
fix(embedded): add CurrentUserRestApi read permission to Public role defaults#38474

Merged
EnxDev merged 3 commits into master from enxdev/fix/embedded-public-role-missing-permissions
Mar 9, 2026

Conversation

@EnxDev
Contributor

@EnxDev EnxDev commented Mar 6, 2026

User description

SUMMARY

When loading an embedded dashboard, the frontend calls /api/v1/me/roles/ as its very first action to bootstrap user permissions.
This call hits the CurrentUserRestApi endpoint, which requires ("can_read", "CurrentUserRestApi") in the user's role.

This permission was missing from PUBLIC_ROLE_PERMISSIONS, the set of defaults applied to the Public role when PUBLIC_ROLE_LIKE = "Public" is configured.

As a result, guest/embedded users received a 403 on the bootstrap call, and the embedded dashboard displayed a black screen with "Something went wrong with embedded authentication" instead of rendering.

This also affects deployments that manually configure their embedded role based on the documented defaults: the permission was simply never listed.

The fix adds ("can_read", "CurrentUserRestApi") alongside the existing embedded permissions (EmbeddedDashboard, Theme, etc.) in PUBLIC_ROLE_PERMISSIONS.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

  • Before
Screenshot 2026-03-05 114951
  • After
Screenshot 2026-03-05 115227

TESTING INSTRUCTIONS

Add to superset_config.py:
PUBLIC_ROLE_LIKE = "Public"
FEATURE_FLAGS = {"EMBEDDED_SUPERSET": True}

  1. Run superset init to sync permissions
  2. Verify the Public role now includes can_read on CurrentUserRestApi:
    Settings → Security → List Roles → Public
  3. Create a dashboard and enable embedding (ellipsis menu → Embed dashboard)
  4. Use the Superset Embedded SDK to load the dashboard with a guest token
  5. Expected: Dashboard renders successfully
  6. Before this fix: Black screen with "Something went wrong with embedded authentication"

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

CodeAnt-AI Description

Add read permission for current-user API to Public role so embedded dashboards load for guests

What Changed

  • Public role defaults now include the read permission for the current-user API used during embedded bootstrap
  • Guest/embedded users no longer receive a 403 on the initial permissions call, allowing embedded dashboards to render instead of showing an authentication error
  • Deployments that apply documented Public-role defaults will get the missing permission after role sync/initialization

Impact

✅ Embedded dashboards render for guest users
✅ Fewer 403 errors during embedded bootstrap
✅ Clearer embedded authentication behavior

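The failure mode in this PR is a single missing (permission, view_menu) tuple on the Public role, which PUBLIC_ROLE_LIKE hands to unauthenticated users. The following added example (not Superset's or the PR author's code) audits such a role's grants two ways: it reports what the embedded bootstrap still lacks, and flags grants too broad for an anonymous role. The required set and the deny-list are constructed samples; only CurrentUserRestApi, EmbeddedDashboard and Theme come from the PR text.

```python
"""Audit a Superset-style role for the embedded guest flow.

Added example for this PR discussion, not Superset's own code. All tuples
below are constructed samples except the three view_menus named in the PR.
"""
from typing import Iterable

Perm = tuple[str, str]  # (permission, view_menu), e.g. ("can_read", "Theme")

# Grants the embedded bootstrap path needs. ("can_read", "CurrentUserRestApi")
# is the one this PR adds for /api/v1/me/roles/; the other two are the existing
# embedded grants the PR mentions. Assumed subset, not the full real list.
EMBEDDED_REQUIRED: frozenset[Perm] = frozenset({
    ("can_read", "CurrentUserRestApi"),
    ("can_read", "EmbeddedDashboard"),
    ("can_read", "Theme"),
})

# Grants an anonymous/Public role should never carry. Constructed deny-list.
NEVER_FOR_PUBLIC: frozenset[Perm] = frozenset({
    ("can_write", "Dashboard"),
    ("can_write", "Database"),
    ("can_read", "Log"),
    ("menu_access", "Security"),
})


def audit_public_role(granted: Iterable[Perm]) -> dict[str, list[Perm]]:
    """Return grants missing for bootstrap, forbidden grants, and leftovers."""
    have = frozenset(granted)
    return {
        "missing": sorted(EMBEDDED_REQUIRED - have),
        "forbidden": sorted(have & NEVER_FOR_PUBLIC),
        "extra": sorted(have - EMBEDDED_REQUIRED - NEVER_FOR_PUBLIC),
    }


def bootstrap_status(granted: Iterable[Perm]) -> int:
    """Simplified model of the status /api/v1/me/roles/ gives a guest."""
    return 200 if ("can_read", "CurrentUserRestApi") in set(granted) else 403


# Constructed sample: the Public role before and after this fix.
ROLE_BEFORE = [("can_read", "EmbeddedDashboard"), ("can_read", "Theme")]
ROLE_AFTER = ROLE_BEFORE + [("can_read", "CurrentUserRestApi")]

if __name__ == "__main__":
    for name, role in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        print(name, bootstrap_status(role), audit_public_role(role))
```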

@EnxDev EnxDev marked this pull request as ready for review March 6, 2026 16:12
@bito-code-review
Contributor

bito-code-review Bot commented Mar 6, 2026

Code Review Agent Run #b93121

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: e5bb7d0..e5bb7d0
    • superset/security/manager.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful


@dosubot dosubot Bot added the authentication:access-control Related to access control label Mar 6, 2026
@EnxDev EnxDev requested review from Vitor-Avila and rusackas March 6, 2026 18:26
@codeant-ai-for-open-source codeant-ai-for-open-source Bot added the size:XS This PR changes 0-9 lines, ignoring generated files label Mar 9, 2026
@EnxDev EnxDev merged commit a17f38a into master Mar 9, 2026
68 of 70 checks passed
@EnxDev EnxDev deleted the enxdev/fix/embedded-public-role-missing-permissions branch March 9, 2026 23:08
michael-s-molina pushed a commit that referenced this pull request Mar 10, 2026
bschreder pushed a commit to bschreder/superset that referenced this pull request Mar 11, 2026
MallikarjunaReddyN pushed a commit to MallikarjunaReddyN/superset that referenced this pull request Mar 18, 2026