Fixed viewing dashboards as anonymous (#1320)

2016-10-11 18:04:00 +03:00 · 2016-10-11 18:04:00 +03:00 · 1e6e144d24
parent fe66557bbb
commit 1e6e144d24
2 changed files with 21 additions and 2 deletions
--- a/caravel/views.py
+++ b/caravel/views.py
@ -136,6 +136,14 @@ def check_ownership(obj, raise_if_false=True):
    """
    if not obj:
        return False
+
+    security_exception = utils.CaravelSecurityException(
+              "You don't have the rights to alter [{}]".format(obj))
+
+    if g.user.is_anonymous():
+        if raise_if_false:
+            raise security_exception
+        return False
    roles = (r.name for r in get_user_roles())
    if 'Admin' in roles:
        return True
@ -154,8 +162,7 @@ def check_ownership(obj, raise_if_false=True):
            g.user.username in owner_names):
        return True
    if raise_if_false:
-        raise utils.CaravelSecurityException(
-            "You don't have the rights to alter [{}]".format(obj))
+        raise security_exception
    else:
        return False

--- a/tests/core_tests.py
+++ b/tests/core_tests.py
@ -396,6 +396,18 @@ class CoreTests(CaravelTestCase):
        resp = self.get_resp('/dashboardmodelview/list/')
        assert "/caravel/dashboard/world_health/" not in resp

+    def test_dashboard_with_created_by_can_be_accessed_by_public_users(self):
+        self.logout()
+        self.setup_public_access_for_dashboard('birth_names')
+
+        dash = db.session.query(models.Dashboard).filter_by(dashboard_title="Births").first()
+        dash.owners = [appbuilder.sm.find_user('admin')]
+        dash.created_by = appbuilder.sm.find_user('admin')
+        db.session.merge(dash)
+        db.session.commit()
+
+        assert 'Births' in self.get_resp('/caravel/dashboard/births/')
+
    def test_only_owners_can_save(self):
        dash = (
            db.session