root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 266 Packages Projects Releases Wiki Activity

LibraryPanelRBAC: Fix issue with importing dashboards containing library panels (#83980)

This commit is contained in:
kay delaney 2024-04-05 10:11:02 +01:00 committed by GitHub
parent 5ce8b60878
commit 6a53864f7a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 18 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/services/libraryelements/api.go
View File

@ -26,7 +26,7 @@ func (l *LibraryElementService) registerAPIEndpoints() {
entities.Post("/", authorize(ac.EvalPermission(ActionLibraryPanelsCreate)), routing.Wrap(l.createHandler))
entities.Delete("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsDelete, uidScope)), routing.Wrap(l.deleteHandler))
entities.Get("/", authorize(ac.EvalPermission(ActionLibraryPanelsRead)), routing.Wrap(l.getAllHandler))
entities.Get("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsRead, uidScope)), routing.Wrap(l.getHandler))
entities.Get("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsRead)), routing.Wrap(l.getHandler))
entities.Get("/:uid/connections/", authorize(ac.EvalPermission(ActionLibraryPanelsRead, uidScope)), routing.Wrap(l.getConnectionsHandler))
entities.Get("/name/:name", routing.Wrap(l.getByNameHandler))
entities.Patch("/:uid", authorize(ac.EvalPermission(ActionLibraryPanelsWrite, uidScope)), routing.Wrap(l.patchHandler))
@ -140,7 +140,8 @@ func (l *LibraryElementService) deleteHandler(c *contextmodel.ReqContext) respon
// 404: notFoundError
// 500: internalServerError
func (l *LibraryElementService) getHandler(c *contextmodel.ReqContext) response.Response {
element, err := l.getLibraryElementByUid(c.Req.Context(), c.SignedInUser,
ctx := c.Req.Context()
element, err := l.getLibraryElementByUid(ctx, c.SignedInUser,
model.GetLibraryElementCommand{
UID: web.Params(c.Req)[":uid"],
FolderName: dashboards.RootFolderName,
@ -150,6 +151,15 @@ func (l *LibraryElementService) getHandler(c *contextmodel.ReqContext) response.
return toLibraryElementError(err, "Failed to get library element")
}
if l.features.IsEnabled(ctx, featuremgmt.FlagLibraryPanelRBAC) {
allowed, err := l.AccessControl.Evaluate(ctx, c.SignedInUser, ac.EvalPermission(ActionLibraryPanelsRead, ScopeLibraryPanelsProvider.GetResourceScopeUID(web.Params(c.Req)[":uid"])))
if err != nil {
return response.Error(http.StatusInternalServerError, "unable to evaluate library panel permissions", err)
} else if !allowed {
return response.Error(http.StatusForbidden, "insufficient permissions for getting library panel", err)
}
}
return response.JSON(http.StatusOK, model.LibraryElementResponse{Result: element})
}

5
pkg/services/libraryelements/database.go
View File

@ -296,7 +296,12 @@ func (l *LibraryElementService) getLibraryElements(c context.Context, store db.D
builder.Write(getFromLibraryElementDTOWithMeta(store.GetDialect()))
builder.Write(" INNER JOIN dashboard AS dashboard on le.folder_id = dashboard.id AND le.folder_id <> 0")
writeParamSelectorSQL(&builder, params...)
// use permission filter if lib panel RBAC isn't enabled
if !l.features.IsEnabled(c, featuremgmt.FlagLibraryPanelRBAC) {
builder.WriteDashboardPermissionFilter(signedInUser, dashboardaccess.PERMISSION_VIEW, searchstore.TypeFolder)
}
builder.Write(` OR dashboard.id=0`)
if err := session.SQL(builder.GetSQLString(), builder.GetParams()...).Find(&libraryElements); err != nil {
return err