Dashboard visibility problem

[tothandor]

Issue Summary

Dashboards become visible in dashboards list for users without access, if the dashboard contains a textbox widget.

Steps to Reproduce

Add a textbox widget to any dashboard. It becomes visible even to users without any permissions.
It's a problem because it will show things for certain users, that you don't want to show.

Technical details:

• Redash Version: v8.0.0 release
• Browser/OS: CentOS 7.5.1804
• How did you install Redash: virtualenv + git clone

[tothandor]

The patch below solves the issue. It modifies the query criteria in all() method of Dashboard class.
Text boxes don't have visualizations.

--- redash/models/__init__.py.orig	2019-12-11 13:51:21.000000000 +0100
+++ redash/models/__init__.py	2020-02-21 11:46:01.099026761 +0100
@@ -891,9 +891,8 @@
             .outerjoin(DataSourceGroup, Query.data_source_id == DataSourceGroup.data_source_id)
             .filter(
                 Dashboard.is_archived == False,
-                (DataSourceGroup.group_id.in_(group_ids) |
-                 (Dashboard.user_id == user_id) |
-                 ((Widget.dashboard != None) & (Widget.visualization == None))),
+                Widget.visualization != None,
+                (DataSourceGroup.group_id.in_(group_ids) | (Dashboard.user_id == user_id)),
                 Dashboard.org == org)
             .distinct())

[arikfr]

Thank you for reporting this, but this is a duplicate of #4099 which was fixed in #4492 (part of the next release).