feat(security): Add config-based extension hooks for permission overr…#40707

Draft: alexandrusoare wants to merge 6 commits into master from alexandrusoare/feat/permission-extension-hooks

@alexandrusoare alexandrusoare commented Jun 3, 2026

SUMMARY

Adds config-based extension hooks to Superset's permission system, following the existing EXTRA_DYNAMIC_QUERY_FILTERS pattern. These hooks allow deployments to inject custom permission logic without modifying core files.

All hooks are no-ops by default — zero behavioral change without explicit configuration.

Hooks added:

| Config key | Location | Purpose |
| --- | --- | --- |
| EXTRA_ACCESS_QUERY_FILTERS["charts"] | ChartFilter.apply() | Inject additional OR conditions for chart visibility |
| EXTRA_ACCESS_QUERY_FILTERS["dashboards"] | DashboardAccessFilter.apply() | Inject additional OR conditions for dashboard visibility |
| EXTRA_RAISE_FOR_ACCESS_BYPASS | raise_for_access() | Bypass permission checks (including datasource) for externally authorized users |
| EXTRA_OWNERSHIP_CHECKS | raise_for_ownership() | Allow edit/delete for users authorized by external systems |
| EXTRA_OWNER_AUTO_ADD_SKIP | populate_owner_list() | Prevent auto-adding users as owners when they have external edit access |
| EXTRA_OWNERS_RESOLVER | Slice.data, ChartRestApi.get(), DashboardRestApi.get() | Inject additional users into the owners array in API responses |

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API
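
A model of the hook pattern described above, added here as an illustration; it is not code from this pull request or from Superset. The hook signature `callable(user, resource) -> bool`, the list-of-callables config shape, the helper names and the sample data are all assumptions, and visibility conditions are modelled as Python predicates rather than SQLAlchemy expressions. It shows the two properties a reviewer would check: an empty config leaves the base decision unchanged, and a failing or ambiguous hook denies instead of granting.

```python
import logging
from typing import Any, Callable

log = logging.getLogger("permission_hooks_demo")

# Assumed hook shape (not from the PR): callable(user, resource) -> bool.
Hook = Callable[[dict[str, Any], dict[str, Any]], bool]


def hook_grants(hook: Hook, user: dict, resource: dict) -> bool:
    """Run one hook fail-closed: only a literal True widens access."""
    try:
        result = hook(user, resource)
    except Exception:
        # A broken hook must neither grant access nor crash the base check.
        log.exception("permission hook failed; treating as deny")
        return False
    if result is not True:  # truthy non-bools (strings, mocks) do not count
        return False
    log.info("hook granted access: user=%s resource=%s", user["name"], resource["id"])
    return True


def is_visible(config: dict, kind: str, user: dict, resource: dict, base: Hook) -> bool:
    """Base rule OR any extra filter registered for this kind ("charts", "dashboards")."""
    if base(user, resource):
        return True
    hooks = config.get("EXTRA_ACCESS_QUERY_FILTERS", {}).get(kind, [])
    return any(hook_grants(h, user, resource) for h in hooks)


def check_access(config: dict, user: dict, resource: dict, base: Hook) -> None:
    """Raise PermissionError unless the base rule or a bypass hook allows access."""
    if base(user, resource):
        return
    bypass_hooks = config.get("EXTRA_RAISE_FOR_ACCESS_BYPASS", [])
    if any(hook_grants(h, user, resource) for h in bypass_hooks):
        return
    raise PermissionError(f"{user['name']} may not access {resource['id']}")


# Constructed sample rules and data, for illustration only.
def owner_only(user: dict, resource: dict) -> bool:
    return user["name"] in resource["owners"]

def shared_by_team(user: dict, resource: dict) -> bool:
    return resource.get("team") in user.get("teams", [])

ALICE = {"name": "alice", "teams": ["finance"]}
CHART = {"id": "chart-1", "owners": ["bob"], "team": "finance"}
```

Because every hook is OR-ed with the base rule, a hook can only widen access, so logging each grant gives an audit trail of decisions made outside the built-in checks.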

@github-actions github-actions Bot added the api Related to the REST API label Jun 3, 2026
codecov Bot commented Jun 3, 2026

Codecov Report

❌ Patch coverage is 61.53846% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.03%. Comparing base (6967057) to head (7609dc0).
⚠️ Report is 34 commits behind head on master.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| superset/charts/filters.py | 50.00% | 3 Missing and 1 partial ⚠️ |
| superset/dashboards/filters.py | 42.85% | 3 Missing and 1 partial ⚠️ |
| superset/commands/utils.py | 50.00% | 1 Missing and 2 partials ⚠️ |
| superset/security/manager.py | 76.92% | 1 Missing and 2 partials ⚠️ |
| superset/charts/api.py | 33.33% | 1 Missing and 1 partial ⚠️ |
| superset/commands/explore/get.py | 50.00% | 1 Missing and 1 partial ⚠️ |
| superset/dashboards/api.py | 0.00% | 1 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #40707      +/-   ##
==========================================
- Coverage   64.03%   64.03%   -0.01%     
==========================================
  Files        2663     2664       +1     
  Lines      143619   143835     +216     
  Branches    33030    33081      +51     
==========================================
+ Hits        91973    92111     +138     
- Misses      50044    50106      +62     
- Partials     1602     1618      +16     

| Flag | Coverage Δ |
| --- | --- |
| hive | 39.74% <40.38%> (+0.07%) ⬆️ |
| mysql | 58.41% <61.53%> (+0.02%) ⬆️ |
| postgres | 58.48% <61.53%> (+0.02%) ⬆️ |
| presto | 41.33% <40.38%> (+0.06%) ⬆️ |
| python | 59.95% <61.53%> (+0.01%) ⬆️ |
| sqlite | 58.11% <61.53%> (+0.02%) ⬆️ |
| unit | 100.00% <ø> (ø) |


netlify Bot commented Jun 3, 2026

Deploy Preview for superset-docs-preview ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | fd5387b |
| 🔍 Latest deploy log | https://app.netlify.com/projects/superset-docs-preview/deploys/6a21416615a6dc0008b2ed3b |
| 😎 Deploy Preview | https://deploy-preview-40707--superset-docs-preview.netlify.app |