From f68d2816ab6737de8b1d1c89aacf1b1c4e43d615 Mon Sep 17 00:00:00 2001
From: Daniel Lee
Date: Thu, 22 Jun 2017 01:23:36 +0200
Subject: [PATCH] dashfolders: security for png rendering
---
 pkg/api/render.go | 2 ++
 pkg/components/renderer/renderer.go | 5 ++++-
 pkg/middleware/render_auth.go | 5 +++--
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/pkg/api/render.go b/pkg/api/render.go
index 4dbead23524..f11b4d5b40b 100644
--- a/pkg/api/render.go
+++ b/pkg/api/render.go
@@ -18,6 +18,8 @@ func RenderToPng(c *middleware.Context) {
 Width: queryReader.Get("width", "800"),
 Height: queryReader.Get("height", "400"),
 OrgId: c.OrgId,
+ UserId: c.UserId,
+ OrgRole: c.OrgRole,
 Timeout: queryReader.Get("timeout", "30"),
 Timezone: queryReader.Get("tz", ""),
 }
diff --git a/pkg/components/renderer/renderer.go b/pkg/components/renderer/renderer.go
index c09c431a1df..99848e48456 100644
--- a/pkg/components/renderer/renderer.go
+++ b/pkg/components/renderer/renderer.go
@@ -15,6 +15,7 @@ import (
 "github.com/grafana/grafana/pkg/log"
 "github.com/grafana/grafana/pkg/middleware"
+ "github.com/grafana/grafana/pkg/models"
 "github.com/grafana/grafana/pkg/setting"
 "github.com/grafana/grafana/pkg/util"
 )
@@ -25,6 +26,8 @@ type RenderOpts struct {
 Height string
 Timeout string
 OrgId int64
+ UserId int64
+ OrgRole models.RoleType
 Timezone string
 }
@@ -72,7 +75,7 @@ func RenderToPng(params *RenderOpts) (string, error) {
 pngPath, _ := filepath.Abs(filepath.Join(setting.ImagesDir, util.GetRandomString(20)))
 pngPath = pngPath + ".png"
- renderKey := middleware.AddRenderAuthKey(params.OrgId)
+ renderKey := middleware.AddRenderAuthKey(params.OrgId, params.UserId, params.OrgRole)
 defer middleware.RemoveRenderAuthKey(renderKey)
 cmdArgs := []string{
diff --git a/pkg/middleware/render_auth.go b/pkg/middleware/render_auth.go
index 3a57660c9bf..d2f9c1b2b1a 100644
--- a/pkg/middleware/render_auth.go
+++ b/pkg/middleware/render_auth.go
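Review bot: In pkg/api/render.go the two added fields copy `c.UserId` and `c.OrgRole` straight from the request context, and nothing in the hunk shows what they hold when the request is not tied to a user account (for example API-key or anonymous access, where UserId is presumably 0). The render would then run with that role and a zero user id, so the permission checks this commit is meant to enable need a defined answer for that case. Once confirmed, I would record it next to the fields, e.g. `// UserId may be 0 for non-user auth; permissions then derive from OrgRole only`. The handler starts and ends outside the hunk.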
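Review bot: In pkg/components/renderer/renderer.go, a RenderOpts built without the new `UserId` and `OrgRole` fields now reaches `AddRenderAuthKey` with their zero values, whereas before this commit every render key was registered as `m.ROLE_VIEWER`. Only the API handler in pkg/api/render.go is updated in this patch, so any other caller of `renderer.RenderToPng` would silently get a key with no role; the same concern applies to the call in the RenderToPng hunk and to the assignment in pkg/middleware/render_auth.go. I would either document the fields as required, e.g. `// UserId and OrgRole must come from the authenticated request context, never from query parameters`, or fall back in AddRenderAuthKey with `if orgRole == "" { orgRole = m.ROLE_VIEWER }` (assuming RoleType is string-based). The struct starts outside the hunk.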
@@ -33,14 +33,15 @@ func initContextWithRenderAuth(ctx *Context) bool {
 type renderContextFunc func(key string) (string, error)
-func AddRenderAuthKey(orgId int64) string {
+func AddRenderAuthKey(orgId int64, userId int64, orgRole m.RoleType) string {
 renderKeysLock.Lock()
 key := util.GetRandomString(32)
 renderKeys[key] = &m.SignedInUser{
 OrgId: orgId,
- OrgRole: m.ROLE_VIEWER,
+ OrgRole: orgRole,
+ UserId: userId,
 }
 renderKeysLock.Unlock()
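Review bot: With `OrgRole: orgRole` replacing the fixed `m.ROLE_VIEWER`, the 32-character key stored in `renderKeys` becomes a bearer credential for the requesting user's full role, Admin included, for as long as the map entry exists. That raises the bar for how the key is generated and handled: confirm that `util.GetRandomString` draws from a cryptographic source, and that the key is not written to logs or exposed anywhere other local users can read while the renderer runs. A doc comment stating the contract would help, e.g. `// AddRenderAuthKey registers a short-lived key that authenticates the renderer as the given user and role; callers must remove it with RemoveRenderAuthKey.` Separately, `renderKeysLock.Unlock()` would be more robust as `defer renderKeysLock.Unlock()` placed directly after the Lock call. The function's end is outside the hunk.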