In /graph_json, check internal_only on Test entity and skip test for all Row entities.

dashboard/dashboard/datastore_hooks.py

Index: dashboard/dashboard/datastore_hooks.py
diff --git a/dashboard/dashboard/datastore_hooks.py b/dashboard/dashboard/datastore_hooks.py
index 9e15b6572d2ebb53c05e8df2608bf5bf4648a055..432c2a503378370614ffdc93e9a0ee2a1d14f662 100644
--- a/dashboard/dashboard/datastore_hooks.py
+++ b/dashboard/dashboard/datastore_hooks.py
@@ -56,6 +56,23 @@ def SetPrivilegedRequest():
   request.registry['privileged'] = True
 
 
+def SetSinglePrivilegedRequest():
+  """Allows the current request to act as a privileged user only ONCE.
+
+  This should be called ONLY by handlers that have checked privilege immediately
+  before making a query. It will be automatically unset when the next query is
+  made.
+  """
+  request = webapp2.get_request()
+  request.registry['single_privileged'] = True
+
+
+def CancelSinglePrivilegedRequest():
+  """Disallows the current request to act as a privileged user only."""
+  request = webapp2.get_request()
+  request.registry['single_privileged'] = False
+
+
 def _IsServicingPrivilegedRequest():
   """Checks whether the request is considered privileged."""
   try:
@@ -70,6 +87,9 @@ def _IsServicingPrivilegedRequest():
     return True
   if request.registry.get('privileged', False):
     return True
+  if request.registry.get('single_privileged', False):
+    request.registry['single_privileged'] = False
+    return True
   whitelist = utils.GetIpWhitelist()
   if whitelist and hasattr(request, 'remote_addr'):
     return request.remote_addr in whitelist