Folders: Forbid performing operations on folders via dashboards HTTP API (#81264)

* Forbid creating folders via dashboard api * Update delete endpoint * Update docs
2025-02-25 18:55:37 -06:00 · 2024-02-04 01:16:19 +01:00 · 2024-02-04 01:16:19 +01:00 · 14a36b4040
commit 14a36b4040
parent bd0fd21852
4 changed files with 13 additions and 2 deletions
--- a/docs/sources/developers/http_api/dashboard.md
+++ b/docs/sources/developers/http_api/dashboard.md
@ -37,6 +37,8 @@ The uid can have a maximum length of 40 characters.
 Creates a new dashboard or updates an existing dashboard. When updating existing dashboards, if you do not define the `folderId` or the `folderUid` property, then the dashboard(s) are moved to the root level. (You need to define only one property, not both).
 > **Note:** This endpoint is not intended for creating folders, use `POST /api/folders` for that.
 **Required permissions**
 See note in the [introduction]({{< ref "#dashboard-api" >}}) for an explanation.
--- a/pkg/api/dashboard.go
+++ b/pkg/api/dashboard.go
@ -303,6 +303,10 @@ func (hs *HTTPServer) deleteDashboard(c *contextmodel.ReqContext) response.Respo
 		return dashboardGuardianResponse(err)
 	}
 	if dash.IsFolder {
 		return response.Error(http.StatusBadRequest, "Use folders endpoint for deleting folders.", nil)
 	}
 	namespaceID, userIDStr := c.SignedInUser.GetNamespacedID()
 	// disconnect all library elements for this dashboard
@ -356,6 +360,7 @@ func (hs *HTTPServer) deleteDashboard(c *contextmodel.ReqContext) response.Respo
 // Create / Update dashboard
 //
 // Creates a new dashboard or updates an existing dashboard.
 // Note: This endpoint is not intended for creating folders, use `POST /api/folders` for that.
 //
 // Responses:
 // 200: postDashboardResponse
@ -375,6 +380,10 @@ func (hs *HTTPServer) PostDashboard(c *contextmodel.ReqContext) response.Respons
 }
 func (hs *HTTPServer) postDashboard(c *contextmodel.ReqContext, cmd dashboards.SaveDashboardCommand) response.Response {
 	if cmd.IsFolder {
 		return response.Error(http.StatusBadRequest, "Use folders endpoint for saving folders.", nil)
 	}
 	ctx := c.Req.Context()
 	var err error
--- a/public/api-merged.json
+++ b/public/api-merged.json
@ -3015,7 +3015,7 @@
    },
    "/dashboards/db": {
      "post": {
-        "description": "Creates a new dashboard or updates an existing dashboard.",
+        "description": "Creates a new dashboard or updates an existing dashboard.\nNote: This endpoint is not intended for creating folders, use `POST /api/folders` for that.",
        "tags": [
          "dashboards"
        ],
--- a/public/openapi3.json
+++ b/public/openapi3.json
@ -16107,7 +16107,7 @@
    },
    "/dashboards/db": {
      "post": {
-        "description": "Creates a new dashboard or updates an existing dashboard.",
+        "description": "Creates a new dashboard or updates an existing dashboard.\nNote: This endpoint is not intended for creating folders, use `POST /api/folders` for that.",
        "operationId": "postDashboard",
        "requestBody": {
          "content": {