fix(embedded): adding logic to check dataset used by filters (#24808)

2026-04-19 08:04:53 +00:00 · 2023-07-31 18:10:57 -03:00
parent 14a27b1ba3
commit 7f9b0380e0
2 changed files with 69 additions and 2 deletions
--- a/tests/integration_tests/security/guest_token_security_tests.py
+++ b/tests/integration_tests/security/guest_token_security_tests.py
@@ -15,18 +15,21 @@
 # specific language governing permissions and limitations
 # under the License.
 """Unit tests for Superset"""
+import json
 from unittest import mock

 import pytest
 from flask import g

 from superset import db, security_manager
+from superset.connectors.sqla.models import SqlaTable
 from superset.daos.dashboard import EmbeddedDashboardDAO
 from superset.dashboards.commands.exceptions import DashboardAccessDeniedError
 from superset.exceptions import SupersetSecurityException
 from superset.models.dashboard import Dashboard
 from superset.security.guest_token import GuestTokenResourceType
 from superset.sql_parse import Table
+from superset.utils.database import get_example_database
 from tests.integration_tests.base_tests import SupersetTestCase
 from tests.integration_tests.fixtures.birth_names_dashboard import (
    load_birth_names_dashboard_with_slices,
@@ -233,3 +236,46 @@ class TestGuestUserDashboardAccess(SupersetTestCase):

        db.session.delete(dash)
        db.session.commit()
+
+    def test_can_access_datasource_used_in_dashboard_filter(self):
+        """
+        Test that a user can access a datasource used only by a filter in a dashboard
+        they have access to.
+        """
+        # Create a test dataset
+        test_dataset = SqlaTable(
+            database_id=get_example_database().id,
+            schema="main",
+            table_name="test_table_embedded_filter",
+        )
+        db.session.add(test_dataset)
+        db.session.commit()
+
+        # Create an embedabble dashboard with a filter powered by the test dataset
+        test_dashboard = Dashboard()
+        test_dashboard.dashboard_title = "Test Embedded Dashboard"
+        test_dashboard.json_metadata = json.dumps(
+            {
+                "native_filter_configuration": [
+                    {"targets": [{"datasetId": test_dataset.id}]}
+                ]
+            }
+        )
+        test_dashboard.owners = []
+        test_dashboard.slices = []
+        test_dashboard.published = False
+        db.session.add(test_dashboard)
+        db.session.commit()
+        self.embedded = EmbeddedDashboardDAO.upsert(test_dashboard, [])
+
+        # grant access to the dashboad
+        g.user = self.authorized_guest
+        g.user.resources = [{"type": "dashboard", "id": str(self.embedded.uuid)}]
+        g.user.roles = [security_manager.get_public_role()]
+
+        # The user should have access to the datasource via the dashboard
+        security_manager.raise_for_access(datasource=test_dataset)
+
+        db.session.delete(test_dashboard)
+        db.session.delete(test_dataset)
+        db.session.commit()