LibraryPanelRBAC: Fix issue with importing dashboards containing library panels (#83980)

2024-04-05 10:11:02 +01:00 · 2024-04-05 10:11:02 +01:00 · 6a53864f7a
parent 5ce8b60878
commit 6a53864f7a
2 changed files with 18 additions and 3 deletions
--- a/pkg/services/libraryelements/api.go
+++ b/pkg/services/libraryelements/api.go
@ -26,7 +26,7 @@ func (l *LibraryElementService) registerAPIEndpoints() {
 			entities.Post("/", authorize(ac.EvalPermission(ActionLibraryPanelsCreate)), routing.Wrap(l.createHandler))
 			entities.Delete("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsDelete, uidScope)), routing.Wrap(l.deleteHandler))
 			entities.Get("/", authorize(ac.EvalPermission(ActionLibraryPanelsRead)), routing.Wrap(l.getAllHandler))
-			entities.Get("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsRead, uidScope)), routing.Wrap(l.getHandler))
+			entities.Get("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsRead)), routing.Wrap(l.getHandler))
 			entities.Get("/:uid/connections/", authorize(ac.EvalPermission(ActionLibraryPanelsRead, uidScope)), routing.Wrap(l.getConnectionsHandler))
 			entities.Get("/name/:name", routing.Wrap(l.getByNameHandler))
 			entities.Patch("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsWrite, uidScope)), routing.Wrap(l.patchHandler))
@ -140,7 +140,8 @@ func (l *LibraryElementService) deleteHandler(c *contextmodel.ReqContext) respon
 // 404: notFoundError
 // 500: internalServerError
 func (l *LibraryElementService) getHandler(c *contextmodel.ReqContext) response.Response {
-	element, err := l.getLibraryElementByUid(c.Req.Context(), c.SignedInUser,
+	ctx := c.Req.Context()
+	element, err := l.getLibraryElementByUid(ctx, c.SignedInUser,
 		model.GetLibraryElementCommand{
 			UID:        web.Params(c.Req)[":uid"],
 			FolderName: dashboards.RootFolderName,
@ -150,6 +151,15 @@ func (l *LibraryElementService) getHandler(c *contextmodel.ReqContext) response.
 		return toLibraryElementError(err, "Failed to get library element")
 	}

+	if l.features.IsEnabled(ctx, featuremgmt.FlagLibraryPanelRBAC) {
+		allowed, err := l.AccessControl.Evaluate(ctx, c.SignedInUser, ac.EvalPermission(ActionLibraryPanelsRead, ScopeLibraryPanelsProvider.GetResourceScopeUID(web.Params(c.Req)[":uid"])))
+		if err != nil {
+			return response.Error(http.StatusInternalServerError, "unable to evaluate library panel permissions", err)
+		} else if !allowed {
+			return response.Error(http.StatusForbidden, "insufficient permissions for getting library panel", err)
+		}
+	}
+
 	return response.JSON(http.StatusOK, model.LibraryElementResponse{Result: element})
 }

--- a/pkg/services/libraryelements/database.go
+++ b/pkg/services/libraryelements/database.go
@ -296,7 +296,12 @@ func (l *LibraryElementService) getLibraryElements(c context.Context, store db.D
 		builder.Write(getFromLibraryElementDTOWithMeta(store.GetDialect()))
 		builder.Write(" INNER JOIN dashboard AS dashboard on le.folder_id = dashboard.id AND le.folder_id <> 0")
 		writeParamSelectorSQL(&builder, params...)
-		builder.WriteDashboardPermissionFilter(signedInUser, dashboardaccess.PERMISSION_VIEW, searchstore.TypeFolder)
+
+		// use permission filter if lib panel RBAC isn't enabled
+		if !l.features.IsEnabled(c, featuremgmt.FlagLibraryPanelRBAC) {
+			builder.WriteDashboardPermissionFilter(signedInUser, dashboardaccess.PERMISSION_VIEW, searchstore.TypeFolder)
+		}
+
 		builder.Write(` OR dashboard.id=0`)
 		if err := session.SQL(builder.GetSQLString(), builder.GetParams()...).Find(&libraryElements); err != nil {
 			return err