fix(auth): guest token takes priority over active session for embedded dashboards#38950

Closed
michael-s-molina wants to merge 1 commit into
apache:masterfrom
michael-s-molina:fix-embedded-token

Conversation

@michael-s-molina
Member

@michael-s-molina michael-s-molina commented Mar 30, 2026

User description

SUMMARY

When a user has an active Superset session (e.g. they are logged in as themselves in another tab) and visits an embedded dashboard that uses a guest token, their session identity was silently taking precedence over the guest token identity. This caused 403 errors for users whose real account does not have access to the embedded dashboard's underlying datasets.

Root cause: Flask-Login's _load_user() checks the session first. If a _user_id is found in the session, it loads that user and sets g._login_user, then stops — the request_loader (where guest token auth lives) is never reached. Flask-Login's _get_user() only calls _load_user() if g._login_user is not already set, so preemptively setting it before the session is consulted is the correct fix.

Fix: Register a before_request hook in create_login_manager that checks for a guest token on every request. If a valid token is found, it sets g._login_user to the guest user before Flask-Login runs. Since _get_user() short-circuits when g._login_user is already set, the session is never consulted for requests that carry a guest token.

# Flask-Login's _get_user() in utils.py
from flask import current_app, g, has_request_context

def _get_user():
    if has_request_context():
        if "_login_user" not in g:   # short-circuits if already set
            current_app.login_manager._load_user()  # session first, then request_loader
        return g._login_user
    return None   # outside a request context there is no current user

The existing request_loader (request_loader method) is kept as-is; it still handles the case where there is no active session at all.

TESTING INSTRUCTIONS

  1. Log in to Superset with a regular user account.
  2. In the same browser session, open an embedded dashboard that uses a guest token for a different user identity.
  3. Before fix: API calls for the embedded dashboard are made as your real logged-in user. If your account lacks access to the dashboard's datasets, you get a 403.
  4. After fix: API calls are made as the guest user from the token regardless of the active session.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

CodeAnt-AI Description

Guest tokens now take priority over an active Superset session for embedded dashboards

What Changed

  • Embedded dashboards use the guest token identity even when the browser already has an active Superset login
  • Users no longer get blocked by their own account permissions when viewing an embedded dashboard meant for a guest user
  • Added coverage for the case where a session cookie and guest token are both present

Impact

✅ Fewer embedded dashboard access errors
✅ Fewer 403s for logged-in users viewing shared dashboards
✅ Clearer embedded dashboard access behavior

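A stand-alone model of the precedence described in the summary and in the testing instructions above, added here as an example; it is not Superset's or Flask-Login's code. It re-implements only the parts of Flask-Login's dispatch that matter here (session lookup first, request_loader second, short-circuit when g._login_user is already set) and substitutes a minimal HS256 signature-and-expiry check for Superset's guest-token JWT parsing. The secret, the X-GuestToken header name, the user records and the dataset names are all assumptions made for the example. Running it shows the session identity winning before the before_request hook and the guest identity winning after it, and that a tampered or expired token does not override the session:

```python
"""Added example, not Superset or Flask-Login code: models the session-vs-guest-token
precedence bug and the PR's before_request fix. Only the relevant pieces of
Flask-Login are re-implemented, and a minimal HS256 check stands in for Superset's
guest-token JWT parsing. Secret, header name, users and datasets are constructed."""
import base64
import hashlib
import hmac
import json
import time

GUEST_TOKEN_SECRET = b"example-secret-do-not-use"  # assumption: HS256 signing key
GUEST_TOKEN_HEADER = "X-GuestToken"  # assumption: header carrying the guest token

class User:
    def __init__(self, name, datasets, is_guest=False):
        self.name = name
        self.datasets = frozenset(datasets)
        self.is_guest = is_guest

# Constructed user store: session user 42 is alice, who cannot read embedded_metrics.
SESSION_USERS = {"42": User("alice", {"sales"})}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header: str, body: str) -> bytes:
    return hmac.new(GUEST_TOKEN_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()

def make_guest_token(username: str, datasets, ttl: int = 3600) -> str:
    """Mint an HS256 guest token; ttl <= 0 produces an already-expired token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"user": {"username": username}, "datasets": sorted(datasets),
              "exp": int(time.time()) + ttl}
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(_sign(header, body))}"

def parse_guest_token(token: str):
    """Return the claims only if signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(header, body), _unb64url(sig)):
            return None  # tampered or foreign token: never trust its claims
        claims = json.loads(_unb64url(body))
    except ValueError:  # wrong segment count, bad base64 (binascii.Error) or bad JSON
        return None
    if claims.get("exp", 0) <= int(time.time()):
        return None
    return claims

class Request:
    """Stand-in for a Flask request context: session contents, headers and g."""
    def __init__(self, session=None, headers=None):
        self.session = dict(session or {})
        self.headers = dict(headers or {})
        self.g = {}

def guest_user_from_request(req: Request):
    """Superset-style request_loader: a guest User from a valid token, else None."""
    token = req.headers.get(GUEST_TOKEN_HEADER)
    claims = parse_guest_token(token) if token else None
    if claims is None:
        return None
    return User(claims["user"]["username"], claims["datasets"], is_guest=True)

def _flask_login_load_user(req: Request) -> None:
    """Mirrors LoginManager._load_user: session wins; request_loader only if it yields nobody."""
    user = SESSION_USERS.get(req.session.get("_user_id"))
    if user is None:
        user = guest_user_from_request(req)
    req.g["_login_user"] = user  # None stands in for AnonymousUser

def guest_token_before_request(req: Request) -> None:
    """The PR's before_request hook: seed g._login_user from a valid guest token."""
    guest = guest_user_from_request(req)
    if guest is not None:
        req.g["_login_user"] = guest

def current_user(req: Request, with_fix: bool):
    """Flask-Login's _get_user(): the loaders run only if g._login_user is unset."""
    if with_fix:
        guest_token_before_request(req)
    if "_login_user" not in req.g:
        _flask_login_load_user(req)
    return req.g["_login_user"]

def dataset_request_status(req: Request, dataset: str, with_fix: bool) -> int:
    user = current_user(req, with_fix)
    if user is None:
        return 401
    return 200 if dataset in user.datasets else 403

if __name__ == "__main__":
    sess = {"_user_id": "42"}  # logged in as alice in another tab
    hdrs = {GUEST_TOKEN_HEADER: make_guest_token("embedded-guest", {"embedded_metrics"})}
    for with_fix in (False, True):
        print(with_fix, dataset_request_status(Request(sess, hdrs), "embedded_metrics", with_fix))
```

As in the PR, the hook runs on every request, so any request that carries a valid guest token is served as the guest user regardless of the session; a token that fails the signature or expiry check simply falls through to Flask-Login's normal session-then-request_loader order rather than failing the request.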

@bito-code-review
Contributor

bito-code-review Bot commented Mar 30, 2026

Code Review Agent Run #c56ccc

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 0de1884..0de1884
    • superset/security/manager.py
    • tests/integration_tests/security/guest_token_security_tests.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful


@dosubot dosubot Bot added authentication Related to authentication embedded labels Mar 30, 2026
@codeant-ai-for-open-source codeant-ai-for-open-source Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Mar 30, 2026
@codecov

codecov Bot commented Mar 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.36%. Comparing base (16f5a2a) to head (0de1884).
⚠️ Report is 38 commits behind head on master.

❌ Your project status has failed because the head coverage (99.85%) is below the target coverage (100.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #38950      +/-   ##
==========================================
- Coverage   65.54%   64.36%   -1.19%     
==========================================
  Files        1823     2536     +713     
  Lines       73154   130716   +57562     
  Branches    23437    30317    +6880     
==========================================
+ Hits        47951    84138   +36187     
- Misses      25203    45115   +19912     
- Partials        0     1463    +1463     
Flag Coverage Δ
hive 40.20% <50.00%> (?)
mysql 61.15% <100.00%> (?)
postgres 61.24% <100.00%> (?)
presto 40.21% <50.00%> (?)
python 62.84% <100.00%> (?)
sqlite 60.86% <100.00%> (?)
unit 100.00% <ø> (?)


@netlify

netlify Bot commented Mar 30, 2026

Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 0de1884
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/69ca611e65261a0008439e6b
😎 Deploy Preview https://deploy-preview-38950--superset-docs-preview.netlify.app

Labels

authentication Related to authentication embedded size/M size:M This PR changes 30-99 lines, ignoring generated files
