This is an automated email from the ASF dual-hosted git repository.

msyavuz pushed a commit to branch msyavuz/fix/embedded-multilayer
in repository https://gitbox.apache.org/repos/asf/superset.git

commit cd474fb91bd5e575b1cd7accec469b6c220dded8
Author: Mehmet Salih Yavuz <[email protected]>
AuthorDate: Tue Feb 24 18:57:57 2026 +0300

    fix: add parent_slice_id and use it
---
 .../legacy-preset-chart-deckgl/src/Multi/Multi.tsx       |  2 ++
 superset/security/manager.py                             | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git 
a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/Multi/Multi.tsx 
b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/Multi/Multi.tsx
index f0f4d34a959..6a58ac83a05 100644
--- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/Multi/Multi.tsx
+++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/Multi/Multi.tsx
@@ -289,6 +289,8 @@ const DeckMulti = (props: DeckMultiProps) => {
           adhoc_filters: adhocFilters,
           // Preserve dashboard context for embedded mode permissions
           ...(formData.dashboardId && { dashboardId: formData.dashboardId }),
+          // Include parent multilayer chart ID for security checks
+          ...(formData.slice_id && { parent_slice_id: formData.slice_id }),
         },
       } as any as JsonObject & { slice_id: number };
 
diff --git a/superset/security/manager.py b/superset/security/manager.py
index 9f97c810d77..d35ebb4afb5 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -2590,14 +2590,26 @@ class SupersetSecurityManager(  # pylint: 
disable=too-many-public-methods
                         or (
                             # Chart.
                             form_data.get("type") != "NATIVE_FILTER"
-                            and (slice_id := form_data.get("slice_id"))
+                            and (
+                                # Use parent_slice_id if present (for 
multilayer chart children)
+                                # Otherwise use slice_id directly
+                                slice_id := (
+                                    form_data.get("parent_slice_id")
+                                    or form_data.get("slice_id")
+                                )
+                            )
                             and (
                                 slc := self.session.query(Slice)
                                 .filter(Slice.id == slice_id)
                                 .one_or_none()
                             )
                             and slc in dashboard_.slices
-                            and slc.datasource == datasource
+                            and (
+                                # For parent charts, check datasource directly
+                                # For child charts of multilayer, parent is 
already validated
+                                slc.datasource == datasource
+                                or form_data.get("parent_slice_id") is not None
+                            )
                         )
                         or self.has_drill_by_access(form_data, dashboard_, 
datasource)
                     )
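Review bot: The added `or form_data.get("parent_slice_id") is not None` branch skips the datasource comparison whenever the request carries a `parent_slice_id`, and that key is taken from client-supplied form data (the Multi.tsx hunk sets it in the browser). With it present, the clause only requires that the named slice exists and is in `dashboard_.slices`, so nothing visible here ties the requested `datasource` to a layer of that parent; the comment "parent is already validated" covers the parent, not the child. The bypass should be narrowed so that the child is accepted only when the validated parent lists it and the child's own datasource is the one being checked. The sketch below assumes the parent's saved params hold its layer ids under `deck_slices` and that the child request still carries its own `slice_id`; both need confirming against the model and the frontend. The enclosing boolean expression starts and ends outside this hunk.

```python
                            and slc in dashboard_.slices
                            and (
                                slc.datasource == datasource
                                or (
                                    # Child layer of a multilayer chart: trust it only
                                    # if the validated parent lists this child and the
                                    # child's own datasource is the one requested.
                                    form_data.get("parent_slice_id") is not None
                                    and (child_id := form_data.get("slice_id"))
                                    in (slc.params_dict.get("deck_slices") or [])
                                    and (
                                        child := self.session.query(Slice)
                                        .filter(Slice.id == child_id)
                                        .one_or_none()
                                    )
                                    and child.datasource == datasource
                                )
                            )
                        # … unchanged: has_drill_by_access fallback …
```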
