fix: Address dashboard permission regression in #23586 (#24350)

tests/integration_tests/dashboards/security/security_dataset_tests.py

@@ -22,6 +22,7 @@ import pytest
 from flask import escape
 
 from superset import app
+from superset.dashboards.dao import DashboardDAO
 from superset.models import core as models
 from tests.integration_tests.dashboards.base_case import DashboardTestCase
 from tests.integration_tests.dashboards.consts import *
@@ -223,7 +224,7 @@ class TestDashboardDatasetSecurity(DashboardTestCase):
         """
         admin = self.get_user("admin")
         title = f"title{random_str()}"
-        create_dashboard_to_db(title, "slug1", owners=[admin])
+        dashboard = create_dashboard_to_db(title, "slug1", owners=[admin])
 
         self.login(username="gamma")
         arguments = {
@@ -234,3 +235,4 @@ class TestDashboardDatasetSecurity(DashboardTestCase):
         self.assert200(rv)
         data = json.loads(rv.data.decode("utf-8"))
         self.assertEqual(0, data["count"])
+        DashboardDAO.delete(dashboard)

tests/integration_tests/dashboards/security/security_rbac_tests.py

@@ -395,3 +395,40 @@ class TestDashboardRoleBasedSecurity(BaseTestDashboardSecurity):
         # post
         for dash in published_dashboards + draft_dashboards:
             revoke_access_to_dashboard(dash, "Public")
+
+    def test_get_draft_dashboard_without_roles_by_uuid(self):
+        """
+        Dashboard API: Test get draft dashboard without roles by uuid
+        """
+        admin = self.get_user("admin")
+        dashboard = self.insert_dashboard("title", "slug1", [admin.id])
+        assert not dashboard.published
+        assert dashboard.roles == []
+
+        self.login(username="gamma")
+        uri = f"api/v1/dashboard/{dashboard.uuid}"
+        rv = self.client.get(uri)
+        assert rv.status_code == 200
+        # rollback changes
+        db.session.delete(dashboard)
+        db.session.commit()
+
+    def test_cannot_get_draft_dashboard_with_roles_by_uuid(self):
+        """
+        Dashboard API: Test get dashboard by uuid
+        """
+        admin = self.get_user("admin")
+        admin_role = self.get_role("Admin")
+        dashboard = self.insert_dashboard(
+            "title", "slug1", [admin.id], roles=[admin_role.id]
+        )
+        assert not dashboard.published
+        assert dashboard.roles == [admin_role]
+
+        self.login(username="gamma")
+        uri = f"api/v1/dashboard/{dashboard.uuid}"
+        rv = self.client.get(uri)
+        assert rv.status_code == 403
+        # rollback changes
+        db.session.delete(dashboard)
+        db.session.commit()