Skip to content

fix(security): Add active property to guest user #35454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
msyavuz merged 1 commit into from
Oct 22, 2025
Merged

fix(security): Add active property to guest user #35454

msyavuz merged 1 commit into from
Oct 22, 2025

Conversation

@msyavuz
Copy link
Member

@msyavuz msyavuz commented Oct 2, 2025

SUMMARY

Fixes the error by adding a property for active on guest user.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

Embed a dashboard and see that there are no errors.

ADDITIONAL INFORMATION

  • Has associated issue: Fixes [6.0.0-RC2] 'GuestUser' object has no attribute 'active' #35284
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@msyavuz msyavuz changed the title fix(security): add active property to guest user fix(security): Add active property to guest user Oct 2, 2025
korbit-ai[bot]
korbit-ai bot approved these changes Oct 2, 2025
View reviewed changes
Copy link

@korbit-ai korbit-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've completed my review and didn't find any issues.

Files scanned
File Path Reviewed
superset/security/guest_token.py

Explore our documentation to understand the languages and file types we support and the files we ignore.

Check out our docs on how you can make Korbit work best for you and your team.

Loving Korbit!? Share us on LinkedIn Reddit and X

@msyavuz msyavuz requested a review from dpgaspar October 2, 2025 17:02
@dosubot dosubot bot added the authentication:access-control Rlated to access control label Oct 2, 2025
bito-code-review[bot]
bito-code-review bot reviewed Oct 2, 2025
View reviewed changes
Copy link
Contributor

@bito-code-review bito-code-review bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #fe6ce1

Actionable Suggestions - 1
  • superset/security/guest_token.py - 1
Review Details
  • Files reviewed - 1 · Commit Range: bb30f55..bb30f55
    • superset/security/guest_token.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent You can customize the agent settings here or contact your Bito workspace admin at [email protected].

Documentation & Help

AI Code Review powered by Bito Logo

superset/security/guest_token.py
Comment on lines 61 to +62
is_guest_user = True
active = True
Copy link
Contributor

@bito-code-review bito-code-review bot Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flask-Login interface violation

The added active = True class attribute does not implement the required Flask-Login is_active property. Flask-Login expects user classes to provide an is_active property (not a class attribute) that returns a boolean indicating whether the user account is active. This mismatch will cause authentication failures when Flask-Login checks current_user.is_active for guest users. Replace the class attribute with a proper @property method is_active that returns True, ensuring compatibility with Flask-Login's user interface requirements.

Code suggestion
Check the AI-generated fix before applying
Suggested change
is_guest_user = True
active = True
is_guest_user = True
@property
def is_active(self) -> bool:
return True

Code Review Run #fe6ce1

Should Bito avoid suggestions like this for future reviews? (Manage Rules)

  • Yes, avoid them

@sadpandajoe sadpandajoe added the review:checkpoint Last PR reviewed during the daily review standup label Oct 2, 2025
geido
geido reviewed Oct 3, 2025
View reviewed changes
superset/security/guest_token.py
"""

is_guest_user = True
active = True
Copy link
Member

@geido geido Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would help if we can provide a bit more context as of why this issue came into existence and how this fixes it?

Copy link
Member Author

@msyavuz msyavuz Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tagged @dpgaspar as a reviewer because i think a recent FAB update caused this.

@michael-s-molina michael-s-molina removed the review:checkpoint Last PR reviewed during the daily review standup label Oct 3, 2025
@sadpandajoe sadpandajoe mentioned this pull request Oct 6, 2025
Closed
9 tasks
@irodriguez-nebustream
Copy link
Contributor

irodriguez-nebustream commented Oct 8, 2025

Following this PR, I use this functionality and have seen the same issues on 6.0.0rc2. Would love to see this merged in!

sadpandajoe
sadpandajoe reviewed Oct 10, 2025
View reviewed changes
superset/security/guest_token.py
"""

is_guest_user = True
active = True
Copy link
Member

@sadpandajoe sadpandajoe Oct 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be active or is_active?

Copy link

@hsein-bitar hsein-bitar Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested with active = True and confirmed it fixes the issue

Copy link
Member

@dpgaspar dpgaspar Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah the error is:

if current_user.is_authenticated and current_user.active:

so it should be like this, but can you add the is_active also like:

    @property
    def is_active(self):
        return self.active

Looking at it, it does seem that FAB should be using is_active instead of active, I'll make the change.

dpgaspar
dpgaspar approved these changes Oct 21, 2025
View reviewed changes
superset/security/guest_token.py
"""

is_guest_user = True
active = True
Copy link
Member

@dpgaspar dpgaspar Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah the error is:

if current_user.is_authenticated and current_user.active:

so it should be like this, but can you add the is_active also like:

    @property
    def is_active(self):
        return self.active

Looking at it, it does seem that FAB should be using is_active instead of active, I'll make the change.

@msyavuz msyavuz force-pushed the msyavuz/fix/guest-user-active branch from ebbdafb to bb30f55 Compare October 22, 2025 09:27
@msyavuz msyavuz merged commit 98fba1e into master Oct 22, 2025
144 of 145 checks passed
@msyavuz msyavuz deleted the msyavuz/fix/guest-user-active branch October 22, 2025 09:51
@sadpandajoe sadpandajoe added the v6.0 Label added by the release manager to track PRs to be included in the 6.0 branch label Oct 22, 2025
sadpandajoe pushed a commit that referenced this pull request Oct 22, 2025
@msyavuz @sadpandajoe
fix(security): Add active property to guest user (#35454)
bda2d8c 
(cherry picked from commit 98fba1e)
@github-actions github-actions bot added 🍒 6.0.0 Cherry-picked to 6.0.0 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels labels Dec 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sadpandajoe sadpandajoe sadpandajoe left review comments

@geido geido geido left review comments

@dpgaspar dpgaspar dpgaspar approved these changes

+4 more reviewers

@hsein-bitar hsein-bitar hsein-bitar left review comments

@bito-code-review bito-code-review[bot] bito-code-review[bot] left review comments

@irodriguez-nebustream irodriguez-nebustream irodriguez-nebustream approved these changes

@korbit-ai korbit-ai[bot] korbit-ai[bot] approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

authentication:access-control Rlated to access control 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/XS v6.0 Label added by the release manager to track PRs to be included in the 6.0 branch 🍒 6.0.0 Cherry-picked to 6.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[6.0.0-RC2] 'GuestUser' object has no attribute 'active'

7 participants

@msyavuz @irodriguez-nebustream @dpgaspar @sadpandajoe @hsein-bitar @geido @michael-s-molina