Frontend support for unauthorized/empty dashcard cards + change backend to...

Frontend support for unauthorized/empty dashcard cards + change backend to return { id: card_id } for unauthorized cards.

Frontend support for unauthorized/empty dashcard cards + change backend to...
85e6316a · Tom Robinson · 06e38478 · 85e6316a · 85e6316a
Commit 85e6316a authored 8 years ago by Tom Robinson
--- a/frontend/src/metabase/dashboard/dashboard.js
+++ b/frontend/src/metabase/dashboard/dashboard.js
@@ -137,6 +137,16 @@ export const fetchCardData = createThunkAction(FETCH_CARD_DATA, function(card, d
            dispatch(clearCardData(card.id, dashcard.id));
        }

+        // If the dataset_query was filtered then we don't have permisison to view this card, so
+        // shortcircuit and return a fake 403
+        if (!card.dataset_query) {
+            return {
+                dashcard_id: dashcard.id,
+                card_id: card.id,
+                result: { error: { status: 403 }}
+            };
+        }
+
        let result = null;

        // if we have a parameter, apply it to the card query before we execute
@@ -196,7 +206,8 @@ export const fetchDashboard = createThunkAction(FETCH_DASHBOARD, function(dashId
        _.chain(result.ordered_cards)
            .map((dc) => [dc.card].concat(dc.series))
            .flatten()
-            .map(card => card.dataset_query && card.dataset_query.database)
+            .filter(card => card && card.dataset_query && card.dataset_query.database)
+            .map(card => card.dataset_query.database)
            .uniq()
            .each((dbId) => dispatch(fetchDatabaseMetadata(dbId)));


--- a/src/metabase/api/dashboard.clj
+++ b/src/metabase/api/dashboard.clj
@@ -37,15 +37,21 @@
   parameters [ArrayOfMaps]}
  (dashboard/create-dashboard! dashboard *current-user-id*))

+(defn- hide-unreadable-card
+  "Replace unreadable card with object containing only the id"
+  [card]
+  (if (models/can-read? card)
+    card
+    {:id (:id card)}))

 (defn- hide-unreadable-cards
-  "Remove the `:card` and `:series` entries from dashcards that they user isn't allowed to read."
+  "Replace the `:card` and `:series` entries from dashcards that they user isn't allowed to read with empty object."
  [dashboard]
  (update dashboard :ordered_cards (fn [dashcards]
                                     (vec (for [dashcard dashcards]
-                                            (if (models/can-read? dashcard)
-                                              dashcard
-                                              (dissoc dashcard :card :series)))))))
+                                            (assoc dashcard :card (hide-unreadable-card (:card dashcard))
+                                                            :series (for [card (:series dashcard)]
+                                                                      (hide-unreadable-card card))))))))

 (defendpoint GET "/:id"
  "Get `Dashboard` with ID."