Superset 6.0: “View query” shows empty SQL in embedded dashboard, but works with anonymous login under the same role #35686
I embedded a Superset dashboard into an HTML page. When I click “View query” in the chart, the SQL panel is empty. With the same role, accessing the dashboard via anonymous login shows the SQL correctly. What could be causing this, and is there any additional configuration needed to make “View query” work in the embedded view? I’m using Superset version 6.0.

All permissions are:

```json
{
  "result": [
    {"id": 1, "permission_name": "can_read", "view_menu_name": "SavedQuery"},
    {"id": 3, "permission_name": "can_read", "view_menu_name": "CssTemplate"},
    {"id": 7, "permission_name": "can_read", "view_menu_name": "Chart"},
    {"id": 11, "permission_name": "can_read", "view_menu_name": "Dataset"},
    {"id": 15, "permission_name": "can_read", "view_menu_name": "Dashboard"},
    {"id": 17, "permission_name": "can_read", "view_menu_name": "Database"},
    {"id": 19, "permission_name": "can_read", "view_menu_name": "Query"},
    {"id": 122, "permission_name": "can_invalidate", "view_menu_name": "CacheRestApi"},
    {"id": 128, "permission_name": "can_read", "view_menu_name": "DashboardFilterStateRestApi"},
    {"id": 130, "permission_name": "can_read", "view_menu_name": "DashboardPermalinkRestApi"},
    {"id": 134, "permission_name": "can_cache_dashboard_screenshot", "view_menu_name": "Dashboard"},
    {"id": 136, "permission_name": "can_get_embedded", "view_menu_name": "Dashboard"},
    {"id": 138, "permission_name": "can_get_drill_info", "view_menu_name": "Dataset"},
    {"id": 143, "permission_name": "can_get_column_values", "view_menu_name": "Datasource"},
    {"id": 144, "permission_name": "can_read", "view_menu_name": "EmbeddedDashboard"},
    {"id": 146, "permission_name": "can_read", "view_menu_name": "ExploreFormDataRestApi"},
    {"id": 148, "permission_name": "can_read", "view_menu_name": "ExplorePermalinkRestApi"},
    {"id": 158, "permission_name": "can_format_sql", "view_menu_name": "SQLLab"},
    {"id": 159, "permission_name": "can_read", "view_menu_name": "SQLLab"},
    {"id": 163, "permission_name": "can_get_results", "view_menu_name": "SQLLab"},
    {"id": 174, "permission_name": "can_query", "view_menu_name": "Api"},
    {"id": 175, "permission_name": "can_time_range", "view_menu_name": "Api"},
    {"id": 176, "permission_name": "can_query_form_data", "view_menu_name": "Api"},
    {"id": 178, "permission_name": "can_samples", "view_menu_name": "Datasource"},
    {"id": 179, "permission_name": "can_get", "view_menu_name": "Datasource"},
    {"id": 180, "permission_name": "can_external_metadata", "view_menu_name": "Datasource"},
    {"id": 181, "permission_name": "can_external_metadata_by_name", "view_menu_name": "Datasource"},
    {"id": 186, "permission_name": "can_fetch_datasource_metadata", "view_menu_name": "Superset"},
    {"id": 187, "permission_name": "can_dashboard", "view_menu_name": "Superset"},
    {"id": 190, "permission_name": "can_log", "view_menu_name": "Superset"},
    {"id": 191, "permission_name": "can_slice", "view_menu_name": "Superset"},
    {"id": 212, "permission_name": "can_read", "view_menu_name": "SecurityRestApi"},
    {"id": 225, "permission_name": "menu_access", "view_menu_name": "Dashboards"},
    {"id": 235, "permission_name": "menu_access", "view_menu_name": "SQL Lab"},
    {"id": 239, "permission_name": "all_datasource_access", "view_menu_name": "all_datasource_access"},
    {"id": 245, "permission_name": "can_sqllab", "view_menu_name": "Superset"},
    {"id": 246, "permission_name": "can_view_query", "view_menu_name": "Dashboard"},
    {"id": 247, "permission_name": "can_view_chart_as_table", "view_menu_name": "Dashboard"},
    {"id": 248, "permission_name": "can_drill", "view_menu_name": "Dashboard"}
  ]
}
```
Replies: 1 comment
Hi @iir0221! I'm Dosu and I’m helping the Superset team.

This is expected behavior in Superset 6.0: when a dashboard is viewed in embedded mode (using a guest token), the backend intentionally strips the SQL query from the API response for security reasons, even if the role has all the necessary permissions. This is done to prevent exposing potentially sensitive SQL in embedded contexts. Anonymous login (not using a guest token) is not treated as an embedded/guest user, so the SQL is shown if permissions allow it.

There is no configuration or permission that will allow embedded dashboards to display the SQL in "View query"—this restriction is enforced by the backend regardless of role permissions.

Reference: backend code that removes SQL for guest users.
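The behaviour described in the reply above, modelled as an added example that is not part of the original thread and is not Superset's own code: the principal type (guest token or not) is checked before any role permission, so the same role yields different responses. `Principal`, `redact_sql`, `chart_data_response`, `contains_sql` and the payload shape are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical model of the gate the reply describes; not Superset code.
VIEW_QUERY = ("can_view_query", "Dashboard")   # permission pair from the posted role
SQL_KEYS = {"query"}                           # assumed key that carries generated SQL

@dataclass(frozen=True)
class Principal:
    name: str
    permissions: frozenset          # (permission_name, view_menu_name) pairs
    is_guest: bool = False          # True when authenticated by an embedded guest token

def redact_sql(payload):
    """Return a copy of the payload with SQL-bearing keys removed at every level."""
    if isinstance(payload, dict):
        return {k: redact_sql(v) for k, v in payload.items() if k not in SQL_KEYS}
    if isinstance(payload, list):
        return [redact_sql(v) for v in payload]
    return payload

def contains_sql(payload):
    """True if any SQL-bearing key survives anywhere in the payload."""
    if isinstance(payload, dict):
        return any(k in SQL_KEYS or contains_sql(v) for k, v in payload.items())
    if isinstance(payload, list):
        return any(contains_sql(v) for v in payload)
    return False

def chart_data_response(principal, raw):
    """Guest check comes first, so role permissions cannot re-enable the SQL."""
    if principal.is_guest:
        return redact_sql(raw)
    if VIEW_QUERY not in principal.permissions:
        return redact_sql(raw)
    return raw

# Constructed sample data: one chart result with its generated SQL.
RAW = {"queries": [{"query": "SELECT region, SUM(amount) FROM sales GROUP BY region",
                    "rowcount": 2,
                    "data": [{"region": "EU", "sum": 10}, {"region": "US", "sum": 7}]}]}
ROLE = frozenset({VIEW_QUERY, ("can_read", "Chart"), ("can_read", "Dashboard")})

GUEST = Principal("embedded-viewer", ROLE, is_guest=True)
ANONYMOUS = Principal("anonymous", ROLE)
NO_PERMISSION = Principal("viewer", frozenset({("can_read", "Chart")}))

if __name__ == "__main__":
    for p in (GUEST, ANONYMOUS, NO_PERMISSION):
        print(p.name, "sees SQL:", contains_sql(chart_data_response(p, RAW)))
```

Because the redaction happens on the server-side payload, the embedded "View query" panel has nothing to render even though the role carries `can_view_query`.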