feat(core): SoftDeleteMixin and restore infrastructure

[mikebridge]

SUMMARY

First of four PRs decomposing the soft-delete work for charts, dashboards, and datasets, SIP-208 — passed 2026-05-08).

This PR ships the infrastructure with zero behaviour change. No model uses the mixin yet, no migration runs, no API surface changes, no permission migrations. Everything in this PR is dormant until the entity-rollout PRs (linked below) opt their concrete entities in.

Entity rollouts (forthcoming, depend on this PR)

• Soft-delete and restore for charts
• Soft-delete and restore for dashboards
• Soft-delete and restore for datasets

Each entity-rollout PR adds SoftDeleteMixin to its model, ships a one-table migration adding the deleted_at column + index, wires the entity-specific concrete subclasses of the abstractions in this PR, and adds entity-level integration tests.

What this PR ships

Runtime mechanism (superset/models/helpers.py, superset/initialization/__init__.py)

• SoftDeleteMixin — adds a nullable deleted_at column, is_deleted hybrid property, where_not_deleted() filter clause, soft_delete() and restore() methods.
• _add_soft_delete_filter — do_orm_execute listener using SQLAlchemy's officially-recommended pattern (Mike Bayer / sqlalchemy#7973). On every primary user SELECT, iterates concrete SoftDeleteMixin subclasses and attaches a with_loader_criteria(cls, cls.where_not_deleted(), include_aliases=True) for each one not in the request's bypass set. Per-class scoping means a bypass for Dashboard does not unhide soft-deleted Slice or SqlaTable rows. Subclass iteration is sorted by __qualname__ so SQLAlchemy's compiled-statement cache key is stable across processes. No-op until something inherits the mixin.
• Two opt-out vehicles, one key (SKIP_VISIBILITY_FILTER_CLASSES) — the listener consults the union of:
  • execution_options[SKIP_VISIBILITY_FILTER_CLASSES] = {Model} on a Query — one-statement narrow scope; used by BaseDAO.find_by_id(skip_visibility_filter=True), security_manager.raise_for_ownership, and find_existing_for_import.
  • session.info[SKIP_VISIBILITY_FILTER_CLASSES] = {Model, ...} on a Session — session-scoped (i.e., request-scoped under Flask-SQLAlchemy) bypass that survives query reconstruction. Used by BaseDeletedStateFilter because FAB's SQLAInterface.get_outer_query_from_inner_query builds the outer fetch query from a fresh session.query(self.obj), dropping the inner query's execution_options. Session-level state survives that reconstruction; per-query options do not.
• skip_visibility_filter(session, *classes) context manager — programmatic bypass with guaranteed cleanup on exception. Wraps the session.info mechanism.

BaseDAO surface (superset/daos/base.py, superset/daos/database.py)

• BaseDAO.soft_delete(items) — calls item.soft_delete() on each.
• BaseDAO.hard_delete(items) — calls db.session.delete(item) on each (the original BaseDAO.delete behaviour, renamed and preserved).
• BaseDAO.delete(items) — routes to soft for SoftDeleteMixin-inheriting models, hard otherwise. Backwards-compatible: until any model inherits the mixin, delete() continues to call hard_delete() exactly as before.
• find_by_id, find_by_uuid, find_by_ids, _find_by_column gain a skip_visibility_filter: bool = False keyword-only parameter. Internally translates the boolean to execution_options(SKIP_VISIBILITY_FILTER_CLASSES={cls.model_cls}) — caller-facing API stays ergonomic; per-class scoping happens internally.
• DatabaseDAO.find_by_id is updated for signature compatibility.

Restore abstractions (superset/commands/restore.py, superset/views/filters.py, superset/commands/importers/v1/utils.py, superset/constants.py)

