Auth: Lock down Grafana admin role updates if the role is externally synced (#72677)

* lock down server admin role updates on the frontend if the user is externally synced

* add tests

* lock Grafana Server admin role updates from the backend

* rename variables

* check that the user has auth info

* add LDAP to providers for which Grafana Server admin role can be synced

* linting
Ieva
2023-08-01 16:39:08 +01:00
committed by GitHub
parent d28bb03ebc
commit d3b481dac8
9 changed files with 300 additions and 18 deletions


@ -167,6 +167,17 @@ func (hs *HTTPServer) AdminUpdateUserPermissions(c *contextmodel.ReqContext) res
return response.Error(http.StatusBadRequest, "id is invalid", err)
}
getAuthQuery := login.GetAuthInfoQuery{UserId: userID}
if authInfo, err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil && authInfo != nil {
oAuthAndAllowAssignGrafanaAdmin := false
if oauthInfo := hs.SocialService.GetOAuthInfoProvider(strings.TrimPrefix(authInfo.AuthModule, "oauth_")); oauthInfo != nil {
oAuthAndAllowAssignGrafanaAdmin = oauthInfo.AllowAssignGrafanaAdmin
}
if login.IsGrafanaAdminExternallySynced(hs.Cfg, authInfo.AuthModule, oAuthAndAllowAssignGrafanaAdmin) {
return response.Error(http.StatusForbidden, "Cannot change Grafana Admin role for externally synced user", nil)
}
}
err = hs.userService.UpdatePermissions(c.Req.Context(), userID, form.IsGrafanaAdmin)
if err != nil {
if errors.Is(err, user.ErrLastGrafanaAdmin) {