A query's API key doesn't work if its data source has no group permissions

[susodapop]

Issue Summary

According to our documentation every query has a unique API key that can be used to download results through the API. But if a query uses a data source that has no group access permissions, its api_key fails authentication.

Screenshots

I reproduced this on redash-preview with this query which uses data source 59. I copied the results download link shown below:

Then I removed all group permissions from data source 59. Now the query API key doesn't work.

Steps to Reproduce

1. Make a QR data source
2. Write a query against your new data source.
3. Copy its api_key and check that it works.
4. Remove the data source in step 1 from all groups.
5. Visit the link in step 3. You'll receive an error.

{
  "message": "You don't have the permission to access the requested resource. It is either read-protected or not readable by the server."
}

I expect that the query API key should always pass authentication. Because anonymous visitors don't have any groups period.

Technical details:

• Redash Version: v9 Alpha
• Browser/OS: FF / REST API Client
• How did you install Redash: SaaS