feat(user_info): include Groups in user data payload when include_perms is True and show Groups on user_info page #39450

Open
declan-zhao wants to merge 3 commits into apache:master from declan-zhao:feat/add-groups


@declan-zhao

@declan-zhao declan-zhao commented Apr 17, 2026

SUMMARY

Currently, Group info (which Groups a user belongs to) is missing on the user_info page. This change includes Groups in the payload when include_perms is True and shows Groups on the user_info page.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

Before

image

After

image

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@bito-code-review

bito-code-review bot commented Apr 17, 2026

Code Review Agent Run #3159fe

Actionable Suggestions - 0
Review Details
  • Files reviewed - 9 · Commit Range: 6130832..6130832
    • superset-frontend/src/SqlLab/reducers/getInitialState.test.ts
    • superset-frontend/src/dashboard/util/permissionUtils.test.ts
    • superset-frontend/src/pages/ChartCreation/ChartCreation.test.tsx
    • superset-frontend/src/pages/SqlLab/SqlLab.test.tsx
    • superset-frontend/src/pages/UserInfo/UserInfo.test.tsx
    • superset-frontend/src/pages/UserInfo/index.tsx
    • superset-frontend/src/types/bootstrapTypes.ts
    • superset/views/utils.py
    • tests/integration_tests/users/api_tests.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • Eslint (Linter) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset. You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.


@dosubot bot added the api, change:frontend, and global:users labels Apr 17, 2026
Comment thread superset/views/utils.py Outdated
roles, permissions = get_permissions(user)
payload["roles"] = roles
payload["permissions"] = permissions
payload["groups"] = [group.name for group in user.groups or []]
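Review bot: the added `payload["groups"]` line reads `user.groups` directly, while `roles` and `permissions` just above it go through `get_permissions(user)`, so this is the one lookup here that depends on the shape of the user object. Move the group lookup behind a small helper (or into the same call) that returns an empty list when the object carries no groups, and cover that case in a test.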

Suggestion: Accessing user.groups unconditionally can raise an AttributeError for anonymous users created with AnonymousUserMixin (for example in embedded/dashboard routes), because those objects don't define a groups attribute. This will cause SPA bootstrap to fail at runtime. Use a safe attribute lookup and default to an empty list. [null pointer]

Severity Level: Critical 🚨
- ❌ Login view (`/login`) SPA bootstrap fails for anonymous users.
- ❌ Registration views using `render_app_template` error for anonymous sessions.
- ❌ Any anonymous SPA route using `get_spa_payload` crashes on bootstrap.
- ⚠️ Frontend cannot reliably read `groups` from user payload.
Suggested change
payload["groups"] = [group.name for group in user.groups or []]
payload["groups"] = [
group.name for group in (getattr(user, "groups", None) or [])
]
Steps of Reproduction ✅
1. Start Superset with this PR code and ensure authentication is enabled so
unauthenticated visitors are represented by `AnonymousUserMixin` (see
`superset/security/manager.py:2858-2865`, where `get_anonymous_user` returns
`AnonymousUserMixin()`).

2. In a fresh browser session (not logged in), navigate to the login URL handled by
`SupersetAuthView.login` in `superset/views/auth.py:34-56`. Because `g.user` is anonymous
(`is_authenticated` is False), the view executes `return super().render_app_template()`.

3. `render_app_template` in `BaseSupersetView` (`superset/views/base.py:15-38`) calls
`get_spa_template_context(entry, extra_bootstrap_data, **template_kwargs)`, which in turn
calls `get_spa_payload(extra_bootstrap_data)` (`superset/views/base.py:30-46`).

4. `get_spa_payload` constructs the SPA bootstrap payload and sets `"user":
bootstrap_user_data(g.user, include_perms=True)`. Inside `bootstrap_user_data`
(`superset/views/utils.py:107-138`), the anonymous branch runs, and with
`include_perms=True` it reaches line 136: `payload["groups"] = [group.name for group in
user.groups or []]`. Since the anonymous user instance (`AnonymousUserMixin`) has no
`groups` attribute, this line raises `AttributeError: 'AnonymousUserMixin' object has no
attribute 'groups'`, causing SPA bootstrap (and thus the login page) to fail with HTTP
500.


@github-actions bot removed the api label Apr 17, 2026
@codecov

codecov bot commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.49%. Comparing base (be68040) to head (2d6ae79).

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #39450   +/-   ##
=======================================
  Coverage   64.49%   64.49%           
=======================================
  Files        2557     2557           
  Lines      133191   133193    +2     
  Branches    30935    30936    +1     
=======================================
+ Hits        85897    85899    +2     
  Misses      45804    45804           
  Partials     1490     1490           
Flag Coverage Δ
hive 39.87% <100.00%> (+<0.01%) ⬆️
javascript 66.32% <100.00%> (+<0.01%) ⬆️
mysql 60.50% <100.00%> (+<0.01%) ⬆️
postgres 60.58% <100.00%> (+<0.01%) ⬆️
presto 41.66% <100.00%> (+<0.01%) ⬆️
python 62.16% <100.00%> (+<0.01%) ⬆️
sqlite 60.21% <100.00%> (+<0.01%) ⬆️
unit 100.00% <ø> (ø)


@declan-zhao declan-zhao changed the title feat(user_info): include Groups in payload and show Groups on user_info page feat(user_info): include Groups in payload when include_perms is True and show Groups on user_info page Apr 17, 2026
@declan-zhao declan-zhao changed the title feat(user_info): include Groups in payload when include_perms is True and show Groups on user_info page feat(user_info): include Groups in user data payload when include_perms is True and show Groups on user_info page Apr 17, 2026
@bito-code-review

bito-code-review bot commented Apr 17, 2026

Code Review Agent Run #c558e8

Actionable Suggestions - 0
Additional Suggestions - 1
  • superset/views/utils.py - 1
    • Logic Error: Incorrect None Handling · Line 136-138
      The change from `user.groups or []` to `getattr(user, "groups", [])` alters behavior when `user.groups` exists but is `None`. The original handles `None` by using an empty list, but the new code will raise `TypeError` when iterating over `None`. Use `(getattr(user, "groups", None) or [])` to match the original defensive logic.
      Code suggestion
       @@ -136,3 +136,3 @@
      -        payload["groups"] = [
      -            group.name for group in getattr(user, "groups", [])
      -        ]
      +        payload["groups"] = [
      +            group.name for group in (getattr(user, "groups", None) or [])
      +        ]
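Review bot: the `+` lines fold two different conditions, a user object with no `groups` attribute and one whose `groups` is `None`, into the same empty list, and the hunk carries no test that pins either case. Add a test next to this change that builds the payload for both shapes and asserts `groups == []`, so a later simplification back to `getattr(user, "groups", [])` fails loudly.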
Review Details
  • Files reviewed - 1 · Commit Range: 6130832..2d6ae79
    • superset/views/utils.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

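The three forms of the group lookup discussed in this thread, run against the three user shapes the reviews mention, as an added example that is not code from the pull request or from Superset. `AnonymousStandIn` and the `SimpleNamespace` objects are constructed stand-ins, and the function names are hypothetical.

```python
# Added example: stand-in objects only, no Superset or Flask-AppBuilder imports.
from types import SimpleNamespace


class AnonymousStandIn:
    """Constructed stand-in for an anonymous user: it has no `groups` attribute."""
    is_authenticated = False


def groups_direct(user):
    # First revision in the thread: plain attribute access.
    return [g.name for g in user.groups or []]


def groups_getattr_list(user):
    # Second revision: the getattr default covers only a missing attribute.
    return [g.name for g in getattr(user, "groups", [])]


def groups_getattr_none(user):
    # Form suggested in review: covers a missing attribute and a None value.
    return [g.name for g in (getattr(user, "groups", None) or [])]


def outcome(fn, user):
    """Return the group names, or the exception class name on failure."""
    try:
        return fn(user)
    except (AttributeError, TypeError) as exc:
        return type(exc).__name__


def behaviour_matrix():
    # Constructed sample users, one per shape discussed in the reviews.
    users = {
        "anonymous": AnonymousStandIn(),
        "groups_none": SimpleNamespace(groups=None),
        "member": SimpleNamespace(groups=[SimpleNamespace(name="analysts")]),
    }
    variants = (groups_direct, groups_getattr_list, groups_getattr_none)
    return {
        (fn.__name__, label): outcome(fn, user)
        for fn in variants
        for label, user in users.items()
    }


if __name__ == "__main__":
    for key, result in behaviour_matrix().items():
        print(key, "->", result)
```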
