diff --git a/superset/views/base.py b/superset/views/base.py
index 217415adbf73b..e15399a083ca5 100644
--- a/superset/views/base.py
+++ b/superset/views/base.py
@@ -307,7 +307,7 @@ def check_ownership(obj, raise_if_false=True):
     if hasattr(orig_obj, 'created_by'):
         owners += [orig_obj.created_by]
 
-    owner_names = [o.username for o in owners]
+    owner_names = [o.username for o in owners if o]
 
     if (
             g.user and hasattr(g.user, 'username') and
diff --git a/superset/views/datasource.py b/superset/views/datasource.py
index e00bfbb78ad0d..360739cef0d73 100644
--- a/superset/views/datasource.py
+++ b/superset/views/datasource.py
@@ -9,6 +9,7 @@
 
 from flask import request
 from flask_appbuilder import expose
+from flask_appbuilder.security.decorators import has_access_api
 from flask_babel import gettext as __
 
 from superset import appbuilder, db
@@ -19,6 +20,7 @@
 class Datasource(BaseSupersetView):
     """Datasource-related views"""
     @expose('/save/', methods=['POST'])
+    @has_access_api
     def save(self):
         datasource = json.loads(request.form.get('data'))
         datasource_id = datasource.get('id')