check that the user has RBAC permissions to save dashboard annotation (#47882)

2025-02-25 18:55:37 -06:00 · 2022-04-20 08:43:42 +01:00
parent 39d3c8afd7
commit 1588cd393a
2 changed files with 46 additions and 54 deletions
--- a/pkg/api/annotations_test.go
+++ b/pkg/api/annotations_test.go
@@ -615,6 +615,18 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
 			},
 			want: http.StatusForbidden,
 		},
+		{
+			name: "AccessControl create dashboard annotation with incorrect permissions is forbidden",
+			args: args{
+				permissions: []*accesscontrol.Permission{{
+					Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeOrganization,
+				}},
+				url:    "/api/annotations",
+				method: http.MethodPost,
+				body:   mockRequestBody(postDashboardCmd),
+			},
+			want: http.StatusForbidden,
+		},
 		{
 			name: "AccessControl create organization annotation with permissions is allowed",
 			args: args{