dosubot[bot] commented on issue #31872: URL: https://github.com/apache/superset/issues/31872#issuecomment-2592899285
Hey @choumiwail! I'm here to help you with the issue you're experiencing. I can assist with bug solving, answering questions, and more while you wait for a human maintainer.

I found a similar issue regarding the "Guest user cannot modify chart payload" error when embedding charts in Apache Superset. The error typically occurs when the guest user attempts to modify the chart ID, metrics, columns, or other form data, which is not allowed. To resolve this issue, ensure that the form data being sent by the guest user matches the stored parameters for the chart. Here are some key points to check:

1. **Chart ID Consistency**: Ensure that the `slice_id` in the form data matches the expected chart ID. For example, if the stored chart ID is 65, the form data should also have `"slice_id": 65`.
2. **Metrics and Columns Consistency**: Ensure that the metrics and columns in the form data are not tampered with. They should match the stored metrics and columns for the chart.
3. **Avoid Tampering**: Ensure that the form data sent by the guest user is not altered from what is stored, as any modification will raise a `SupersetSecurityException`.

Additionally, ensure that you have properly configured the guest token authentication. This involves:

- Activating the `EMBEDDED_SUPERSET` feature flag.
- Setting a strong password in the `GUEST_TOKEN_JWT_SECRET` configuration variable.
- Using the `POST /security/guest_token` endpoint to create a guest token with the necessary permissions and passing it to your frontend <sup>[[1]](https://github.com/apache/superset/blob/master/tests/unit_tests/security/manager_test.py)</sup><sup>[[2]](https://github.com/apache/superset/blob/master/superset-embedded-sdk/README.md)</sup>.

By ensuring that the guest user's request payload is consistent with the stored chart parameters and properly configuring guest token authentication, you should be able to avoid the 403 Forbidden error.
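The consistency check the comment describes, as an added stand-alone illustration (not Superset's own implementation and not code from the thread): the guarded keys, the stored chart parameters and the `GuestPayloadTampered` exception are constructed for this example, and the chart id 65 is the one used in the comment.

```python
import json
from typing import Any

# Stored chart parameters, constructed for this example (chart id 65 as in the comment).
# Metrics may be plain metric names or ad-hoc metric dicts, as they are in Superset form data.
STORED_CHART_PARAMS = {
    "slice_id": 65,
    "metrics": ["count", {"label": "SUM(sales)", "expressionType": "SQL", "sqlExpression": "SUM(sales)"}],
    "columns": ["region", "year"],
}

# Form-data keys a guest must not change; illustrative list, not Superset's own.
GUARDED_KEYS = ("slice_id", "metrics", "columns")


class GuestPayloadTampered(Exception):
    """Raised when a guest's form data diverges from the stored chart parameters."""

    def __init__(self, fields: list):
        self.fields = fields
        super().__init__("Guest user cannot modify chart payload: " + ", ".join(fields))


def _canonical(value: Any) -> str:
    # Serialise with sorted keys so an ad-hoc metric dict whose keys arrive in a
    # different order is not reported as tampered. List order still matters.
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def tampered_fields(form_data: dict, stored: dict) -> list:
    """Return the guarded keys whose guest-supplied value differs from the stored one."""
    return [k for k in GUARDED_KEYS if _canonical(form_data.get(k)) != _canonical(stored.get(k))]


def check_guest_payload(form_data: dict, stored: dict = STORED_CHART_PARAMS) -> bool:
    """Accept the payload only if every guarded field matches; otherwise raise."""
    diffs = tampered_fields(form_data, stored)
    if diffs:
        raise GuestPayloadTampered(diffs)
    return True


if __name__ == "__main__":
    ok = dict(STORED_CHART_PARAMS, row_limit=100)        # extra, non-guarded key is fine
    print(check_guest_payload(ok))                        # True
    bad = dict(STORED_CHART_PARAMS, slice_id=66)          # chart id changed by the guest
    try:
        check_guest_payload(bad)
    except GuestPayloadTampered as exc:
        print(exc.fields)                                 # ['slice_id']
```

A `slice_id` that arrives as the string `"65"` rather than the integer `65` is reported as a difference by this check, so normalise types before comparing if your frontend sends strings.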
