feat(rbac): hide unauthorized menu sections and enforce route guards

backend/src/core/superset_client.py

@@ -159,14 +159,37 @@ class SupersetClient:
 
             # Map fields to DashboardMetadata schema
             result = []
-            for dash in dashboards:
-                owners = self._extract_owner_labels(dash.get("owners"))
+            max_debug_samples = 12
+            for index, dash in enumerate(dashboards):
+                raw_owners = dash.get("owners")
+                raw_created_by = dash.get("created_by")
+                raw_changed_by = dash.get("changed_by")
+                raw_changed_by_name = dash.get("changed_by_name")
+
+                owners = self._extract_owner_labels(raw_owners)
                 # No per-dashboard detail requests here: keep list endpoint O(1).
                 if not owners:
                     owners = self._extract_owner_labels(
-                        [dash.get("created_by"), dash.get("changed_by")],
+                        [raw_created_by, raw_changed_by],
                     )
 
+                projected_created_by = self._extract_user_display(
+                    None,
+                    raw_created_by,
+                )
+                projected_modified_by = self._extract_user_display(
+                    raw_changed_by_name,
+                    raw_changed_by,
+                )
+
+                raw_owner_usernames: List[str] = []
+                if isinstance(raw_owners, list):
+                    for owner_payload in raw_owners:
+                        if isinstance(owner_payload, dict):
+                            owner_username = self._sanitize_user_text(owner_payload.get("username"))
+                            if owner_username:
+                                raw_owner_usernames.append(owner_username)
+
                 result.append({
                     "id": dash.get("id"),
                     "slug": dash.get("slug"),
@@ -174,16 +197,26 @@ class SupersetClient:
                     "url": dash.get("url"),
                     "last_modified": dash.get("changed_on_utc"),
                     "status": "published" if dash.get("published") else "draft",
-                    "created_by": self._extract_user_display(
-                        None,
-                        dash.get("created_by"),
-                    ),
-                    "modified_by": self._extract_user_display(
-                        dash.get("changed_by_name"),
-                        dash.get("changed_by"),
-                    ),
+                    "created_by": projected_created_by,
+                    "modified_by": projected_modified_by,
                     "owners": owners,
                 })
+
+                if index < max_debug_samples:
+                    app_logger.reflect(
+                        "[REFLECT] Dashboard actor projection sample "
+                        f"(env={getattr(self.env, 'id', None)}, dashboard_id={dash.get('id')}, "
+                        f"raw_owners={raw_owners!r}, raw_owner_usernames={raw_owner_usernames!r}, "
+                        f"raw_created_by={raw_created_by!r}, raw_changed_by={raw_changed_by!r}, "
+                        f"raw_changed_by_name={raw_changed_by_name!r}, projected_owners={owners!r}, "
+                        f"projected_created_by={projected_created_by!r}, projected_modified_by={projected_modified_by!r})"
+                    )
+
+            app_logger.reflect(
+                "[REFLECT] Dashboard actor projection summary "
+                f"(env={getattr(self.env, 'id', None)}, dashboards={len(result)}, "
+                f"sampled={min(len(result), max_debug_samples)})"
+            )
             return result
     # [/DEF:get_dashboards_summary:Function]