• BaseRestoreCommand[T] — T bound to SoftDeleteMixin. Subclasses are purely declarative (four ClassVars, no methods): dao, not_found_exc, forbidden_exc, restore_failed_exc. The base run() owns the transaction wrapper, building @transaction(on_error=partial(on_error, reraise=self.restore_failed_exc)) at call time. Subclasses can't accidentally drop or mis-wire the transaction (earlier iterations required subclasses to override run() purely to add the decorator — fragile contract, now eliminated). validate() calls dao.find_by_id(uuid, id_column="uuid", skip_visibility_filter=True) — the entity's RBAC base_filter stays in effect, matching delete's lookup semantics; only the visibility filter is bypassed. Ownership is verified by raise_for_ownership after the lookup.
• BaseDeletedStateFilter — base class for per-entity rison filters (*_deleted_state with values include / only). Adds its self.model to session.info[SKIP_VISIBILITY_FILTER_CLASSES] so the listener stops filtering this entity for the duration of the request. A separate request-scoped flag g._augment_response_with_deleted_at signals that the response should be augmented with a deleted_at field on each row — two concerns, two channels.
• SoftDeleteApiMixin (also in views/filters.py) — REST API mixin that augments list responses with deleted_at when the augmentation flag is set. Mount on concrete REST API classes for soft-deletable entities. Chains via super().pre_get_list(data) so other inheritance-chain behaviour still runs. Keeping the augmentation in a mixin rather than on BaseSupersetModelRestApi keeps the base class focused on its own responsibility.
• find_existing_for_import(model_cls, uuid) — pure lookup helper for v1 importer pipelines. Bypasses the visibility filter and returns the row as-is whether it's live or soft-deleted (or None).
• clear_soft_deleted_for_import(existing) — explicit destructive cleanup. Hard-deletes a soft-deleted row via db.session.delete() (so ORM after_delete listeners fire and clean up tagged_object rows + dataset permission-view rows that the database cannot cascade). Entity importers (charts/dashboards/datasets) call this after the overwrite/permission check passes, so the destructive op is gated by the same ownership check as the live-overwrite path.
• MODEL_API_RW_METHOD_PERMISSION_MAP["restore"] = "write" — so future per-entity /restore endpoints inherit can_write (the same permission as delete). No new permission, no role migration.

Design decisions documented in code

• No feature flag — soft-delete is always-on once a model inherits the mixin. Per SIP-208 discussion and the sc-103157 thread, a global flag risks confusing partial states.
• No cascade in V1 — each entity is soft-deleted independently; cascade is out of scope and tracked separately.
• Permission model mirrors delete exactly — endpoint-level can_write, resource-level raise_for_ownership. No new permission plumbing.
• datetime.now() (naive) for deleted_at to match AuditMixinNullable.changed_on precedent (PR #33693 reverted UTC on those columns; if/when audit columns move to UTC-aware, soft-delete should follow).
• Compatible with future SQLAlchemy-Continuum adoption for full entity versioning (confirmed compatible with SQLAlchemy 1.4.54).
• Per-class bypass scoping — not a global "skip soft-delete for this request" boolean. SIP-208's roadmap covers more entities (Database, Annotation, SavedQuery, Report, Alert, Tag); a global boolean's leak surface would grow with every new soft-deletable entity. Per-class scoping caps the leak at exactly what the caller asked for.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend-only infrastructure with no runtime behaviour change.

TESTING INSTRUCTIONS

pytest tests/unit_tests/models/test_soft_delete_mixin.py \
       tests/unit_tests/daos/test_base_dao_soft_delete.py \
       tests/unit_tests/commands/test_base_restore_command.py -v

Expected: 26 passed.

The tests use synthetic in-memory models (_SoftDeletable, _SoftDeletableTwo, _SoftDeletableParent, _SoftDeletableChild) that inherit SoftDeleteMixin directly, exercising the listener, mixin methods, BaseDAO routing, BaseRestoreCommand.validate, the transactional wrapper, and the context manager — all without any real Superset entity. Real entities acquire the mixin in the entity-rollout PRs above.

Key tests worth pointing at:

• test_session_bypass_survives_query_reconstruction reproduces the exact FAB outer/inner shape (inner_query.with_entities(pk).subquery() joined to a fresh session.query(Model)) and proves the session-level bypass survives that reconstruction. This is the test that would have caught the original bug.
• test_per_query_bypass_for_one_class_does_not_unhide_other and test_session_bypass_does_not_leak_across_classes pin per-class scoping using a second synthetic soft-deletable model.
• test_relationship_load_filters_child_independently_of_parent_bypass verifies that with_loader_criteria(..., propagate_to_loaders=True) carries the per-class criteria through to lazy/selectin loads.
• test_get_without_bypass_filters_out_soft_deleted_row and test_per_query_bypass_via_get_finds_soft_deleted_row pin Query.get() behaviour (using session.expunge_all() to force a SQL round trip through the listener, not just an identity-map hit) — the path raise_for_ownership depends on.
• test_run_translates_sqlalchemy_errors_via_restore_failed_exc pins the base class's transactional wrapper: a SQLAlchemyError raised inside the unit of work is translated to the subclass's restore_failed_exc.
• test_listener_does_not_affect_non_soft_deletable_queries pins that the per-class iteration doesn't break queries against classes that don't inherit SoftDeleteMixin.

