Dashboard RBAC Favourite issue #19849

Closed
stevensuting opened this issue Apr 26, 2022 · 2 comments · Fixed by #24991
Labels
#bug Bug report validation:validated A committer has validated / submitted the issue or it was reported by multiple users

Comments

@stevensuting

If a dashboard is assigned to a role and a user under that role makes that dashboard a favourite by clicking on the star, then if the role is removed from the dashboard, the user can still see the dashboard, but will not be able to access the content of the dashboard.

How to reproduce the bug

  1. Create a dashboard (example_dash) and assign a role (example_role) to it via the RBAC option via an ADMIN user
  2. Login with a non admin user who has the example_role
  3. Make the example_dash a favourite dashboard, logout
  4. Log in with the Admin user and remove the example_role from the example_dash.
  5. Login with the non admin user and you will see that example_dash is still visible.

Expected results

Dashboard Board should not be visible if the role has been removed from Dashboard RBAC irrespective of the favourite status.

Environment

(please complete the following information):

  • browser type and version: Chrome
  • superset version: 1.4.2
  • python version: 3,8
  • any feature flags active: RBAC
@stevensuting stevensuting added the #bug Bug report label Apr 26, 2022
@rusackas rusackas added the validation:required A committer should validate the issue label Jun 1, 2023
@rusackas
Member

rusackas commented Jun 1, 2023

This issue and the superset version reported are old enough that I was tempted to close it, but it sounds... worrisome.

@stevensuting @jinghua-qa @sadpandajoe are any of you able to validate this problem still exists?

@pandinug

pandinug commented Jun 1, 2023

Can confirm that this is very much still a thing on 2.1.0.
Easy to reproduce by creating a random role. Next, add the role to a test user, dataset and a dashboard.
Now log in with the test user and see that the dashboard is there. Be happy, star the dashboard. Log out again, or not.
Next, the admin takes away your role, possibly because you are switching to another department.
You log in to Superset again and your dashboard is still there. Not only that, also all the datasets are accessible via the charts on the dashboard.

@rusackas rusackas added validation:validated A committer has validated / submitted the issue or it was reported by multiple users and removed validation:required A committer should validate the issue labels Jul 26, 2023
@yousoph yousoph removed their assignment Jul 26, 2023
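Added example, not part of the original thread and not Superset's code: a small Python model that replays the reproduction steps as a regression check and audits for starred dashboards that no current role assignment backs. All class and function names are hypothetical, the data is constructed, and owner and Admin access are left out of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Dashboard:                     # hypothetical model, not Superset's ORM
    name: str
    roles: set = field(default_factory=set)       # roles granted via dashboard RBAC

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    favourites: set = field(default_factory=set)  # names of starred dashboards

def visible_reported(user, dashboards):
    """Listing as described in the issue: a star keeps the dashboard visible."""
    return sorted(d.name for d in dashboards
                  if d.roles & user.roles or d.name in user.favourites)

def visible_expected(user, dashboards):
    """Expected result: only a current role match makes a dashboard visible."""
    return sorted(d.name for d in dashboards if d.roles & user.roles)

def stale_favourites(users, dashboards):
    """Audit: (user, dashboard) stars that no current role assignment backs."""
    by_name = {d.name: d for d in dashboards}
    return sorted((u.name, f) for u in users for f in u.favourites
                  if f not in by_name or not (by_name[f].roles & u.roles))

def reproduce(revoke_from):
    """Replay the report on constructed data; revoke_from is 'dashboard'
    (original report) or 'user' (the variant in the 2.1.0 confirmation)."""
    dash = Dashboard("example_dash", {"example_role"})   # step 1
    user = User("non_admin", {"example_role"})           # step 2
    user.favourites.add(dash.name)                       # step 3
    target = dash if revoke_from == "dashboard" else user
    target.roles.discard("example_role")                 # step 4
    return (visible_reported(user, [dash]),              # step 5
            visible_expected(user, [dash]),
            stale_favourites([user], [dash]))

if __name__ == "__main__":
    for case in ("dashboard", "user"):
        print(case, reproduce(case))
```

A non-empty result from `stale_favourites` after a role change marks the user and dashboard pairs to re-test for visibility.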