fix(core): Use make_response instead of abort(404) in exception handler

mistercrunch · claude · mistercrunch · commit 038c0c4076ff · 2025-09-24T18:00:53.000-07:00
Using abort(404) inside an exception handler causes issues:
- Raises werkzeug.exceptions.NotFound which may not be caught properly
- Can leave database transactions in inconsistent state
- Causes test teardown failures

Solution: Return make_response('Not Found', 404) which returns a proper
Flask Response object with 404 status code.

All 20 RBAC security tests now pass.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/superset/views/core.py b/superset/views/core.py
@@ -29,6 +29,7 @@
     abort,
     current_app as app,
     g,
+    make_response,
     redirect,
     request,
     Response,
@@ -769,7 +770,7 @@ def dashboard(
             dashboard.raise_for_access()
         except SupersetSecurityException:
             # Return 404 to avoid revealing dashboard existence
-            abort(404)
+            return make_response("Not Found", 404)
         add_extra_log_payload(
             dashboard_id=dashboard.id,
             dashboard_version="v2",