Optional sanity check that nothing broke in master behaviour (since BaseDAO.delete is now routed):

pytest tests/unit_tests/daos/ tests/unit_tests/models/ -q

Expected: all green.

ADDITIONAL INFORMATION

• Has associated issue: sc-106188, SIP-208 #39464
• Required feature flags:
• Changes UI
• Includes DB Migration — (no, migrations land in the entity-rollout PRs)
• Introduces new feature or API — (adds BaseDAO methods, BaseRestoreCommand, BaseDeletedStateFilter, SoftDeleteApiMixin, find_existing_for_import, clear_soft_deleted_for_import, skip_visibility_filter context manager, and restore → "write" mapping; no user-facing API surface yet)
• Removes existing feature or API

Reviewer notes

A reviewer may reasonably ask: "why ship abstractions with no callers in master?":

1. The callers exist — the three entity-rollout PRs (sc-106189 / sc-106190 / sc-106191) are queued behind this one and each consumes the abstractions. The original mono-PR (feat(soft-delete): add soft delete for charts, dashboards, and datasets #39286) demonstrated all three callers in a single diff; the decomposition just spreads them across reviewable PRs while keeping the abstraction as a single, focused unit.
2. The unit tests prove the contract. Synthetic _SoftDeletable models exercise the mixin, listener, BaseDAO routing, and BaseRestoreCommand. The tests would fail if the abstractions were broken.
3. The branch has been reviewed extensively — /sqlalchemy-review (cache-stability + hot-path allocation tidyings), /clean-code-review (Extract Method on the listener gate, filter opt-in, and pre_get_list policy/mechanism split), /tidy-first-review, /ultrareview (clean), plus multiple iterations of richardfogaca review (find/clear split, base_filter honored on restore, transaction-wrapper moved into base class, FAB outer/inner bug surfaced and fixed via session-scoped bypass).

[netlify]

✅ Deploy Preview for superset-docs-preview ready!

Name	Link
🔨 Latest commit	08a3cb6
🔍 Latest deploy log	https://app.netlify.com/projects/superset-docs-preview/deploys/6a148ada0dc1e700089c92d9
😎 Deploy Preview	https://deploy-preview-39977--superset-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 44.10256% with 109 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.05%. Comparing base (e68251f) to head (125f202).

Files with missing lines	Patch %	Lines
superset/views/filters.py	39.39%	40 Missing ⚠️
superset/commands/restore.py	0.00%	32 Missing ⚠️
superset/models/helpers.py	63.15%	20 Missing and 1 partial ⚠️
superset/daos/base.py	50.00%	6 Missing and 4 partials ⚠️
superset/commands/importers/v1/utils.py	50.00%	3 Missing ⚠️
superset/daos/database.py	33.33%	1 Missing and 1 partial ⚠️
superset/initialization/__init__.py	85.71%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #39977      +/-   ##
==========================================
- Coverage   64.07%   64.05%   -0.03%     
==========================================
  Files        2592     2593       +1     
  Lines      139548   139733     +185     
  Branches    32421    32442      +21     
==========================================
+ Hits        89422    89499      +77     
- Misses      48589    48690     +101     
- Partials     1537     1544       +7     

Flag	Coverage Δ
hive	39.09% <38.46%> (-0.01%)	⬇️
mysql	58.47% <44.10%> (-0.05%)	⬇️
postgres	58.55% <44.10%> (-0.05%)	⬇️
presto	40.76% <38.46%> (-0.01%)	⬇️
python	60.09% <44.10%> (-0.06%)	⬇️
sqlite	58.19% <44.10%> (-0.05%)	⬇️
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bito-code-review]

The explanation accurately describes the code in superset/commands/importers/v1/utils.py, where the per-query execution_options(**{SKIP_VISIBILITY_FILTER: True}) bypasses the visibility filter only for the UUID lookup in find_existing_for_import, allowing access to soft-deleted rows while keeping other entity queries filtered.

[mikebridge]

@mistercrunch @michael-s-molina @betodealmeida @eschutho @sadpandajoe @kgabryje: I lack the ability to add you as reviewers, so I'm tagging you instead.

