Apache Superset [6.0.0-RC2] 'GuestUser' object has no attribute 'active'

Bug description

Description

Apache Superset throws an AttributeError when using guest token authentication. The GuestUser class is missing the required active attribute that Flask-AppBuilder's security manager expects.

Error Message

AttributeError: 'GuestUser' object has no attribute 'active'

## **Stack Trace**
File "/app/.venv/lib/python3.11/site-packages/flask_appbuilder/security/decorators.py", line 106, in wraps
if current_app.appbuilder.sm.has_access(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.venv/lib/python3.11/site-packages/flask_appbuilder/security/manager.py", line 1591, in has_access
if current_user.is_authenticated and current_user.active:
^^^^^^^^^^^^^^^^^^^^
AttributeError: 'GuestUser' object has no attribute 'active'

Steps to Reproduce

1. Configure Superset with guest token authentication
2. Create a guest token for dashboard access
3. Access dashboard API endpoint: GET /api/v1/dashboard/{id}
4. Error occurs when Flask-AppBuilder security manager checks current_user.active

Expected Behavior

Guest users should be able to access permitted dashboards without AttributeError, with the security manager properly checking user permissions.

Actual Behavior

The application crashes with a 500 error because the GuestUser class lacks the active attribute required by Flask-AppBuilder's permission system.

Environment

• Superset Version: 6.0.0RC2
• Python Version: 3.11
• Deployment: Docker container
• Authentication: Guest token authentication

Suggested Fix

The GuestUser class should include the required Flask-AppBuilder attributes: - active = True - is_authenticated property - is_anonymous property

Additional Context

This appears to be a compatibility issue between Superset's guest authentication implementation and Flask-AppBuilder's security manager expectations. The error specifically occurs at line 1591 in Flask-AppBuilder's manager.py when checking user permissions.

Workaround

Manually add the missing attributes to the GuestUser class implementation in the security manager configuration.

Screenshots/recordings

No response

Superset version

6.0.0rc2

Python version

3.11

Browser

Chrome

Additional context

No response

Checklist

• [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
• [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
• [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

You are correct: in Superset 6.0.0-RC2, the GuestUser class (defined in superset/security/guest_token.py) does not have an active attribute, which Flask-AppBuilder expects for permission checks. This causes the AttributeError you’re seeing when using guest token authentication. The class does implement is_authenticated and is_anonymous properties, but omits active reference.

There is no official fix or workaround documented yet, and recent pull requests do not address this issue. Manually adding active = True to the GuestUser class is a valid workaround and will resolve the compatibility problem with Flask-AppBuilder’s security manager reference.

No changes in recent PRs or discussions indicate this has been fixed upstream, so your suggested patch is the best approach for now.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

Comment From: sadpandajoe

@dpgaspar mind seeing if this is an issue with FAB in 6.0.0rc2?