From fa97954aab063858c868edb20a8761a6b0519157 Mon Sep 17 00:00:00 2001
From: Akshat Sinha
Date: Sat, 1 Nov 2025 00:04:39 +0530
Subject: [PATCH] fix(mcp): avoid mutating global SENSITIVE_FIELDS in field permissions
Build sensitive_fields from copies to prevent bleed-through across requests/tests
---
 superset/mcp_service/utils/permissions_utils.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/superset/mcp_service/utils/permissions_utils.py b/superset/mcp_service/utils/permissions_utils.py
index a3864206532e..ce3037db0f4e 100644
--- a/superset/mcp_service/utils/permissions_utils.py
+++ b/superset/mcp_service/utils/permissions_utils.py
@@ -142,9 +142,9 @@ def get_allowed_fields(
 if not user:
 user = get_current_user()
- # Get sensitive fields for this object type
- sensitive_fields = SENSITIVE_FIELDS.get(object_type, set())
- sensitive_fields.update(SENSITIVE_FIELDS.get("common", set()))
+ base=SENSITIVE_FIELDS.get(object_type, set())
+ common=SENSITIVE_FIELDS.get("common", set())
+ sensitive_fields= set(base)|set(common)
 # If no user, only allow non-sensitive fields
 if not user:
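Review bot: The three added lines in get_allowed_fields drop the comment that explained this step and are written without the usual spacing (`base=`, `common=`, `sensitive_fields= set(base)|set(common)`), so the reason for the copy is no longer visible in a function that decides which fields a user may see. I would restore a comment such as `# Union into a fresh set so the module-level SENSITIVE_FIELDS is never mutated` and write the last line as `sensitive_fields = set(base) | set(common)`, with `base = ...` and `common = ...` spaced the same way. The definition of SENSITIVE_FIELDS is outside this hunk, so this is something to check rather than a finding: if its values are plain `set` objects, declaring them as `frozenset` would make any future in-place `.update()` raise instead of silently changing the shared table. A regression test that calls get_allowed_fields twice and asserts SENSITIVE_FIELDS is unchanged afterwards would pin the fix. The function's signature and the rest of its body lie outside the hunk.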