[bito-code-review]

Code Review Agent Run #096e88

Actionable Suggestions - 1

• superset/models/helpers.py - 1

  • datetime.now() called without timezone · Line 695-700

Additional Suggestions - 1

• superset/models/helpers.py - 1

  • Missing Return Type Hint · Line 707-707
    The repository rule [7819] requires explicit return type hints for all functions and methods, including when they return nothing. The new _add_soft_delete_filter function lacks a return type hint, violating this policy.
    Code suggestion

     @@ -707,1 +707,1 @@
    -def _add_soft_delete_filter(execute_state):  # type: ignore
    +def _add_soft_delete_filter(execute_state) -> None:  # type: ignore

Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

• superset/daos/database.py - 1

  • Missing skip_visibility_filter implementation · Line 72-72

Review Details

• Files reviewed - 11 · Commit Range: d54e7cc..d54e7cc

  • superset/commands/importers/v1/utils.py
  • superset/commands/restore.py
  • superset/constants.py
  • superset/daos/base.py
  • superset/daos/database.py
  • superset/initialization/__init__.py
  • superset/models/helpers.py
  • superset/views/base_api.py
  • superset/views/filters.py
  • tests/unit_tests/daos/test_base_dao_soft_delete.py
  • tests/unit_tests/models/test_soft_delete_mixin.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Code Review Agent Run #915a41

Actionable Suggestions - 0

Review Details

• Files reviewed - 1 · Commit Range: d54e7cc..9c83215

  • superset/models/helpers.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[richardfogaca]

Posting on Richard's behalf — this is his PR reviewer agent. Forward any pushback to him and he'll loop me back in.

Left a few notes below — the main things worth checking before merge are around the visibility opt-out boundaries and the restore lookup path. All line numbers verified against HEAD 9c83215.

Functional — worth checking before merge

• superset/views/filters.py:164

  BaseDeletedStateFilter opts out by setting g.skip_visibility_filter, and the global listener reads that flag for every ORM SELECT later in the same request. Once more than one entity adopts SoftDeleteMixin, a list request that asks for deleted dashboards/charts/datasets could also make incidental relationship loads, serializer lookups, or helper queries expose soft-deleted rows for other models in the rest of that request.

  WDYT — could this use the query-scoped execution option for the primary list query, and keep any response-annotation state separate from the visibility bypass?

• superset/commands/restore.py:79

  BaseRestoreCommand.validate() correctly finds the soft-deleted row with skip_visibility_filter=True, but raise_for_ownership() re-loads the same model through self.session.query(resource.__class__).get(resource.id) without that opt-out. The global listener will hide the soft-deleted row there, so non-admin owners can be denied restore even when they own the row; admins bypass this path, so it may be easy to miss without owner-level restore coverage.

  WDYT — would it be worth making the ownership check soft-delete-aware for this command, or adding a restore-specific ownership helper/test so owners can restore their own deleted resources?

• superset/daos/database.py:82

  DatabaseDAO.find_by_id() now accepts skip_visibility_filter, but this override builds the query without applying the execution option. Any restore/admin path that routes through the override will still be filtered even though it passed skip_visibility_filter=True.

  Small suggestion: could we mirror BaseDAO.find_by_id() here and apply query.execution_options(**{SKIP_VISIBILITY_FILTER: True}) when the flag is set?

Compatibility / follow-up

• superset/daos/base.py:299

  Adding skip_visibility_filter before the existing id_column and query_options parameters changes the meaning of positional third/fourth arguments to a public DAO helper. I did not find an in-tree positional caller in the changed checkout, but Superset extensions and downstream code may still call this positionally.

  Totally optional if the team treats this helper as keyword-only in practice, but could we append the new flag after existing parameters or make it keyword-only to preserve the current positional ABI?

Praise

• superset/models/helpers.py:739

  The core listener uses SQLAlchemy's do_orm_execute plus with_loader_criteria pattern and already has a narrow per-query escape hatch, which seems like the right primitive for restore/import/admin flows once the broader request-level bypass is tightened.

[mikebridge]

@richardfogaca thanks for the careful review — all four addressed in c499e318fe (or in earlier 44e1d1710b for one of them). Per-item:

views/filters.py:164 — broad bypass scope — agreed, fixed. BaseDeletedStateFilter now applies the bypass per-query via .execution_options(skip_visibility_filter=True) on the primary list query only, and signals the response-augmentation step via a separate request-scoped flag (g._augment_response_with_deleted_at). The two concerns are decoupled. Soft-deleted rows of unrelated entities no longer leak through incidental relationship loads / serializer queries.

commands/restore.py:79 — ownership re-query filtered out — already fixed in 44e1d1710b (independently flagged by codeant-ai-for-open-source on Sunday). BaseRestoreCommand.validate() now sets g.skip_visibility_filter = True for the scope of raise_for_ownership only, restoring the previous value in a finally block. New unit tests in tests/unit_tests/commands/test_restore.py cover the contract (flag set during check, restored after, restored even on the exception path).

daos/database.py:82 — flag accepted but ignored — agreed, fixed. The override now applies execution_options(skip_visibility_filter=True) to its query when the flag is passed, matching BaseDAO.find_by_id.

daos/base.py:299 — positional ABI — agreed, fixed. skip_visibility_filter moved to the end and made keyword-only across find_by_id, find_by_ids, find_by_id_or_uuid, _find_by_column, and the DatabaseDAO.find_by_id override. Existing in-tree callers all already use keyword form, so no churn there.

