Remove unreadable cards and series from dashcards

06e38478 · Cam Saül · 329af5c5 · 06e38478 · 06e38478
Unverified Commit 06e38478 authored 8 years ago by Cam Saül
--- a/src/metabase/api/dashboard.clj
+++ b/src/metabase/api/dashboard.clj
@@ -38,11 +38,22 @@
  (dashboard/create-dashboard! dashboard *current-user-id*))


+(defn- hide-unreadable-cards
+  "Remove the `:card` and `:series` entries from dashcards that they user isn't allowed to read."
+  [dashboard]
+  (update dashboard :ordered_cards (fn [dashcards]
+                                     (vec (for [dashcard dashcards]
+                                            (if (models/can-read? dashcard)
+                                              dashcard
+                                              (dissoc dashcard :card :series)))))))
+
 (defendpoint GET "/:id"
  "Get `Dashboard` with ID."
  [id]
-  (u/prog1 (read-check (-> (Dashboard id)
-                           (hydrate :creator [:ordered_cards [:card :creator] :series])))
+  (u/prog1 (-> (Dashboard id)
+               (hydrate :creator [:ordered_cards [:card :creator] :series])
+               read-check
+               hide-unreadable-cards)
    (events/publish-event :dashboard-read (assoc <> :actor_id *current-user-id*))))



--- a/src/metabase/models/dashboard_card.clj
+++ b/src/metabase/models/dashboard_card.clj
@@ -3,13 +3,26 @@
            (metabase [db :as db]
                      [events :as events])
            (metabase.models  [card :refer [Card]]
-                              [hydrate :refer :all]
                              [dashboard-card-series :refer [DashboardCardSeries]]
+                              [hydrate :refer :all]
                              [interface :as i])
            [metabase.util :as u]))

 (i/defentity DashboardCard :report_dashboardcard)

+(declare series)
+
+(defn- perms-objects-set
+  "Return the set of permissions required to READ-OR-WRITE this `DashboardCard`.
+  If `:card` and `:series` are already hydrated this method doesn't need to make any DB calls."
+  [dashcard read-or-write]
+  (let [card   (or (:card dashcard)
+                   (db/select-one [Card :dataset_query] :id (u/get-id (:card_id dashcard))))
+        series (or (:series dashcard)
+                   (series dashcard))]
+    (apply set/union (i/perms-objects-set card read-or-write) (for [series-card series]
+                                                                (i/perms-objects-set series-card read-or-write)))))
+
 (defn- pre-insert [dashcard]
  (let [defaults {:sizeX              2
                  :sizeY              2
@@ -24,6 +37,9 @@
  (merge i/IEntityDefaults
         {:timestamped?       (constantly true)
          :types              (constantly {:parameter_mappings :json})
+          :perms-objects-set  perms-objects-set
+          :can-read?          (partial i/current-user-has-full-permissions? :read)
+          :can-write?         (partial i/current-user-has-full-permissions? :write)
          :pre-insert         pre-insert
          :pre-cascade-delete pre-cascade-delete
          :post-select        (u/rpartial set/rename-keys {:sizex :sizeX, :sizey :sizeY})}))