sfirke opened a new pull request, #35345: URL: https://github.com/apache/superset/pull/35345
### SUMMARY

Fixes #35344. Restores functionality from #30380 while retaining the security improvement made in [#35237](https://github.com/apache/superset/pull/35237): not leaking the existence of a dashboard the user doesn't have access to. This may be a minor improvement on #35237, as that uses `Response(status=404)` and returns a bare 404 page. Now it uniformly uses `abort(404)` to return a Superset-formatted 404 page in both cases.

I tested these workflows:

1. Public dashboards remain visible to unauthenticated users
2. Anonymous (unauthenticated) users are always redirected to login when entering a dashboard URL, regardless of whether it exists or they have access. The `next` parameter is used to pass this redirect through the auth process.
3. Authenticated users receive the same Superset-branded 404 page whether they try to visit a dashboard they don't have access to or a dashboard that doesn't exist.

### TESTING INSTRUCTIONS

I added tests, I also deployed to my test environment and manually verified each scenario above.

### ADDITIONAL INFORMATION

- [x] Has associated issue: #35344
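
The three workflows described in the pull request above, modelled as a framework-free added example that is not Superset's code and not part of the PR. The `/login/` path, the `DASHBOARDS` table and every function name are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

# Constructed sample data: dashboard id -> visibility and users granted access.
DASHBOARDS = {
    1: {"public": True, "allowed": set()},
    2: {"public": False, "allowed": {"alice"}},
}


@dataclass(frozen=True)
class Result:
    status: int
    body: str = ""
    location: Optional[str] = None


# One shared response object for "does not exist" and "exists but forbidden",
# so the two cases cannot drift apart in status, body or headers.
NOT_FOUND = Result(404, "styled 404 page")


def _path(dashboard_id: int) -> str:
    return f"/dashboard/{dashboard_id}/"


def view_dashboard(dashboard_id: int, user: Optional[str]) -> Result:
    """Decide the response for a dashboard URL; user is None when anonymous."""
    dash = DASHBOARDS.get(dashboard_id)
    if dash is not None and (dash["public"] or user in dash["allowed"]):
        return Result(200, f"dashboard {dashboard_id}")
    if user is None:
        # Anonymous: redirect to login whether or not the dashboard exists,
        # carrying the requested path in `next` (hypothetical login path).
        return Result(302, location=f"/login/?next={quote(_path(dashboard_id), safe='')}")
    return NOT_FOUND


def indistinguishable(user: Optional[str], existing_id: int, missing_id: int) -> bool:
    """True when both responses differ only by the path the caller supplied."""
    def shape(result: Result, dashboard_id: int):
        quoted = quote(_path(dashboard_id), safe="")
        return (result.status, result.body, (result.location or "").replace(quoted, "<path>"))
    return shape(view_dashboard(existing_id, user), existing_id) == shape(
        view_dashboard(missing_id, user), missing_id
    )
```
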