Listener docstring updated to reflect the narrower documented use case for the per-request flag: it's now reserved for cases like wrapping raise_for_ownership where we don't directly control the internal queries. The list-endpoint use case has moved to the per-query option.

The "Praise" item also stays accurate — the do_orm_execute + with_loader_criteria pattern is unchanged, just with the documented loader-path guards added (also in 44e1d1710b, per the matching codeant comment).

[mikebridge]

After some discussion with AI about the maintainability of the official side-effecting pattern, I'd like to create a follow-up PR after this one to wrap the per-request bypass in a context manager.

The issue here is that it's easy for a dev to forget to reset the flag in try/catch:

• Forgetting the try/finally and leaving the flag set for the rest of the request
• Cleaning up with setattr(g, SKIP_VISIBILITY_FILTER, False) instead of restoring the captured previous value, which breaks composition when a caller is already inside a bypass

Both cases can be eliminated by a small context manager next to the SKIP_VISIBILITY_FILTER constant (via claude):

@contextmanager                                   
def skip_visibility_filter() -> Iterator[None]:
      """Opt the current request out of the soft-delete listener for the
      duration of the block. Restores the previous value on exit,                                                                                                                                     
      including the exception path. Use only when the bypass must                                                                                                                                     
      propagate through a function whose internal queries are not under                                                                                                                               
      your control; for queries you build directly, prefer the per-query                                                                                                                              
      ``execution_options(skip_visibility_filter=True)``.
      """                                                                                                                                                                                             
      previous = getattr(g, SKIP_VISIBILITY_FILTER, False)
      setattr(g, SKIP_VISIBILITY_FILTER, True)                                                                                                                                                        
      try:                                                                                                                                                                                            
          yield                                
      finally:                                                                                                                                                                                        
          setattr(g, SKIP_VISIBILITY_FILTER, previous)

Call site in BaseRestoreCommand.validate becomes:

with skip_visibility_filter():                    
      try:                                     
          security_manager.raise_for_ownership(model)
      except SupersetSecurityException as ex:                                                                                                                                                         
          raise self.forbidden_exc() from ex

I also think there should be a primer document somewhere on how the two bypasses work and why they are there, because it is not obvious.

[richardfogaca]

Posting on Richard's behalf — this is his PR reviewer agent. Forward any pushback to him and he'll loop me back in.

Left a few notes below — the import hard-delete cleanup path and the deleted-state visibility contract look like the main things to tighten before the entity rollout PRs depend on this infrastructure. All line numbers verified against HEAD c499e318.

Functional — worth addressing before entity rollout

• superset/commands/importers/v1/utils.py:430

  The replacement path for a soft-deleted import match uses a Core table DELETE, which bypasses the ORM after_delete listeners that currently own cleanup for the rollout entities. That matters because tags are cleaned up by ObjectUpdater.after_delete (superset/tags/core.py:38, :42, :46; superset/tags/models.py:278-289), and the physical tagged_object.object_id migration is just an integer (superset/migrations/versions/2018-07-26_11-10_c82ee8a39623_add_implicit_tags.py:84-89), so DB cascades will not remove those rows. Datasets also route permission cleanup through SqlaTable.after_delete (superset/connectors/sqla/models.py:2115-2123).

  WDYT — could this use an existing hard-delete path that still fires the relevant cleanup, or explicitly run the tag/permission cleanup before the direct delete?

• superset/views/filters.py:162

  BaseDeletedStateFilter opts the whole ORM statement out of the soft-delete listener with a boolean skip_visibility_filter; the only branch does the same at superset/views/filters.py:165. The listener then skips criteria for every SoftDeleteMixin subclass in that statement (superset/models/helpers.py:733-759), not just self.model, so a future list query that joins multiple soft-deletable entities could surface unrelated deleted rows while only asking for deleted state on one entity.

  Would it be worth making the bypass model-scoped, or adding an explicit non-deleted predicate back for other soft-deletable models participating in the query?

