root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 31 Packages Projects Releases Wiki Activity

[v11.3.x] User: Check SignedInUser OrgID in RevokeInvite (#95490) 

User: Check SignedInUser OrgID in RevokeInvite (#95476)

Check SignedInUser OrgID in RevokeInvite

(cherry picked from commit fedcf47702)

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
This commit is contained in:
grafana-delivery-bot[bot] 2024-10-28 14:42:19 +02:00 committed by GitHub
parent c081bb53d0
commit 5af40ed44f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/api/org_invite.go
View File

@ -195,6 +195,20 @@ func (hs *HTTPServer) inviteExistingUserToOrg(c *contextmodel.ReqContext, user *
// 404: notFoundError
// 500: internalServerError
func (hs *HTTPServer) RevokeInvite(c *contextmodel.ReqContext) response.Response {
query := tempuser.GetTempUserByCodeQuery{Code: web.Params(c.Req)[":code"]}
queryResult, err := hs.tempUserService.GetTempUserByCode(c.Req.Context(), &query)
if err != nil {
if errors.Is(err, tempuser.ErrTempUserNotFound) {
return response.Error(http.StatusNotFound, "Invite not found", nil)
}
return response.Error(http.StatusInternalServerError, "Failed to get invite", err)
}
canRevoke := c.SignedInUser.GetOrgID() == queryResult.OrgID || c.SignedInUser.GetIsGrafanaAdmin()
if !canRevoke {
return response.Error(http.StatusForbidden, "Permission denied: not permitted to revoke invite", nil)
}
if ok, rsp := hs.updateTempUserStatus(c.Req.Context(), web.Params(c.Req)[":code"], tempuser.TmpUserRevoked); !ok {
return rsp
}