diff --git a/pkg/services/libraryelements/api.go b/pkg/services/libraryelements/api.go
index 970fd31212f..a8ed34609c4 100644
--- a/pkg/services/libraryelements/api.go
+++ b/pkg/services/libraryelements/api.go
@@ -26,7 +26,7 @@ func (l *LibraryElementService) registerAPIEndpoints() {
 	entities.Post("/", authorize(ac.EvalPermission(ActionLibraryPanelsCreate)), routing.Wrap(l.createHandler))
 	entities.Delete("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsDelete, uidScope)), routing.Wrap(l.deleteHandler))
 	entities.Get("/", authorize(ac.EvalPermission(ActionLibraryPanelsRead)), routing.Wrap(l.getAllHandler))
-	entities.Get("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsRead, uidScope)), routing.Wrap(l.getHandler))
+	entities.Get("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsRead)), routing.Wrap(l.getHandler))
 	entities.Get("/:uid/connections/", authorize(ac.EvalPermission(ActionLibraryPanelsRead, uidScope)), routing.Wrap(l.getConnectionsHandler))
 	entities.Get("/name/:name", routing.Wrap(l.getByNameHandler))
 	entities.Patch("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsWrite, uidScope)), routing.Wrap(l.patchHandler))
@@ -140,7 +140,8 @@ func (l *LibraryElementService) deleteHandler(c *contextmodel.ReqContext) respon
 // 404: notFoundError
 // 500: internalServerError
 func (l *LibraryElementService) getHandler(c *contextmodel.ReqContext) response.Response {
-	element, err := l.getLibraryElementByUid(c.Req.Context(), c.SignedInUser,
+	ctx := c.Req.Context()
+	element, err := l.getLibraryElementByUid(ctx, c.SignedInUser,
 		model.GetLibraryElementCommand{
 			UID: web.Params(c.Req)[":uid"],
 			FolderName: dashboards.RootFolderName,
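Review bot: Dropping `uidScope` from the `GET /:uid` authorize call applies regardless of the feature flag, while the replacement per-UID evaluation in getHandler only runs when `FlagLibraryPanelRBAC` is enabled, so with the flag off this route is authorized on the unscoped `ActionLibraryPanelsRead` alone. Whether access is then still restricted per element depends on getLibraryElementByUid applying the folder permission filter (the database.go hunk keeps `WriteDashboardPermissionFilter` only on the flag-off path, which is presumably what this relies on); a test for a user holding the action but lacking folder access would pin that down. If the fallback is intentional, a comment on this line would record it, e.g. `// uid scope is evaluated in getHandler when FlagLibraryPanelRBAC is on; otherwise the folder permission filter in getLibraryElements applies`. The `/:uid/connections/` route on the next line keeps `uidScope`, so the two read paths are now authorized differently. registerAPIEndpoints starts and ends outside this hunk.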
@@ -150,6 +151,15 @@ func (l *LibraryElementService) getHandler(c *contextmodel.ReqContext) response.
 		return toLibraryElementError(err, "Failed to get library element")
 	}
 
+	if l.features.IsEnabled(ctx, featuremgmt.FlagLibraryPanelRBAC) {
+		allowed, err := l.AccessControl.Evaluate(ctx, c.SignedInUser, ac.EvalPermission(ActionLibraryPanelsRead, ScopeLibraryPanelsProvider.GetResourceScopeUID(web.Params(c.Req)[":uid"])))
+		if err != nil {
+			return response.Error(http.StatusInternalServerError, "unable to evaluate library panel permissions", err)
+		} else if !allowed {
+			return response.Error(http.StatusForbidden, "insufficient permissions for getting library panel", err)
+		}
+	}
+
 	return response.JSON(http.StatusOK, model.LibraryElementResponse{Result: element})
 }
 
diff --git a/pkg/services/libraryelements/database.go b/pkg/services/libraryelements/database.go
index b8c09c12816..a223107d035 100644
--- a/pkg/services/libraryelements/database.go
+++ b/pkg/services/libraryelements/database.go
@@ -296,7 +296,12 @@ func (l *LibraryElementService) getLibraryElements(c context.Context, store db.D
 	builder.Write(getFromLibraryElementDTOWithMeta(store.GetDialect()))
 	builder.Write(" INNER JOIN dashboard AS dashboard on le.folder_id = dashboard.id AND le.folder_id <> 0")
 	writeParamSelectorSQL(&builder, params...)
-	builder.WriteDashboardPermissionFilter(signedInUser, dashboardaccess.PERMISSION_VIEW, searchstore.TypeFolder)
+
+	// use permission filter if lib panel RBAC isn't enabled
+	if !l.features.IsEnabled(c, featuremgmt.FlagLibraryPanelRBAC) {
+		builder.WriteDashboardPermissionFilter(signedInUser, dashboardaccess.PERMISSION_VIEW, searchstore.TypeFolder)
+	}
+
 	builder.Write(` OR dashboard.id=0`)
 	if err := session.SQL(builder.GetSQLString(), builder.GetParams()...).Find(&libraryElements); err != nil {
 		return err
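Review bot: The new permission evaluation runs only after getLibraryElementByUid has already been called, so with the flag on a caller lacking read access on a UID receives a 404 from toLibraryElementError when the element does not exist and a 403 when it does, which reveals which UIDs exist. The evaluation needs nothing but `web.Params(c.Req)[":uid"]`, so it can be moved ahead of the lookup (that call is in the previous hunk), or the forbidden branch can answer with the same not-found response the lookup failure produces. Two smaller points in the same block: `err` is nil on the `!allowed` branch, so `response.Error(http.StatusForbidden, "insufficient permissions for getting library panel", nil)` states what is actually passed, and the `else if` after a returning `if` reads more plainly as `if !allowed {`. getHandler's opening lines are in the previous hunk.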
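Review bot: With `FlagLibraryPanelRBAC` enabled this query no longer applies `WriteDashboardPermissionFilter`, so from then on every caller of getLibraryElements receives rows with no per-folder restriction and must do its own per-element check, as getHandler now does; any listing or by-name path that reaches this function without such a check would be affected, and the diff does not show those callers either way. The added comment should say where the check moves rather than only that the filter is skipped, e.g. `// With FlagLibraryPanelRBAC the folder permission filter is not applied here; callers must evaluate ActionLibraryPanelsRead on the element UID themselves.` Note also that without the filter, `OR dashboard.id=0` now immediately follows whatever writeParamSelectorSQL wrote, so the WHERE clause's AND/OR grouping on the flag-on path deserves a look (the shape is pre-existing, but the filter used to sit between them). getLibraryElements starts and ends outside this hunk.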