• superset/views/filters.py:160

  The deleted-state filter turns on include / only visibility without an authorization hook. Once a concrete list endpoint wires this in, a caller with normal list/read access can discover soft-deleted rows, while the future restore API is mapped to write permission.

  WDYT — should the base filter expose a hook/contract so concrete subclasses can require restore/write/admin capability before showing deleted rows?

Other suggestion

• superset/views/base_api.py:380

  _get_deleted_at_map lives on the generic base API but assumes every future soft-deletable API uses id as its primary key. That is true for the planned chart/dashboard/dataset rollout, but it makes the shared helper easier to misuse later.

  Small suggestion: could this use self.datamodel.get_pk() / get_pk_name() and preserve the existing key type instead?

Praise

• superset/commands/restore.py:87

  The restore command scopes the temporary request-level visibility bypass with try/finally and restores the previous flag value. That is a good guardrail for a subtle global-listener interaction.

[mikebridge]

@richardfogaca thanks for the second pass — addressed in 543dff20c9 for items 1 and 4; replying inline for items 2 and 3.

Item 1 (importers cleanup) — fixed. You're right that the raw Core DELETE was trading correctness for perf. find_existing_for_import now uses db.session.delete() so ObjectUpdater.after_delete and SqlaTable.after_delete fire and clean up tagged_object rows + dataset permission rows. The original rationale was avoiding cascade-load on large relationship graphs, but an import operation isn't a steady-state hot path; the trade tilts toward correctness. Updated the function docstring and the bypass-primer doc to reflect the change.

Item 4 (hardcoded id PK) — fixed. _get_deleted_at_map now resolves the PK via self.datamodel.get_pk_name() and the signature is list[Any] to match the broader PK contract. Same behaviour for the chart/dashboard/dataset rollout (all int PKs); future soft-deletable entities with a different PK will work without changes here.

Item 2 (per-query bypass scope) — accepted YAGNI, comment added in follow-up. You're the third reviewer to raise this from a slightly different angle (codeant flagged the listener guards, I raised it during initial design, you raised it for the request-scoped flag, and now for the per-query option). The mechanism in all cases is the same: with_loader_criteria(SoftDeleteMixin, ...) applies polymorphically to every subclass, so any bypass affects all subclasses in the same query.

In the current code path, the bypass is set by BaseDeletedStateFilter on the primary list query, which targets one concrete entity. The list queries for chart/dashboard/dataset don't currently join across other soft-deletable entities in the same statement, so the over-broad bypass is theoretical rather than actual.

Per-entity scoping is a real future-proofing option (e.g., execution_options(skip_visibility_filter_for=[Slice])) but it materially expands the listener and the bypass API surface. I'd prefer to defer it until a use case actually surfaces. Happy to add a code comment in BaseDeletedStateFilter.apply flagging the contract:

# The execution-option bypass is per-statement but not per-class — it
# skips the soft-delete listener for every SoftDeleteMixin subclass in
# the statement, not just self.model. Today the list endpoints don't
# join across soft-deletable entities, so this is moot in practice.
# If a future list query starts joining (e.g., a dashboard list that
# eagerly loads charts in the same statement), revisit per-entity
# scoping rather than continuing to use the broad bypass here.

WDYT — comment in code as a forward-looking warning, or do you think the per-entity scoping is worth doing now?

Item 3 (visibility auth gap) — SIP-208 question rather than code review. Legitimate concern. The proposal in SIP-208 maps restore to write but leaves visibility on the existing list-read permission. Whether seeing soft-deleted rows should require something stronger is a policy choice the SIP didn't address — I think it belongs back on the SIP-208 issue thread or dev@ rather than getting decided in this PR. If you'd like to take the discussion there, happy to be the lightning rod for the dev@ post.

Praise on the try/finally — noted, thank you. That ordering took a couple of iterations to land on.

[richardfogaca]

Posting on Richard's behalf — this is his PR reviewer agent. Forward any pushback to him and he'll loop me back in.

One follow-up from the second pass. Most of the earlier review notes look addressed, but I think there is still one functional gap around relationship loads. Line numbers verified against HEAD 543dff20c9.

• superset/models/helpers.py:751

  Would it be worth re-checking the is_relationship_load guard with the mixin-based with_loader_criteria target? I tested a small SQLAlchemy 1.4.54 repro with Parent -> Child where both classes inherit the soft-delete mixin: direct Child queries were filtered, but parent.children lazy loads returned soft-deleted children when this guard skipped relationship loads. Removing the relationship-load guard made the lazy load filter correctly.

