Files
superset2/tests/integration_tests/sql_lab
Evan 63603ec369 fix(sqllab): keep RLS schema probe out of the session + always run the schema gate
Addresses review feedback on the cost-estimate security-parity path:

- The transient Query built to resolve the per-query schema joined the
  session via the `database` backref's `cascade="all, delete-orphan"`.
  With no `client_id` (nullable=False) it autoflushed into an IntegrityError
  the moment `apply_rls` issued its own session query, 500-ing every
  RLS-enabled estimate that references a table. Mirror the probe pattern in
  `SupersetSecurityManager.raise_for_access`: set `client_id`/`user_id` and
  `db.session.expunge` the probe.
- `get_default_schema_for_query` was skipped whenever the caller pinned a
  schema, bypassing the engine's per-query gate (e.g. Postgres rejecting
  `SET search_path`) that the executor runs unconditionally. Always resolve
  through it; an explicit schema still wins as the RLS predicate target.

Unit tests patch the session (so they can't see the autoflush); add an
integration test exercising a real session + real `apply_rls` that would
have caught the regression, and flip the explicit-schema test to assert the
gate now runs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 14:59:51 -07:00
..