fix: Don't let users see dashboards only because it's favorited (#24991)

2026-04-19 08:04:53 +00:00 · 2023-08-17 17:35:37 -07:00
parent 4a59a265fb
commit 258e56285a
3 changed files with 3 additions and 92 deletions
--- a/tests/integration_tests/dashboards/security/security_dataset_tests.py
+++ b/tests/integration_tests/dashboards/security/security_dataset_tests.py
@@ -23,7 +23,6 @@ from flask import escape

 from superset import app
 from superset.daos.dashboard import DashboardDAO
-from superset.models import core as models
 from tests.integration_tests.dashboards.base_case import DashboardTestCase
 from tests.integration_tests.dashboards.consts import *
 from tests.integration_tests.dashboards.dashboard_test_utils import *
@@ -124,48 +123,6 @@ class TestDashboardDatasetSecurity(DashboardTestCase):
        # assert
        self.assertNotIn(dashboard_url, get_dashboards_response)

-    def test_get_dashboards__users_can_view_favorites_dashboards(self):
-        # arrange
-        user = security_manager.find_user("gamma")
-        fav_dash_slug = f"my_favorite_dash_{random_slug()}"
-        regular_dash_slug = f"regular_dash_{random_slug()}"
-
-        favorite_dash = Dashboard()
-        favorite_dash.dashboard_title = "My Favorite Dashboard"
-        favorite_dash.slug = fav_dash_slug
-
-        regular_dash = Dashboard()
-        regular_dash.dashboard_title = "A Plain Ol Dashboard"
-        regular_dash.slug = regular_dash_slug
-
-        db.session.add(favorite_dash)
-        db.session.add(regular_dash)
-        db.session.commit()
-
-        dash = db.session.query(Dashboard).filter_by(slug=fav_dash_slug).first()
-
-        favorites = models.FavStar()
-        favorites.obj_id = dash.id
-        favorites.class_name = "Dashboard"
-        favorites.user_id = user.id
-
-        db.session.add(favorites)
-        db.session.commit()
-
-        self.login(user.username)
-
-        # act
-        get_dashboards_response = self.get_resp(DASHBOARDS_API_URL)
-
-        # cleanup
-        db.session.delete(favorites)
-        db.session.delete(favorite_dash)
-        db.session.delete(regular_dash)
-        db.session.commit()
-
-        # assert
-        self.assertIn(f"/superset/dashboard/{fav_dash_slug}/", get_dashboards_response)
-
    def test_get_dashboards__user_can_not_view_unpublished_dash(self):
        # arrange
        admin_user = security_manager.find_user(ADMIN_USERNAME)