  This seems to weaken the main invariant that soft-deleted rows are hidden from relationship/serializer queries by default, and it also means the deleted-state list filter can still expose unrelated soft-deleted related rows once multiple rollout entities use the mixin.

  WDYT about either applying the criteria on relationship loads too, or adding a regression test that proves lazy/eager relationship loads stay filtered?

[bito-code-review]

Code Review Agent Run #fd97cd

Actionable Suggestions - 0

Review Details

• Files reviewed - 8 · Commit Range: 9c83215..543dff2

  • superset/commands/restore.py
  • superset/models/helpers.py
  • tests/unit_tests/commands/test_restore.py
  • superset/daos/base.py
  • superset/daos/database.py
  • superset/views/base_api.py
  • superset/views/filters.py
  • superset/commands/importers/v1/utils.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[mikebridge]

@richardfogaca I think there's a better solution to the raise_for_ownership issue, which is to always supply the "skip" filter there---there's no logical reason to be omitting soft-deleted items in "check owners". That eliminates a lot of the complexity of this PR

[richardfogaca]

Posting on Richard's behalf - this is his PR reviewer agent. Forward any pushback to him and he'll loop me back in.

Left a few notes below. The main things I would look at before the entity rollout PRs are the import helper's hard-delete timing and whether restore should bypass DAO base filters; the rest is smaller contract/docs cleanup. All line numbers verified against HEAD c6d741a.

Functional - worth tightening before merge

• superset/commands/importers/v1/utils.py:431-433

  find_existing_for_import() hard-deletes and flushes the soft-deleted match during what otherwise reads like a lookup helper. Once the entity import paths start using this, a caller that invokes the helper before completing overwrite / validation decisions would have already permanently removed the old row, including after_delete cleanup side effects.

  WDYT - would it be worth splitting this into a side-effect-free lookup plus an explicit hard_delete_existing_for_import() call that the entity import command can place after its overwrite/permission checks pass?

• superset/commands/restore.py:65-69

  Restore lookup bypasses the DAO base_filter as well as the new soft-delete visibility filter. Existing delete paths load through find_by_ids() without skip_base_filter=True, then run ownership checks, so restore would have a broader initial lookup surface than delete/update even though it only needs to see soft-deleted rows.

  Could we keep skip_visibility_filter=True but leave the normal base filter in place, unless a concrete rollout PR has an entity-specific reason to bypass it?

Other suggestions

• superset/commands/restore.py:60-62

  The base run() mutates the model without a transaction and relies on every concrete restore command remembering to override run() only to add the transaction decorator. That contract is documented, but it is easy for a rollout PR to miss and would silently skip the standard commit/error-wrapping behavior.

  Small suggestion: could the reusable base flow own the transactional wrapper somehow, or could the subclass requirement be made harder to accidentally skip? Happy to keep as-is if the concrete rollout PRs already pin this pattern with tests.

• superset/models/helpers.py:672-674

  Tiny doc mismatch: this now says BaseDAO.delete() is the permanent hard-delete path, but this PR changes BaseDAO.delete() to soft-delete models that inherit SoftDeleteMixin.

  Nit: could this point readers at BaseDAO.hard_delete() for permanent deletion instead?

Praise

• The Query.get() tests using expunge_all() are a nice guard against an identity-map false positive. That makes the listener/bypass behavior much more convincing, especially for the ownership re-query path that restore depends on.

[bito-code-review]

Code Review Agent Run #def5a4

Actionable Suggestions - 0

Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

• superset/security/manager.py - 1

  • Missing test for hard-delete guard · Line 3586-3599

Review Details

• Files reviewed - 8 · Commit Range: 03a16d5..c5832d0

  • superset/daos/base.py
  • superset/initialization/__init__.py
  • superset/models/helpers.py
  • superset/security/manager.py
  • superset/views/filters.py
  • tests/unit_tests/commands/importers/v1/test_find_existing_for_import.py
  • tests/unit_tests/views/test_soft_delete_filter.py
  • tests/unit_tests/models/test_soft_delete_mixin.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Code Review Agent Run #575e5b

Actionable Suggestions - 0

Additional Suggestions - 2

• tests/unit_tests/commands/importers/v1/test_find_existing_for_import.py - 1

  • Unused fixture parameter · Line 71-71
    The `mocker` parameter on line 71 is never referenced in the test body. Either remove it for clarity or implement the intended mock if future mocking was planned.
    Code suggestion

    --- a/tests/unit_tests/commands/importers/v1/test_find_existing_for_import.py
    +++ b/tests/unit_tests/commands/importers/v1/test_find_existing_for_import.py
     @@ -68,7 +68,7 @@ def test_find_returns_live_row_as_is(
      @pytest.mark.usefixtures("_synthetic_table")
     def test_find_returns_live_row_as_is(
    -    app_context: None, session: Session, mocker: object
    +    app_context: None, session: Session
      ) -> None:
          """A live (not soft-deleted) row is returned as the existing row
          so the caller can treat it as an overwrite target."""

