fix: Address dashboard permission regression in #23586 (#24350)

tests/integration_tests/base_tests.py

@@ -504,6 +504,48 @@ class SupersetTestCase(TestCase):
     def get_dttm(cls):
         return datetime.strptime("2019-01-02 03:04:05.678900", "%Y-%m-%d %H:%M:%S.%f")
 
+    def insert_dashboard(
+        self,
+        dashboard_title: str,
+        slug: Optional[str],
+        owners: list[int],
+        roles: list[int] = [],
+        created_by=None,
+        slices: Optional[list[Slice]] = None,
+        position_json: str = "",
+        css: str = "",
+        json_metadata: str = "",
+        published: bool = False,
+        certified_by: Optional[str] = None,
+        certification_details: Optional[str] = None,
+    ) -> Dashboard:
+        obj_owners = list()
+        obj_roles = list()
+        slices = slices or []
+        for owner in owners:
+            user = db.session.query(security_manager.user_model).get(owner)
+            obj_owners.append(user)
+        for role in roles:
+            role_obj = db.session.query(security_manager.role_model).get(role)
+            obj_roles.append(role_obj)
+        dashboard = Dashboard(
+            dashboard_title=dashboard_title,
+            slug=slug,
+            owners=obj_owners,
+            roles=obj_roles,
+            position_json=position_json,
+            css=css,
+            json_metadata=json_metadata,
+            slices=slices,
+            published=published,
+            created_by=created_by,
+            certified_by=certified_by,
+            certification_details=certification_details,
+        )
+        db.session.add(dashboard)
+        db.session.commit()
+        return dashboard
+
 
 @contextmanager
 def db_insert_temp_object(obj: DeclarativeMeta):

tests/integration_tests/dashboards/api_tests.py

@@ -19,7 +19,6 @@
 import json
 from io import BytesIO
 from time import sleep
-from typing import Optional
 from unittest.mock import ANY, patch
 from zipfile import is_zipfile, ZipFile
 
@@ -77,48 +76,6 @@ class TestDashboardApi(SupersetTestCase, ApiOwnersTestCaseMixin, InsertChartMixi
         "published": False,
     }
 
-    def insert_dashboard(
-        self,
-        dashboard_title: str,
-        slug: Optional[str],
-        owners: list[int],
-        roles: list[int] = [],
-        created_by=None,
-        slices: Optional[list[Slice]] = None,
-        position_json: str = "",
-        css: str = "",
-        json_metadata: str = "",
-        published: bool = False,
-        certified_by: Optional[str] = None,
-        certification_details: Optional[str] = None,
-    ) -> Dashboard:
-        obj_owners = list()
-        obj_roles = list()
-        slices = slices or []
-        for owner in owners:
-            user = db.session.query(security_manager.user_model).get(owner)
-            obj_owners.append(user)
-        for role in roles:
-            role_obj = db.session.query(security_manager.role_model).get(role)
-            obj_roles.append(role_obj)
-        dashboard = Dashboard(
-            dashboard_title=dashboard_title,
-            slug=slug,
-            owners=obj_owners,
-            roles=obj_roles,
-            position_json=position_json,
-            css=css,
-            json_metadata=json_metadata,
-            slices=slices,
-            published=published,
-            created_by=created_by,
-            certified_by=certified_by,
-            certification_details=certification_details,
-        )
-        db.session.add(dashboard)
-        db.session.commit()
-        return dashboard
-
     @pytest.fixture()
     def create_dashboards(self):
         with self.create_app().app_context():
@@ -507,43 +464,6 @@ class TestDashboardApi(SupersetTestCase, ApiOwnersTestCaseMixin, InsertChartMixi
         db.session.delete(dashboard)
         db.session.commit()
 
