Merge pull request #6791 from metabase/fix-dashcard-series-perms

Ensure collection_id is included in series dashcards

Merge pull request #6791 from metabase/fix-dashcard-series-perms
c952a60a · Ryan Senior · GitHub · b1627d67 · 5f3e5bea · c952a60a
Unverified Commit c952a60a authored 7 years ago by Ryan Senior Committed by GitHub 7 years ago
--- a/src/metabase/models/dashboard_card.clj
+++ b/src/metabase/models/dashboard_card.clj
@@ -68,7 +68,7 @@
 (defn ^:hydrate series
  "Return the `Cards` associated as additional series on this `DashboardCard`."
  [{:keys [id]}]
-  (db/select [Card :id :name :description :display :dataset_query :visualization_settings]
+  (db/select [Card :id :name :description :display :dataset_query :visualization_settings :collection_id]
    (mdb/join [Card :id] [DashboardCardSeries :card_id])
    (db/qualify DashboardCardSeries :dashboardcard_id) id
    {:order-by [[(db/qualify DashboardCardSeries :position) :asc]]}))

--- a/test/metabase/api/dashboard_test.clj
+++ b/test/metabase/api/dashboard_test.clj
@@ -11,6 +11,7 @@
             [dashboard :as dashboard-api]]
            [metabase.models
             [card :refer [Card]]
+             [collection :refer [Collection]]
             [dashboard :refer [Dashboard]]
             [dashboard-card :refer [DashboardCard retrieve-dashboard-card]]
             [dashboard-card-series :refer [DashboardCardSeries]]
@@ -143,6 +144,19 @@
                  DashboardCard [_                  {:dashboard_id dashboard-id, :card_id card-id}]]
    (dashboard-response ((user->client :rasta) :get 200 (format "dashboard/%d" dashboard-id)))))

+;; ## GET /api/dashboard/:id with a series, should fail if the user doesn't have access to the collection
+(expect
+  "You don't have permissions to do that."
+  (tt/with-temp* [Collection          [{coll-id :id}      {:name "Collection 1"}]
+                  Dashboard           [{dashboard-id :id} {:name       "Test Dashboard"
+                                                           :creator_id (user->id :crowberto)}]
+                  Card                [{card-id :id}      {:name          "Dashboard Test Card"
+                                                           :collection_id coll-id}]
+                  Card                [{card-id2 :id}     {:name          "Dashboard Test Card 2"
+                                                           :collection_id coll-id}]
+                  DashboardCard       [{dbc_id :id}       {:dashboard_id dashboard-id, :card_id card-id}]
+                  DashboardCardSeries [_                  {:dashboardcard_id dbc_id, :card_id card-id2, :position 0}]]
+    ((user->client :rasta) :get 403 (format "dashboard/%d" dashboard-id))))

 ;; ## PUT /api/dashboard/:id
 (expect