feat(auth): when user is not logged in, failure to access a dashboard should redirect to login screen

[sfirke]

SUMMARY

If a viewer is not logged in, or they are the public/anonymous user, and they click a link that takes them to a Superset dashboard that is not public, they are currently told "You don't have access" and sent to the list of dashboards, where they will see only public ones listed. This is often misleading: in most cases, the problem is not that they don't have access -- they just need to log in.

After the PR, such cases are routed to the login screen, and after a successful login the users are sent back to the dashboard they were trying to access.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

BEFORE

current_redirect.mp4

AFTER

redirect_new.mp4

note I've changed the error message since recording this

TESTING INSTRUCTIONS

Create a dashboard with restricted access, try to view it while not logged in.

ADDITIONAL INFORMATION

Implements this feature request: #22190
Replaces this stale PR: #23280

I have the DASHBOARD_RBAC flag enabled as well as the Public role in use. My code alterations are minimal so I don't think it will negatively affect deployments that differ from mine, but it would be good to have someone check.

I'm not sure how to write tests for this but am open to it if someone can advise.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.90%. Comparing base (76d897e) to head (d8ad102).
⚠️ Report is 2203 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #30380       +/-   ##
===========================================
+ Coverage   60.48%   83.90%   +23.41%     
===========================================
  Files        1931      533     -1398     
  Lines       76236    38524    -37712     
  Branches     8568        0     -8568     
===========================================
- Hits        46114    32322    -13792     
+ Misses      28017     6202    -21815     
+ Partials     2105        0     -2105     

Flag	Coverage Δ
hive	48.99% <0.00%> (-0.17%)	⬇️
javascript	?
mysql	76.88% <100.00%> (?)
postgres	76.95% <100.00%> (?)
presto	53.49% <0.00%> (-0.31%)	⬇️
python	83.90% <100.00%> (+20.39%)	⬆️
sqlite	76.40% <100.00%> (?)
unit	60.64% <0.00%> (+3.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[villebro]

LGTM with a non-blocking question on the next url param.

[Ishankoradia]

@sfirke i have a public dashboard and its redirecting users to /login page even when the dashboard is tagged with a Public role.

Does this PR handle this case too ?

I am using oauth with superset 4.1.1

(this works in the basic auth setting)

[sfirke]

@Ishankoradia two things:

1. I think you may need to configure something differently. In 4.1.1 I am able to have both OAuth and public dashboards. Maybe something missing about how you set it public.

2. this PR's functionality has since been unintentionally broken by other changes. I have PR fix(auth): redirect anonymous attempts to view dashboard with next #35345 open to re-add this functionality to Superset, hopefully for v6.0.0.

[Ishankoradia]

Thanks @sfirke for the really quick response.

I will check my configuration again but correct me if I am wrong. Two important things to allow dashboards to he viewed publicly (without authentication)

1. Attach a Public role to that dashboard
2. Set PUBLIC_ROLE_LIKE=Gamma

Am I missing something ?

[sfirke]

I will look at my config tomorrow but try enabling the DASHBOARD_RBAC feature flag if that works for your security model.

[sfirke]

I don't have PUBLIC_ROLE_LIKE in my config. Instead I define a Public role in the Superset UI, using a permissions list from #25938 (comment).

[Ishankoradia]

Ahh gotcha !!! thank you so much @sfirke