To add to this, the same sort of logic is present in the Datasets list. When a user visits the Datasets list page, it shows all Datasets of the Datasources that the user has access to. So users will be able to see Datasets that they do not have permission for, and it will fail for them when they attempt to navigate to any of them.
Similarly, visiting a Dataset that you don't have access to will expose the names of the columns in the dataset, even though you don't have access to query on it.
There should be a trickle-down check done on these sorts of pages. For example, if you go to the Charts list, it should check first to see what Datasources you have access to, and then individually check the Charts in those Datasources to ensure you have access to each one before it is shown in the list. Same sort of idea for Datasets, Dashboards, etc.
This is likely fixed by now, and is pretty out of date if not. If people are still encountering this in current versions (3.x) please open a new Issue or a PR to address the problem, or add a reproducible example here so we can re-open this one.
ChartFilter here should filter on chart access, not datasource access.
This has downstream implications: ChartDAO.find_by_id relies on ChartFilter, which mistakenly checks for datasource ownership. The correct thing is for chart access to be separated from datasource access. ChartFilter needs to be amended.
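As an added illustration of the two points raised above (the trickle-down check for list pages, and separating chart access from datasource access), the following Python sketch is not Superset's code and not what either commenter posted. It uses a hypothetical data model (User, Datasource, Chart with owners and role grants) and constructed sample data to contrast a list filter keyed on datasource access alone with one that also applies the per-chart check, and reports which charts the first filter lists even though the detail view would then refuse them:

```python
"""List-page filtering: datasource access is necessary but not sufficient.

Added example with a hypothetical data model; it is not Superset's
ChartFilter or ChartDAO. All sample users, datasources and charts below
are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Datasource:
    id: int
    name: str
    allowed_roles: FrozenSet[str]  # roles granted access to this datasource


@dataclass(frozen=True)
class Chart:
    id: int
    name: str
    datasource_id: int
    owners: FrozenSet[str]  # usernames that own the chart
    shared_with_roles: FrozenSet[str] = frozenset()  # roles the chart is shared with


def can_access_datasource(user: User, ds: Datasource) -> bool:
    return bool(user.roles & ds.allowed_roles)


def can_access_chart(user: User, chart: Chart, datasources: Dict[int, Datasource]) -> bool:
    """Trickle-down check: the datasource first, then the chart's own grants."""
    if not can_access_datasource(user, datasources[chart.datasource_id]):
        return False
    return user.name in chart.owners or bool(user.roles & chart.shared_with_roles)


def list_charts_by_datasource_only(user: User, charts: List[Chart],
                                   datasources: Dict[int, Datasource]) -> List[Chart]:
    """The flawed filter: keyed on datasource access alone, so it also lists
    charts on which the user holds no grant at all."""
    return [c for c in charts if can_access_datasource(user, datasources[c.datasource_id])]


def list_charts(user: User, charts: List[Chart],
                datasources: Dict[int, Datasource]) -> List[Chart]:
    """The corrected filter: lists exactly the charts the user can open."""
    return [c for c in charts if can_access_chart(user, c, datasources)]


def open_chart(user: User, chart_id: int, charts: List[Chart],
               datasources: Dict[int, Datasource]) -> Chart:
    """Detail view: enforces the per-chart check, so anything the flawed
    list shows without a chart grant fails here with PermissionError."""
    chart = next(c for c in charts if c.id == chart_id)  # StopIteration if unknown id
    if not can_access_chart(user, chart, datasources):
        raise PermissionError(f"{user.name} may not open chart {chart_id}")
    return chart


def leaked_chart_ids(user: User, charts: List[Chart],
                     datasources: Dict[int, Datasource]) -> Set[int]:
    """Chart ids the datasource-only list exposes but open_chart() rejects:
    the names (and the fact of their existence) leak to this user."""
    listed = list_charts_by_datasource_only(user, charts, datasources)
    return {c.id for c in listed if not can_access_chart(user, c, datasources)}


# Constructed sample data (hypothetical, for the demonstration only).
DATASOURCES: Dict[int, Datasource] = {
    1: Datasource(1, "sales", frozenset({"analyst"})),
    2: Datasource(2, "hr", frozenset({"hr"})),
}
CHARTS: List[Chart] = [
    Chart(10, "Sales by region", 1, owners=frozenset({"alice"})),
    Chart(11, "Sales forecast", 1, owners=frozenset({"bob"})),  # not shared
    Chart(12, "Headcount", 2, owners=frozenset({"carol"})),
    Chart(13, "Sales by product", 1, owners=frozenset({"bob"}),
          shared_with_roles=frozenset({"analyst"})),
]
ALICE = User("alice", frozenset({"analyst"}))

if __name__ == "__main__":
    flawed = [c.name for c in list_charts_by_datasource_only(ALICE, CHARTS, DATASOURCES)]
    fixed = [c.name for c in list_charts(ALICE, CHARTS, DATASOURCES)]
    print("datasource-only list:", flawed)
    print("per-chart list:      ", fixed)
    print("leaked chart ids:    ", leaked_chart_ids(ALICE, CHARTS, DATASOURCES))
```

Running it, alice's datasource-only listing includes "Sales forecast" (chart 11), which she can neither open nor is an owner of; the per-chart listing drops it, and `leaked_chart_ids` reports `{11}`. The same shape applies to the Datasets list: the datasource check decides which parents are candidates, and the object's own permission decides whether it is shown.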