Bug description
"Guest user cannot modify chart payload" error is displayed for imported charts.
Screenshots/recordings
How to reproduce the bug
I embedded Apache Superset in the web application (Spring Boot and Angular) with authentication. After connection, Superset is displayed without the charts and, in the browser logs, I get a 403.
Here is a print screen of the error:
Can you help me?
Superset version 4.0.2
Python version 3.9
Spring Boot 3.1.4
Angular 16
Browser Firefox
Superset version
4.0.2
Python version
3.9
Node version
16
Browser
Firefox
Additional context
No response
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
Hey @choumiwail! I'm here to help you with the issue you're experiencing. I can assist with bug solving, answering questions, and more while you wait for a human maintainer.
I found a similar issue regarding the "Guest user cannot modify chart payload" error when embedding charts in Apache Superset. The error typically occurs when the guest user attempts to modify the chart ID, metrics, columns, or other form data, which is not allowed.
To resolve this issue, ensure that the form data being sent by the guest user matches the stored parameters for the chart. Here are some key points to check:
- Chart ID Consistency: Ensure that the `slice_id` in the form data matches the expected chart ID. For example, if the stored chart ID is 65, the form data should also have `"slice_id": 65`.
- Metrics and Columns Consistency: Ensure that the metrics and columns in the form data are not tampered with. They should match the stored metrics and columns for the chart.
- Avoid Tampering: Ensure that the form data sent by the guest user is not altered from what is stored, as any modification will raise a `SupersetSecurityException`.
Additionally, ensure that you have properly configured the guest token authentication. This involves:
- Activating the `EMBEDDED_SUPERSET` feature flag.
- Setting a strong password in the `GUEST_TOKEN_JWT_SECRET` configuration variable.
- Using the `POST /security/guest_token` endpoint to create a guest token with the necessary permissions and passing it to your frontend [1][2].
By ensuring that the guest user's request payload is consistent with the stored chart parameters and properly configuring guest token authentication, you should be able to avoid the 403 Forbidden error.
To continue talking to Dosu, mention @dosu.
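The consistency rule described in the comment above, as an added example (not part of the thread and not Superset's own code): it diffs a guest request's form data against the stored chart parameters and reports which field differs. The `payload_violations` helper, the sample dictionaries and the rule that any entry absent from the stored chart counts as a modification are assumptions made for illustration.

```python
import json
from typing import Any

# Fields the comment above names as fixed for guest users; a simplified
# model written for this example, not Superset's own implementation.
GUARDED_LISTS = ("metrics", "columns")


def canon(values: Any) -> set:
    """Serialise each entry (plain name or adhoc dict) so entries compare by content."""
    return {json.dumps(v, sort_keys=True) for v in (values or [])}


def payload_violations(stored: dict, requested: dict) -> list:
    """List every reason a guest request differs from the stored chart; [] means it passes."""
    problems = []
    if requested.get("slice_id") != stored.get("slice_id"):
        problems.append(
            f"slice_id: stored={stored.get('slice_id')!r} requested={requested.get('slice_id')!r}"
        )
    for key in GUARDED_LISTS:
        # Assumption: any entry absent from the stored chart counts as a modification.
        added = canon(requested.get(key)) - canon(stored.get(key))
        if added:
            problems.append(f"{key}: not in stored chart: {sorted(added)}")
    return problems


# Constructed sample data (chart ID 65 is the value used in the comment above).
STORED = {
    "slice_id": 65,
    "metrics": ["count", {"expressionType": "SQL", "sqlExpression": "SUM(amount)", "label": "total"}],
    "columns": ["country", "order_date"],
}
SAME = json.loads(json.dumps(STORED))  # identical payload, as the embedded dashboard should send
TAMPERED = {**SAME, "slice_id": 66, "columns": ["country", "order_date", "email"]}

if __name__ == "__main__":
    for name, req in (("same", SAME), ("tampered", TAMPERED)):
        print(name, payload_violations(STORED, req) or "OK")
```

Running the same comparison on the `form_data` from a failing request and the chart's saved parameters shows which key to inspect when the 403 appears.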
Comment From: choumiwail
Hey @dosu After opening a chart in Superset and refreshing the page where Superset is integrated, I've noticed that the chart is displayed correctly and that the ‘Guest user cannot modify chart payload’ error no longer appears.
The 'EMBEDDED_SUPERSET' is activated and the guest token is generated.
Comment From: dosubot[bot]
Hey @choumiwail! I'm glad to hear that the error no longer appears after refreshing the page. It sounds like things are working smoothly now. If you have any more technical questions or need help with bugs, feel free to ask. If you think I should have addressed something else, you can always reach out to the Dosu Team. 😊
Comment From: choumiwail
@dosu I don't understand why, after the page has been refreshed, the charts are still displayed.
Comment From: dosubot[bot]
After a page refresh, the charts are still displayed because the guest token mechanism in Apache Superset maintains session state across page interactions. When you refresh the page, the guest token is used to authenticate the user as an anonymous user with the specified permissions and access rights. This ensures that the user's session remains consistent, allowing the charts to be displayed correctly without encountering the "Guest user cannot modify chart payload" error [1][2].
Comment From: mostopalove
Hello, @choumiwail! Try to upgrade your Superset to version 4.1.1 and make sure you request guest with a list of resources.
```js
resources: [
  {
    type: "dashboard",
    id: "your-dashboard-uuid",
  },
]
```
You can check my configuration in this repo
Comment From: mostopalove
This issue returns again from superset-helm-chart-0.13.5 release and above. In superset-helm-chart-0.13.4 everything works as expected.
Comment From: rusackas
@sadpandajoe or @betodealmeida might remember this one, but I believe it was fixed... I'm just not sure when. You might want to try 4.1.1.
Comment From: guidobonuzzi
I am testing version 4.1.2rc1 with various embedded boards that are imported. The issue with the error message "Guest user cannot modify chart payload" has not been fully resolved for all charts. For the charts where the issue persists, the workaround of editing the individual chart does not work either.
I have made several attempts to understand what is causing the issue. It seems to occur mainly in table-type charts that contain date fields.