-    def test_get_draft_dashboard_without_roles_by_uuid(self):
-        """
-        Dashboard API: Test get draft dashboard without roles by uuid
-        """
-        admin = self.get_user("admin")
-        dashboard = self.insert_dashboard("title", "slug1", [admin.id])
-        assert not dashboard.published
-        assert dashboard.roles == []
-
-        self.login(username="gamma")
-        uri = f"api/v1/dashboard/{dashboard.uuid}"
-        rv = self.client.get(uri)
-        assert rv.status_code == 200
-        # rollback changes
-        db.session.delete(dashboard)
-        db.session.commit()
-
-    def test_cannot_get_draft_dashboard_with_roles_by_uuid(self):
-        """
-        Dashboard API: Test get dashboard by uuid
-        """
-        admin = self.get_user("admin")
-        admin_role = self.get_role("Admin")
-        dashboard = self.insert_dashboard(
-            "title", "slug1", [admin.id], roles=[admin_role.id]
-        )
-        assert not dashboard.published
-        assert dashboard.roles == [admin_role]
-
-        self.login(username="gamma")
-        uri = f"api/v1/dashboard/{dashboard.uuid}"
-        rv = self.client.get(uri)
-        assert rv.status_code == 403
-        # rollback changes
-        db.session.delete(dashboard)
-        db.session.commit()
-
     def test_get_dashboards_changed_on(self):
         """
         Dashboard API: Test get dashboards changed on

tests/integration_tests/dashboards/security/security_dataset_tests.py

@@ -22,6 +22,7 @@ import pytest
 from flask import escape
 
 from superset import app
+from superset.dashboards.dao import DashboardDAO
 from superset.models import core as models
 from tests.integration_tests.dashboards.base_case import DashboardTestCase
 from tests.integration_tests.dashboards.consts import *
@@ -223,7 +224,7 @@ class TestDashboardDatasetSecurity(DashboardTestCase):
         """
         admin = self.get_user("admin")
         title = f"title{random_str()}"
-        create_dashboard_to_db(title, "slug1", owners=[admin])
+        dashboard = create_dashboard_to_db(title, "slug1", owners=[admin])
 
         self.login(username="gamma")
         arguments = {
@@ -234,3 +235,4 @@ class TestDashboardDatasetSecurity(DashboardTestCase):
         self.assert200(rv)
         data = json.loads(rv.data.decode("utf-8"))
         self.assertEqual(0, data["count"])
+        DashboardDAO.delete(dashboard)

tests/integration_tests/dashboards/security/security_rbac_tests.py

@@ -395,3 +395,40 @@ class TestDashboardRoleBasedSecurity(BaseTestDashboardSecurity):
         # post
         for dash in published_dashboards + draft_dashboards:
             revoke_access_to_dashboard(dash, "Public")
+
+    def test_get_draft_dashboard_without_roles_by_uuid(self):
+        """
+        Dashboard API: Test get draft dashboard without roles by uuid
+        """
+        admin = self.get_user("admin")
+        dashboard = self.insert_dashboard("title", "slug1", [admin.id])
+        assert not dashboard.published
+        assert dashboard.roles == []
+
+        self.login(username="gamma")
+        uri = f"api/v1/dashboard/{dashboard.uuid}"
+        rv = self.client.get(uri)
+        assert rv.status_code == 200
+        # rollback changes
+        db.session.delete(dashboard)
+        db.session.commit()
+
+    def test_cannot_get_draft_dashboard_with_roles_by_uuid(self):
+        """
+        Dashboard API: Test get dashboard by uuid
+        """
+        admin = self.get_user("admin")
+        admin_role = self.get_role("Admin")
+        dashboard = self.insert_dashboard(
+            "title", "slug1", [admin.id], roles=[admin_role.id]
+        )
+        assert not dashboard.published
+        assert dashboard.roles == [admin_role]
+
+        self.login(username="gamma")
+        uri = f"api/v1/dashboard/{dashboard.uuid}"
+        rv = self.client.get(uri)
+        assert rv.status_code == 403
+        # rollback changes
+        db.session.delete(dashboard)
+        db.session.commit()