
fix(rls): reject empty or whitespace-only RLS clauses #41297

Open

rusackas wants to merge 1 commit into master from fix/rls-clause-non-empty


Conversation

@rusackas

Member

SUMMARY

The RLS clause field was validated only for presence and type (required=True / allow_none=False), which does not reject an empty string and has no non-blank constraint. An empty or whitespace-only clause could be persisted; as a base filter (designed to always restrict) an empty clause produces a predicate that constrains nothing, silently disabling the control.

This adds a non-blank validator to the clause field on both the create (RLSPostSchema) and update (RLSPutSchema) schemas, rejecting empty and whitespace-only clauses on both paths.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — schema validation behavior.

TESTING INSTRUCTIONS

Unit tests added in tests/unit_tests/row_level_security/schema_test.py:

  • Blank/whitespace clauses are rejected on create and update.
  • Non-blank clauses are accepted.
  • A partial update that omits clause remains valid.

Run: pytest tests/unit_tests/row_level_security/schema_test.py

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

The RLS clause field was validated only for presence and type, so an empty or
whitespace-only string could be persisted. As a base filter, an empty clause
produces a non-restrictive predicate, silently disabling the control.

Add a non-blank validator to the clause field on both the create and update
schemas so empty/whitespace-only clauses are rejected.

Adds unit tests covering blank/whitespace rejection, valid clauses, and an
update that omits the clause.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
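The failure mode and the fix described above, as an added example that is not Superset's own code: plain Python stands in for the marshmallow RLSPostSchema / RLSPutSchema so it runs without dependencies, and the field names (name, filter_type, tables, roles, clause) follow the PR. Note that in marshmallow a `required=True` check or a `validate.Length(min=1)` check both accept `"   "`, because neither strips whitespace; the non-blank validator below does. The ValidationError class, validate_rls_payload, is_rejected and effective_where are all assumptions of this example.

```python
# Added example, not Superset's own code: plain Python stands in for the
# marshmallow RLSPostSchema / RLSPutSchema so it runs without dependencies.
# Field names (name, filter_type, tables, roles, clause) follow the PR.
from __future__ import annotations

from typing import Any


class ValidationError(ValueError):
    """Stand-in for marshmallow's ValidationError (assumption of this example)."""


CREATE_REQUIRED = ("name", "filter_type", "tables", "roles", "clause")


def validate_non_blank(value: Any) -> None:
    """Reject None, non-strings, '' and whitespace-only strings.

    A presence/type check or a length >= 1 check would accept '   ', which is
    exactly the gap the PR closes: strip() before testing truthiness.
    """
    if not isinstance(value, str) or not value.strip():
        raise ValidationError("clause must not be empty or whitespace-only")


def validate_rls_payload(payload: dict[str, Any], partial: bool = False) -> dict[str, Any]:
    """Create path (partial=False): every field is required.

    Update path (partial=True): fields may be omitted, but a clause that IS
    present must still be non-blank, mirroring the validator on both schemas.
    """
    if not partial:
        missing = [f for f in CREATE_REQUIRED if f not in payload]
        if missing:
            raise ValidationError(f"missing required fields: {missing}")
    if "clause" in payload:
        validate_non_blank(payload["clause"])
    return payload


def is_rejected(payload: dict[str, Any], partial: bool = False) -> bool:
    """True when the payload fails validation; convenient for tests."""
    try:
        validate_rls_payload(payload, partial=partial)
    except ValidationError:
        return True
    return False


def effective_where(clauses: list[str]) -> str:
    """Show why a blank clause matters: it contributes no predicate.

    Joining the non-blank clauses is what a filter builder is left with once
    blanks are dropped; if every base clause is blank the result is '' and
    the query runs unrestricted, which is the silent bypass the PR prevents.
    """
    parts = [c.strip() for c in clauses if c.strip()]
    return " AND ".join(f"({c})" for c in parts)


if __name__ == "__main__":
    # Constructed sample payloads, matching the shape used in the PR's tests.
    good = {"name": "rule", "filter_type": "Regular", "tables": [1],
            "roles": [1], "clause": "client_id = 9"}
    print(is_rejected(good))                                # False
    print(is_rejected({**good, "clause": "   "}))           # True
    print(is_rejected({"name": "renamed"}, partial=True))   # False: omitted clause is fine
    print(is_rejected({"clause": ""}, partial=True))        # True
    print(repr(effective_where(["   "])))                   # '' : nothing restricts
```

The partial-update path is the one worth a second look in any similar change: making a field optional on PUT is correct, but the validator must still run whenever the field is supplied, otherwise a blank value can be slipped in through the update route even if creation rejects it.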
@rusackas rusackas added the asvs label Jun 23, 2026
@dosubot dosubot Bot added the authentication:row-level-security Related to Row Level Security label Jun 23, 2026
@bito-code-review

bito-code-review Bot commented Jun 23, 2026

Contributor

Code Review Agent Run #c55543

Actionable Suggestions - 0
Review Details
  • Files reviewed - 3 · Commit Range: f9263e4..f9263e4
    • superset/row_level_security/schemas.py
    • tests/unit_tests/row_level_security/__init__.py
    • tests/unit_tests/row_level_security/schema_test.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful


from superset.row_level_security.schemas import RLSPostSchema, RLSPutSchema


def _post_payload(**overrides):

Contributor


Suggestion: Add full type annotations to _post_payload, including a typed **overrides parameter and an explicit return type. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

This is a newly added Python helper function and it has no type hints for either the variadic parameter overrides or the return value. The rule requires new Python code to be fully typed, so this is a real violation.



@bito-code-review

Contributor

The suggestion to add type annotations to the _post_payload helper function is correct, as it improves code clarity and adheres to the project's typing standards. You can resolve this by updating the function signature to include type hints for the **overrides parameter and the return type, as shown below:

from typing import Any, Dict

def _post_payload(**overrides: Any) -> Dict[str, Any]:
    payload = {
        "name": "rule",
        "filter_type": "Regular",
        "tables": [1],
        "roles": [1],
        "clause": "client_id = 9",
    }
    payload.update(overrides)
    return payload

There are no other comments on this pull request to address. Would you like me to check for any other potential improvements in this file?


@codecov

codecov Bot commented Jun 23, 2026


Codecov Report

❌ Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.34%. Comparing base (3b46a5f) to head (f9263e4).

Files with missing lines                  Patch %   Lines
superset/row_level_security/schemas.py    50.00%    1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #41297      +/-   ##
==========================================
- Coverage   64.34%   64.34%   -0.01%     
==========================================
  Files        2653     2653              
  Lines      144952   144955       +3     
  Branches    33433    33434       +1     
==========================================
- Hits        93273    93268       -5     
- Misses      49995    50000       +5     
- Partials     1684     1687       +3     
Flag       Coverage   Δ
hive       39.27%     <50.00%> (-0.01%) ⬇️
mysql      58.00%     <50.00%> (-0.01%) ⬇️
postgres   58.06%     <50.00%> (-0.01%) ⬇️
presto     40.86%     <50.00%> (-0.01%) ⬇️
python     59.50%     <50.00%> (-0.01%) ⬇️
sqlite     57.72%     <50.00%> (-0.01%) ⬇️
unit       100.00%    <ø> (ø)

