From 1d56c32ab0a0c98d8ff462b29939398d7cd1afb5 Mon Sep 17 00:00:00 2001
From: Gabriel MABILLE
Date: Wed, 22 Sep 2021 13:50:21 +0200
Subject: [PATCH] AccessControl: Protect /datasources endpoints consistently with NavLinks permissions (#39319)

---
 pkg/api/api.go | 6 +++---
 pkg/api/index.go | 10 ----------
 pkg/api/roles.go | 26 ++++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/pkg/api/api.go b/pkg/api/api.go
index 42dd5f85428..4407325af89 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -53,9 +53,9 @@ func (hs *HTTPServer) registerRoutes() {
 r.Get("/profile/switch-org/:id", reqSignedInNoAnonymous, hs.ChangeActiveOrgAndRedirectToHome)
 r.Get("/org/", reqOrgAdmin, hs.Index)
 r.Get("/org/new", reqGrafanaAdmin, hs.Index)
- r.Get("/datasources/", authorize(reqOrgAdmin, ac.EvalPermission(ActionDatasourcesRead)), hs.Index)
- r.Get("/datasources/new", authorize(reqOrgAdmin, ac.EvalPermission(ActionDatasourcesCreate)), hs.Index)
- r.Get("/datasources/edit/*", authorize(reqOrgAdmin, ac.EvalPermission(ActionDatasourcesRead)), hs.Index)
+ r.Get("/datasources/", authorize(reqOrgAdmin, dataSourcesConfigurationAccessEvaluator), hs.Index)
+ r.Get("/datasources/new", authorize(reqOrgAdmin, dataSourcesNewAccessEvaluator), hs.Index)
+ r.Get("/datasources/edit/*", authorize(reqOrgAdmin, dataSourcesEditAccessEvaluator), hs.Index)
 r.Get("/org/users", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionOrgUsersRead, ac.ScopeUsersAll)), hs.Index)
 r.Get("/org/users/new", reqOrgAdmin, hs.Index)
 r.Get("/org/users/invite", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionUsersCreate)), hs.Index)
diff --git a/pkg/api/index.go b/pkg/api/index.go
index c039bb9e941..e86521fac93 100644
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
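Review bot: The wildcard route `/datasources/edit/*` is now gated by `dataSourcesEditAccessEvaluator`, which (per the roles.go hunk of this patch) checks `ActionDatasourcesWrite` with no scope argument, so the datasource id in the path does not appear to take part in the decision; unless `authorize` or `EvalPermission` derive a scope from the request, which nothing in this hunk shows, this is a page-level gate only and per-datasource enforcement still rests on the `/api/datasources` handlers outside this hunk. A one-line comment above the three routes would keep the next reader from assuming otherwise, e.g. `// Page-level gates for the Index HTML only; per-datasource scope is enforced by the datasource API handlers.` The same applies to `/datasources/` and `/datasources/new`, whose evaluators also use package-level scopes. `registerRoutes` continues beyond the end of this hunk.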
@@ -18,16 +18,6 @@ const (
 darkName = "dark"
 )
 
-// dataSourcesConfigurationAccessEvaluator is used to protect the "Configure > Data sources" tab access
-var dataSourcesConfigurationAccessEvaluator = ac.EvalAll(
- ac.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll),
- ac.EvalAny(
- ac.EvalPermission(ActionDatasourcesCreate),
- ac.EvalPermission(ActionDatasourcesDelete),
- ac.EvalPermission(ActionDatasourcesWrite),
- ),
-)
-
 func (hs *HTTPServer) getProfileNode(c *models.ReqContext) *dtos.NavLink {
 // Only set login if it's different from the name
 var login string
diff --git a/pkg/api/roles.go b/pkg/api/roles.go
index 4dc3b898ab0..77244c3ffc8 100644
--- a/pkg/api/roles.go
+++ b/pkg/api/roles.go
@@ -90,3 +90,29 @@ func (hs *HTTPServer) declareFixedRoles() error {
 
 return hs.AccessControl.DeclareFixedRoles(registrations...)
 }
+
+// Evaluators
+// here is the list of complex evaluators we use in this package
+
+// dataSourcesConfigurationAccessEvaluator is used to protect the "Configure > Data sources" tab access
+var dataSourcesConfigurationAccessEvaluator = accesscontrol.EvalAll(
+ accesscontrol.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll),
+ accesscontrol.EvalAny(
+ accesscontrol.EvalPermission(ActionDatasourcesCreate),
+ accesscontrol.EvalPermission(ActionDatasourcesDelete),
+ accesscontrol.EvalPermission(ActionDatasourcesWrite),
+ ),
+)
+
+// dataSourcesNewAccessEvaluator is used to protect the "Configure > Data sources > New" page access
+var dataSourcesNewAccessEvaluator = accesscontrol.EvalAll(
+ accesscontrol.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll),
+ accesscontrol.EvalPermission(ActionDatasourcesCreate),
+ accesscontrol.EvalPermission(ActionDatasourcesWrite),
+)
+
+// dataSourcesEditAccessEvaluator is used to protect the "Configure > Data sources > Edit" page access
+var dataSourcesEditAccessEvaluator = accesscontrol.EvalAll(
+ accesscontrol.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll),
+ accesscontrol.EvalPermission(ActionDatasourcesWrite),
+)
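Review bot: The three new evaluators reference the access-control package as `accesscontrol.` while the api.go hunk of this same patch, and the removed index.go lines, use the `ac.` alias for what looks like the same import; two aliases for one package inside `pkg/api` is worth unifying in whichever direction the package already favours. Every evaluator repeats `accesscontrol.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll)`; hoisting it into `var dataSourcesReadAllEvaluator = accesscontrol.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll)` and composing the three from it keeps the read scope from drifting between them. The `// Evaluators` / `// here is the list of complex evaluators we use in this package` header is not attached to any declaration; a single sentence such as `// Composite access-control evaluators used by the page routes registered in api.go.` reads better as Go comment style. The comment on `dataSourcesNewAccessEvaluator` does not say why the New page requires `ActionDatasourcesWrite` in addition to `ActionDatasourcesCreate`; if this mirrors the NavLink check named in the commit title, stating that in the comment explains the stricter gate. `declareFixedRoles` starts before the beginning of this hunk.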