fix(api): apply dashboard filter to get dash charts API (#13173)

* fix(api): apply dashboard filter to get dash charts API * lint
2021-02-17 21:42:07 +00:00 · 2021-02-17 21:42:07 +00:00 · 4c544500a7
parent 2d95bfcd99
commit 4c544500a7
2 changed files with 18 additions and 0 deletions
--- a/superset/dashboards/dao.py
+++ b/superset/dashboards/dao.py
@ -18,6 +18,7 @@ import json
 import logging
 from typing import Any, Dict, List, Optional

+from flask_appbuilder.models.sqla.interface import SQLAInterface
 from sqlalchemy.exc import SQLAlchemyError
 from sqlalchemy.orm import contains_eager

@ -46,6 +47,11 @@ class DashboardDAO(BaseDAO):
            .filter(Dashboard.id == dashboard_id)
            .options(contains_eager(Dashboard.slices))
        )
+        # Apply dashboard base filters
+        query = DashboardFilter("id", SQLAInterface(Dashboard, db.session)).apply(
+            query, None
+        )
+
        dashboard = query.one_or_none()
        if not dashboard:
            raise DashboardNotFoundError()
--- a/tests/dashboards/api_tests.py
+++ b/tests/dashboards/api_tests.py
@ -174,6 +174,7 @@ class TestDashboardApi(SupersetTestCase, ApiOwnersTestCaseMixin, InsertChartMixi
        """
        Dashboard API: Test getting charts belonging to a dashboard
        """
+        self.login(username="admin")
        dashboard = self.dashboards[0]
        uri = f"api/v1/dashboard/{dashboard.id}/charts"
        response = self.get_assert_metric(uri, "get_charts")
@ -195,6 +196,17 @@ class TestDashboardApi(SupersetTestCase, ApiOwnersTestCaseMixin, InsertChartMixi
        response = self.get_assert_metric(uri, "get_charts")
        self.assertEqual(response.status_code, 404)

+    @pytest.mark.usefixtures("create_dashboards")
+    def test_get_dashboard_charts_not_allowed(self):
+        """
+        Dashboard API: Test getting charts on a dashboard a user does not have access to
+        """
+        self.login(username="gamma")
+        dashboard = self.dashboards[0]
+        uri = f"api/v1/dashboard/{dashboard.id}/charts"
+        response = self.get_assert_metric(uri, "get_charts")
+        self.assertEqual(response.status_code, 404)
+
    @pytest.mark.usefixtures("create_dashboards")
    def test_get_dashboard_charts_empty(self):
        """