Query History: Prevent viewers from accessing (#88735)

* Add permissions check for viewer without viewers_can_edit

* Add test

* fix lint

* Add role checks on other handlers

* Linter and fix Go issue

* Fix conflict

* Remove invalid way of testing for error
This commit is contained in:
Kristina
2024-07-19 14:44:58 -05:00
committed by GitHub
parent 98c197e6cc
commit a0268a9ad2
4 changed files with 41 additions and 7 deletions


@ -8,6 +8,7 @@ import (
"github.com/grafana/grafana/pkg/api/routing"
"github.com/grafana/grafana/pkg/middleware"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/util"
"github.com/grafana/grafana/pkg/web"
)
@ -35,6 +36,10 @@ func (s *QueryHistoryService) registerAPIEndpoints() {
// 401: unauthorisedError
// 500: internalServerError
func (s *QueryHistoryService) createHandler(c *contextmodel.ReqContext) response.Response {
if c.GetOrgRole() == org.RoleViewer && !s.Cfg.ViewersCanEdit {
return response.Error(http.StatusUnauthorized, "Failed to create query history", nil)
}
cmd := CreateQueryInQueryHistoryCommand{}
if err := web.Bind(c.Req, &cmd); err != nil {
return response.Error(http.StatusBadRequest, "bad request data", err)
@ -61,6 +66,10 @@ func (s *QueryHistoryService) createHandler(c *contextmodel.ReqContext) response
// 401: unauthorisedError
// 500: internalServerError
func (s *QueryHistoryService) searchHandler(c *contextmodel.ReqContext) response.Response {
if c.GetOrgRole() == org.RoleViewer && !s.Cfg.ViewersCanEdit {
return response.Error(http.StatusUnauthorized, "Failed to get query history", nil)
}
timeRange := gtime.NewTimeRange(c.Query("from"), c.Query("to"))
query := SearchInQueryHistoryQuery{
@ -93,6 +102,10 @@ func (s *QueryHistoryService) searchHandler(c *contextmodel.ReqContext) response
// 401: unauthorisedError
// 500: internalServerError
func (s *QueryHistoryService) deleteHandler(c *contextmodel.ReqContext) response.Response {
if c.GetOrgRole() == org.RoleViewer && !s.Cfg.ViewersCanEdit {
return response.Error(http.StatusUnauthorized, "Failed to delete query history", nil)
}
queryUID := web.Params(c.Req)[":uid"]
if len(queryUID) > 0 && !util.IsValidShortUID(queryUID) {
return response.Error(http.StatusNotFound, "Query in query history not found", nil)
@ -150,6 +163,9 @@ func (s *QueryHistoryService) patchCommentHandler(c *contextmodel.ReqContext) re
// 401: unauthorisedError
// 500: internalServerError
func (s *QueryHistoryService) starHandler(c *contextmodel.ReqContext) response.Response {
if c.GetOrgRole() == org.RoleViewer && !s.Cfg.ViewersCanEdit {
return response.Error(http.StatusUnauthorized, "Failed to star query history", nil)
}
queryUID := web.Params(c.Req)[":uid"]
if len(queryUID) > 0 && !util.IsValidShortUID(queryUID) {
return response.Error(http.StatusNotFound, "Query in query history not found", nil)
@ -174,6 +190,9 @@ func (s *QueryHistoryService) starHandler(c *contextmodel.ReqContext) response.R
// 401: unauthorisedError
// 500: internalServerError
func (s *QueryHistoryService) unstarHandler(c *contextmodel.ReqContext) response.Response {
if c.GetOrgRole() == org.RoleViewer && !s.Cfg.ViewersCanEdit {
return response.Error(http.StatusUnauthorized, "Failed to unstar query history", nil)
}
queryUID := web.Params(c.Req)[":uid"]
if len(queryUID) > 0 && !util.IsValidShortUID(queryUID) {
return response.Error(http.StatusNotFound, "Query in query history not found", nil)
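Review bot: Each new role guard (createHandler, searchHandler, deleteHandler, starHandler, unstarHandler) rejects an already-authenticated viewer with http.StatusUnauthorized, which signals a missing or invalid credential rather than a denied permission; `http.StatusForbidden` is the fitting status for a signed-in user who lacks the role, and clients that treat 401 as a session expiry would otherwise be misled into re-authenticating. If the status is changed, the `// 401: unauthorisedError` swagger lines above each handler need a matching `// 403: forbiddenError` entry so the documented responses stay accurate. The same three-line check is pasted into every handler; a single helper returning a `response.Response` (nil when access is allowed), or a role check registered once in registerAPIEndpoints next to the existing `middleware` import, would keep the policy in one place so a future handler cannot silently miss it — the hunk headed by patchCommentHandler at -150 suggests a further copy exists outside this view. Every handler body continues past its hunk, and the test mentioned in the description is in a file not shown here.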