From 14a36b4040a6609c21bcc4cd249ec047c05c274b Mon Sep 17 00:00:00 2001
From: Tania <10127682+undef1nd@users.noreply.github.com>
Date: Sun, 4 Feb 2024 01:16:19 +0100
Subject: [PATCH] Folders: Forbid performing operations on folders via dashboards HTTP API (#81264)
* Forbid creating folders via dashboard api
* Update delete endpoint
* Update docs
---
 docs/sources/developers/http_api/dashboard.md | 2 ++
 pkg/api/dashboard.go | 9 +++++++++
 public/api-merged.json | 2 +-
 public/openapi3.json | 2 +-
 4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/docs/sources/developers/http_api/dashboard.md b/docs/sources/developers/http_api/dashboard.md
index 05dcb8294c4..c818e470929 100644
--- a/docs/sources/developers/http_api/dashboard.md
+++ b/docs/sources/developers/http_api/dashboard.md
@@ -37,6 +37,8 @@ The uid can have a maximum length of 40 characters. Creates a new dashboard or updates an existing dashboard. When updating existing dashboards, if you do not define the `folderId` or the `folderUid` property, then the dashboard(s) are moved to the root level. (You need to define only one property, not both). +> **Note:** This endpoint is not intended for creating folders, use `POST /api/folders` for that. + **Required permissions** See note in the [introduction]({{< ref "#dashboard-api" >}}) for an explanation.
diff --git a/pkg/api/dashboard.go b/pkg/api/dashboard.go
index 6a9e23471a0..1462e330b32 100644
--- a/pkg/api/dashboard.go
+++ b/pkg/api/dashboard.go
@@ -303,6 +303,10 @@ func (hs *HTTPServer) deleteDashboard(c *contextmodel.ReqContext) response.Respo
 return dashboardGuardianResponse(err)
 }
+ if dash.IsFolder {
+ return response.Error(http.StatusBadRequest, "Use folders endpoint for deleting folders.", nil)
+ }
+
 namespaceID, userIDStr := c.SignedInUser.GetNamespacedID()
 // disconnect all library elements for this dashboard
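Review bot: The new `dash.IsFolder` rejection in deleteDashboard ships without a test: the diffstat lists only the docs page, pkg/api/dashboard.go and the two API spec files, so nothing pins the 400 for a folder UID. Placing the check after the guardian error return looks right, since a caller without access gets the permission response before learning the object is a folder (inferred; the guardian call is above the hunk). The docs change covers only the create/update endpoint, so the delete section would benefit from a matching line such as `> **Note:** This endpoint is not intended for deleting folders, use the folders API for that.` deleteDashboard starts and continues outside the hunk.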
@@ -356,6 +360,7 @@ func (hs *HTTPServer) deleteDashboard(c *contextmodel.ReqContext) response.Respo
 // Create / Update dashboard
 //
 // Creates a new dashboard or updates an existing dashboard.
+// Note: This endpoint is not intended for creating folders, use `POST /api/folders` for that.
 //
 // Responses:
 // 200: postDashboardResponse
@@ -375,6 +380,10 @@ func (hs *HTTPServer) PostDashboard(c *contextmodel.ReqContext) response.Respons
 }
 func (hs *HTTPServer) postDashboard(c *contextmodel.ReqContext, cmd dashboards.SaveDashboardCommand) response.Response {
+ if cmd.IsFolder {
+ return response.Error(http.StatusBadRequest, "Use folders endpoint for saving folders.", nil)
+ }
+
 ctx := c.Req.Context()
 var err error
diff --git a/public/api-merged.json b/public/api-merged.json
index cf63087e3d5..6113e8c08c3 100644
--- a/public/api-merged.json
+++ b/public/api-merged.json
@@ -3015,7 +3015,7 @@ }, "/dashboards/db": { "post": { - "description": "Creates a new dashboard or updates an existing dashboard.", + "description": "Creates a new dashboard or updates an existing dashboard.\nNote: This endpoint is not intended for creating folders, use `POST /api/folders` for that.", "tags": [ "dashboards" ],
diff --git a/public/openapi3.json b/public/openapi3.json
index f35dd5acd7f..a5211471ca0 100644
--- a/public/openapi3.json
+++ b/public/openapi3.json
@@ -16107,7 +16107,7 @@ }, "/dashboards/db": { "post": { - "description": "Creates a new dashboard or updates an existing dashboard.", + "description": "Creates a new dashboard or updates an existing dashboard.\nNote: This endpoint is not intended for creating folders, use `POST /api/folders` for that.", "operationId": "postDashboard", "requestBody": { "content": {
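Review bot: The guard at the top of postDashboard (pkg/api/dashboard.go, hunk at -375) trusts the request-supplied `cmd.IsFolder`, so it only refuses saves that declare themselves folders; whether a save aimed at an existing folder's UID with the flag unset is still refused depends on validation outside this hunk. A handler test for that case, next to one asserting the new 400, would show the restriction holds regardless of how the flag is set. The swagger comment in the preceding hunk shows only `200: postDashboardResponse` under `Responses:`; if the 400 is not already listed further down, add it so generated clients see the new error. postDashboard's body continues outside the hunk.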