Allow access to unpublished dashboards that don't have roles

apache · Nov 22, 2021 · 893595e · 893595e
1 parent 81e1630
commit 893595e
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/superset/security/manager.py b/superset/security/manager.py
@@ -1186,6 +1186,7 @@ def raise_for_dashboard_access(dashboard: "Dashboard") -> None:
             is_user_admin()
             or is_owner(dashboard, g.user)
             or (dashboard.published and has_rbac_access)
+            or (not dashboard.published and not dashboard.roles)
         )
 
         if not can_access:

diff --git a/tests/integration_tests/dashboards/api_tests.py b/tests/integration_tests/dashboards/api_tests.py
@@ -395,7 +395,7 @@ def test_get_dashboard_no_data_access(self):
         self.login(username="gamma")
         uri = f"api/v1/dashboard/{dashboard.id}"
         rv = self.client.get(uri)
-        assert rv.status_code == 403
+        assert rv.status_code == 200
         # rollback changes
         db.session.delete(dashboard)
         db.session.commit()