fix(security): Return 404 for dashboard access denial to prevent information leakage

mistercrunch · claude · mistercrunch · commit d8f910fc3ac7 · 2025-09-24T17:54:14.000-07:00
- Dashboard access denial now returns 404 instead of redirecting
- Prevents attackers from enumerating which dashboards exist
- Updated tests to expect 404 instead of 302 for access denial
- 18 of 20 RBAC tests now pass (2 have teardown issues)

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/tests/integration_tests/dashboards/security/security_rbac_tests.py b/tests/integration_tests/dashboards/security/security_rbac_tests.py
@@ -108,7 +108,7 @@ def test_get_dashboard_view__user_can_not_access_without_permission(self):
 
         # act
         response = self.get_dashboard_view_response(dashboard_to_access)
-        assert response.status_code == 302
+        assert response.status_code == 404
 
         request_payload = get_query_context("birth_names")
         rv = self.post_assert_metric(CHART_DATA_URI, request_payload, "data")
@@ -129,7 +129,7 @@ def test_get_dashboard_view__user_with_dashboard_permission_can_not_access_draft
         response = self.get_dashboard_view_response(dashboard_to_access)
 
         # assert
-        assert response.status_code == 302
+        assert response.status_code == 404
 
         # post
         revoke_access_to_dashboard(dashboard_to_access, new_role)  # noqa: F405
@@ -147,9 +147,9 @@ def test_get_dashboard_view__user_no_access_regular_rbac(self):
         dashboard = create_dashboard_to_db(published=True, slices=[slice])
         self.login(GAMMA_USERNAME)
 
-        # assert redirect on regular rbac access denied
+        # assert 404 on regular rbac access denied (prevents information leakage)
         response = self.get_dashboard_view_response(dashboard)
-        assert response.status_code == 302
+        assert response.status_code == 404
 
         request_payload = get_query_context("birth_names")
         rv = self.post_assert_metric(CHART_DATA_URI, request_payload, "data")
@@ -221,7 +221,7 @@ def test_get_dashboard_view__public_user_can_not_access_without_permission(self)
         response = self.get_dashboard_view_response(dashboard_to_access)
 
         # assert
-        assert response.status_code == 302
+        assert response.status_code == 404
 
     @pytest.mark.usefixtures("public_role_like_gamma")
     def test_get_dashboard_view__public_user_with_dashboard_permission_can_not_access_draft(  # noqa: E501
@@ -234,7 +234,7 @@ def test_get_dashboard_view__public_user_with_dashboard_permission_can_not_acces
         response = self.get_dashboard_view_response(dashboard_to_access)
 
         # assert
-        assert response.status_code == 302
+        assert response.status_code == 404
 
         # post
         revoke_access_to_dashboard(dashboard_to_access, "Public")  # noqa: F405
