diff --git a/superset/views/core.py b/superset/views/core.py
index 0419c042f8ec1..4a21947e5c657 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -1179,7 +1179,12 @@ def explore(self, datasource_type, datasource_id):
 if action == 'overwrite' and not slice_overwrite_perm:
 return json_error_response(
- "You don't have the rights to alter this slice",
+ _('You don\'t have the rights to ') + _('alter this ') + _('chart'),
+ status=400)
+
+ if action == 'saveas' and not slice_add_perm:
+ return json_error_response(
+ _('You don\'t have the rights to ') + _('create a ') + _('chart'),
 status=400)
 if action in ('saveas', 'overwrite'):
@@ -1287,12 +1292,28 @@ def save_or_overwrite_slice(
 .filter_by(id=int(request.args.get('save_to_dashboard_id')))
 .one()
 )
+
+ # check edit dashboard permissions
+ dash_overwrite_perm = check_ownership(dash, raise_if_false=False)
+ if not dash_overwrite_perm:
+ return json_error_response(
+ _('You don\'t have the rights to ') + _('alter this ') +
+ _('dashboard'),
+ status=400)
+
 flash(
 'Slice [{}] was added to dashboard [{}]'.format(
 slc.slice_name, dash.dashboard_title),
 'info')
 elif request.args.get('add_to_dash') == 'new':
+ # check create dashboard permissions
+ dash_add_perm = self.can_access('can_add', 'DashboardModelView')
+ if not dash_add_perm:
+ return json_error_response(
+ _('You don\'t have the rights to ') + _('create a ') + _('dashboard'),
+ status=400)
+
 dash = models.Dashboard(
 dashboard_title=request.args.get('new_dashboard_name'),
 owners=[g.user] if g.user else [])
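Review bot: The permission denials in `explore` answer with `status=400`, which reports an authorization failure as a malformed request; `status=403` on both `json_error_response` calls would let clients and log-based alerting tell denied actions apart from bad input. The same applies to the two dashboard checks added to `save_or_overwrite_slice` in the next hunk. Separately, assembling the message from three translated fragments (`_('You don\'t have the rights to ') + _('alter this ') + _('chart')`) forces English word order on every locale; one whole sentence per message, e.g. `_('You don\'t have the rights to alter this chart')`, translates cleanly. `slice_add_perm` is assigned outside the hunk, so how it is derived cannot be checked from here.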
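Review bot: Both dashboard checks sit inside the `add_to_dash` branches of `save_or_overwrite_slice`, and if the chart is saved or overwritten earlier in this function (that part lies outside the hunk), a denied dashboard action returns an error after the chart has already been written. Evaluating `check_ownership(dash, raise_if_false=False)` and `self.can_access('can_add', 'DashboardModelView')` before any write would make the request fail as a whole instead of leaving a partial change behind. The existing comments could also say why, for example `# deny before persisting: caller must own the target dashboard`.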