• superset/views/filters.py - 1

  • Type inconsistency in filter override · Line 183-183
    The `apply` method parameter `value` is typed as `Any` while the overridden `BaseFilter.apply` and all other filter methods in this file (lines 47, 75, 101, 122) use `Optional[Any]`. This inconsistency prevents consistent static analysis and may cause type-checking tools to report mismatched overrides.

Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

• superset/models/helpers.py - 1

  • Lambda closure captures loop variable · Line 878-878
• superset/commands/restore.py - 1

  • Base class override contract violated · Line 76-76

Review Details

• Files reviewed - 14 · Commit Range: 8a812c1..08a3cb6

  • superset/commands/importers/v1/utils.py
  • superset/commands/restore.py
  • superset/constants.py
  • superset/daos/base.py
  • superset/daos/database.py
  • superset/initialization/__init__.py
  • superset/models/helpers.py
  • superset/security/manager.py
  • superset/views/filters.py
  • tests/unit_tests/commands/importers/v1/test_find_existing_for_import.py
  • tests/unit_tests/commands/test_base_restore_command.py
  • tests/unit_tests/daos/test_base_dao_soft_delete.py
  • tests/unit_tests/models/test_soft_delete_mixin.py
  • tests/unit_tests/views/test_soft_delete_filter.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[betodealmeida]

This is awesome!

[betodealmeida]

Nit, by convention docstrings should have a 1-line short description. Because it's a convention a lot of tooling will rely on it, and in this case IDEs and other tools would show only "Look up an existing row by UUID for an import operation," as the documentation for the function.

[bito-code-review]

Code Review Agent Run #98adfd

Actionable Suggestions - 0

Additional Suggestions - 2

• superset/security/manager.py - 1

  • Time-sensitive comment needs removal · Line 3557-3557
    The docstring at line 3557 states "(none today; `.owners` is a User)" — a time-sensitive comment that creates a maintenance obligation. Per BITO.md rule [10906], documentation should describe only actively implemented features without predictions about future states.
    Code suggestion

    --- a/superset/security/manager.py
    +++ b/superset/security/manager.py
     @@ -3554,7 +3554,6 @@ class SupersetSecurityManager(
     
              The bypass is scoped to ``resource.__class__`` only —
              any soft-deletable relationships read from ``orig_resource``
    -        (none today; ``.owners`` is a User) remain filtered.
     
              :param resource: The dashboard, dataset, chart, etc. resource

• tests/unit_tests/commands/importers/v1/test_find_existing_for_import.py - 1

  • Dead code: unused mocker param · Line 71-71
    The `mocker` parameter is declared in the function signature but never used within the test body. Remove it to eliminate dead code and prevent confusion about its intended purpose.
    Code suggestion

    --- a/tests/unit_tests/commands/importers/v1/test_find_existing_for_import.py
    +++ b/tests/unit_tests/commands/importers/v1/test_find_existing_for_import.py
     @@ -68,7 +68,7 @@ def test_find_returns_none_when_no_match(app_context: None, session: Session) -
     
      @pytest.mark.usefixtures("_synthetic_table")
     def test_find_returns_live_row_as_is(
    -    app_context: None, session: Session, mocker: object
    +    app_context: None, session: Session
      ) -> None:
          """A live (not soft-deleted) row is returned as the existing row
          so the caller can treat it as an overwrite target."""

Review Details

• Files reviewed - 14 · Commit Range: ca51364..125f202

  • superset/commands/importers/v1/utils.py
  • superset/commands/restore.py
  • superset/constants.py
  • superset/daos/base.py
  • superset/daos/database.py
  • superset/initialization/__init__.py
  • superset/models/helpers.py
  • superset/security/manager.py
  • superset/views/filters.py
  • tests/unit_tests/commands/importers/v1/test_find_existing_for_import.py
  • tests/unit_tests/commands/test_base_restore_command.py
  • tests/unit_tests/daos/test_base_dao_soft_delete.py
  • tests/unit_tests/models/test_soft_delete_mixin.py
  • tests/unit_tests/views/test_soft_delete_filter.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by