompson
8d17c34068
feat(mcp): restore self-lookup via created_by_me flag (#39638)
...
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-29 11:03:28 -07:00
Richard Fogaca Nienkotter
549aff7cf9
fix(mcp): clarify chart preview URL metadata (#39731)
2026-04-29 12:37:40 -03:00