fix(dashboard): check edit permissions correctly on frontend

[suddjian]

SUMMARY

This fixes a case where users who were not owners of a dashboard were incorrectly seeing the "Edit" button. This is not a security hole as the users cannot successfully submit their edits, but it was incorrect UI that needed to be fixed.

The frontend was incorrectly inferring dashboard edit permissions. This change fixes the issue by copying logic from the backend's check_ownership function.

The code of the frontend version implements the same check, while being much simpler than the backend version due to being a pure function, dashboard-specific, and not having parameterized function behavior.

I did this instead of changing endpoints, because the caching of the existing dashboard endpoints depends on returning the same data to all users, and because implementing a new endpoint to just return a boolean felt wrong.

TEST PLAN

1. Log in as a user with "Alpha" role (or other non-admin role with dashboard edit permissions)
2. View a dashboard of which you are an owner - you should be able to edit
3. View a dashboard of which you are not an owner - you should not be able to edit
4. Log in as an admin: you should be able to edit any dashboard, regardless of ownership
5. Log in as a user without dashboard edit permissions (e.g. Gamma role): You should not be able to edit any dashboard, regardless of ownership

ADDITIONAL INFORMATION

• Has associated issue: fixes Public dashboard does not work due to JS error in findPermission.ts #14442
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

Merging #14626 (1fc7e8d) into master (d31958c) will increase coverage by 0.03%.
The diff coverage is 68.75%.

@@            Coverage Diff             @@
##           master   #14626      +/-   ##
==========================================
+ Coverage   77.47%   77.51%   +0.03%     
==========================================
  Files         959      959              
  Lines       48492    48853     +361     
  Branches     5681     5830     +149     
==========================================
+ Hits        37569    37867     +298     
- Misses      10723    10782      +59     
- Partials      200      204       +4     

Flag	Coverage Δ
hive	80.96% <ø> (ø)
javascript	72.67% <68.75%> (+0.15%)	⬆️
mysql	81.24% <ø> (ø)
postgres	81.26% <ø> (ø)
presto	80.96% <ø> (ø)
python	81.79% <ø> (ø)
sqlite	80.88% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...ontend/src/common/hooks/apiResources/dashboards.ts	40.00% <0.00%> (-10.00%)	⬇️
superset-frontend/src/dashboard/actions/hydrate.js	1.73% <0.00%> (-0.02%)	⬇️
...rset-frontend/src/dashboard/util/findPermission.ts	100.00% <100.00%> (ø)
...tend/src/explore/components/ExploreChartHeader.jsx	60.41% <0.00%> (-2.75%)	⬇️
superset-frontend/src/components/Menu/SubMenu.tsx	95.50% <0.00%> (-0.21%)	⬇️
...et-frontend/src/components/EditableTitle/index.tsx	83.78% <0.00%> (-0.17%)	⬇️
...nd/src/explore/components/ExploreViewContainer.jsx	2.31% <0.00%> (-0.03%)	⬇️
...components/DashboardBuilder/DashboardContainer.tsx	100.00% <0.00%> (ø)
...uperset-frontend/src/components/Menu/MenuRight.tsx	92.95% <0.00%> (+0.10%)	⬆️
...ntend/src/explore/components/ExploreChartPanel.jsx	17.33% <0.00%> (+0.19%)	⬆️
... and 6 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d31958c...1fc7e8d. Read the comment docs.

[junlincc]

@suddjian hi Aaron, can you add manual test plan for our QA team to help test? thanks 😊

[suddjian]

Done @junlincc thank you for the heads up

[pkdotson]

should this be initialized as a empty object if dashboard comes back as undefined.

[suddjian]

I assume you mean if the metadata is undefined (if the dashboard is undefined it will be a 404). I don't think it should be initialized like that, null is different from an empty object.

This is not actually new behavior, I just had to write this guard to appease the type system since I corrected the types of some dashboard fields to be nullable.

[suddjian]

fixes #14442

[pkdotson]

LGTM!

[michael-s-molina]

#14442

@suddjian GitHub will not automatically close this issue because it doesn't check for comments. You should add this text to the PR description 😉