fix: Don't let users see dashboards only because it's favorited (#24991)

2026-04-19 08:04:53 +00:00 · 2023-08-17 17:35:37 -07:00
parent 4a59a265fb
commit 258e56285a
3 changed files with 3 additions and 92 deletions
--- a/tests/integration_tests/dashboard_tests.py
+++ b/tests/integration_tests/dashboard_tests.py
@@ -27,7 +27,6 @@ from sqlalchemy import func
 from tests.integration_tests.test_app import app
 from superset import db, security_manager
 from superset.connectors.sqla.models import SqlaTable
-from superset.models import core as models
 from superset.models.dashboard import Dashboard
 from superset.models.slice import Slice
 from tests.integration_tests.fixtures.birth_names_dashboard import (
@@ -227,44 +226,6 @@ class TestDashboard(SupersetTestCase):
        self.assertIn(f"/superset/dashboard/{my_dash_slug}/", resp)
        self.assertNotIn(f"/superset/dashboard/{not_my_dash_slug}/", resp)

-    def test_users_can_view_favorited_dashboards(self):
-        user = security_manager.find_user("gamma")
-        fav_dash_slug = f"my_favorite_dash_{random()}"
-        regular_dash_slug = f"regular_dash_{random()}"
-
-        favorite_dash = Dashboard()
-        favorite_dash.dashboard_title = "My Favorite Dashboard"
-        favorite_dash.slug = fav_dash_slug
-
-        regular_dash = Dashboard()
-        regular_dash.dashboard_title = "A Plain Ol Dashboard"
-        regular_dash.slug = regular_dash_slug
-
-        db.session.add(favorite_dash)
-        db.session.add(regular_dash)
-        db.session.commit()
-
-        dash = db.session.query(Dashboard).filter_by(slug=fav_dash_slug).first()
-
-        favorites = models.FavStar()
-        favorites.obj_id = dash.id
-        favorites.class_name = "Dashboard"
-        favorites.user_id = user.id
-
-        db.session.add(favorites)
-        db.session.commit()
-
-        self.login(user.username)
-
-        resp = self.get_resp("/api/v1/dashboard/")
-
-        db.session.delete(favorites)
-        db.session.delete(regular_dash)
-        db.session.delete(favorite_dash)
-        db.session.commit()
-
-        self.assertIn(f"/superset/dashboard/{fav_dash_slug}/", resp)
-
    def test_user_can_not_view_unpublished_dash(self):
        admin_user = security_manager.find_user("admin")
        gamma_user = security_manager.find_user("gamma")