AccessControl: Protect /datasources endpoints consistently with NavLinks permissions (#39319)

2025-02-25 18:55:37 -06:00 · 2021-09-22 13:50:21 +02:00
parent eb2e1197e9
commit 1d56c32ab0
3 changed files with 29 additions and 13 deletions
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -53,9 +53,9 @@ func (hs *HTTPServer) registerRoutes() {
 	r.Get("/profile/switch-org/:id", reqSignedInNoAnonymous, hs.ChangeActiveOrgAndRedirectToHome)
 	r.Get("/org/", reqOrgAdmin, hs.Index)
 	r.Get("/org/new", reqGrafanaAdmin, hs.Index)
-	r.Get("/datasources/", authorize(reqOrgAdmin, ac.EvalPermission(ActionDatasourcesRead)), hs.Index)
-	r.Get("/datasources/new", authorize(reqOrgAdmin, ac.EvalPermission(ActionDatasourcesCreate)), hs.Index)
-	r.Get("/datasources/edit/*", authorize(reqOrgAdmin, ac.EvalPermission(ActionDatasourcesRead)), hs.Index)
+	r.Get("/datasources/", authorize(reqOrgAdmin, dataSourcesConfigurationAccessEvaluator), hs.Index)
+	r.Get("/datasources/new", authorize(reqOrgAdmin, dataSourcesNewAccessEvaluator), hs.Index)
+	r.Get("/datasources/edit/*", authorize(reqOrgAdmin, dataSourcesEditAccessEvaluator), hs.Index)
 	r.Get("/org/users", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionOrgUsersRead, ac.ScopeUsersAll)), hs.Index)
 	r.Get("/org/users/new", reqOrgAdmin, hs.Index)
 	r.Get("/org/users/invite", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionUsersCreate)), hs.Index)
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@@ -18,16 +18,6 @@ const (
 	darkName  = "dark"
 )

-// dataSourcesConfigurationAccessEvaluator is used to protect the "Configure > Data sources" tab access
-var dataSourcesConfigurationAccessEvaluator = ac.EvalAll(
-	ac.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll),
-	ac.EvalAny(
-		ac.EvalPermission(ActionDatasourcesCreate),
-		ac.EvalPermission(ActionDatasourcesDelete),
-		ac.EvalPermission(ActionDatasourcesWrite),
-	),
-)
-
 func (hs *HTTPServer) getProfileNode(c *models.ReqContext) *dtos.NavLink {
 	// Only set login if it's different from the name
 	var login string
--- a/pkg/api/roles.go
+++ b/pkg/api/roles.go
@@ -90,3 +90,29 @@ func (hs *HTTPServer) declareFixedRoles() error {

 	return hs.AccessControl.DeclareFixedRoles(registrations...)
 }
+
+// Evaluators
+// here is the list of complex evaluators we use in this package
+
+// dataSourcesConfigurationAccessEvaluator is used to protect the "Configure > Data sources" tab access
+var dataSourcesConfigurationAccessEvaluator = accesscontrol.EvalAll(
+	accesscontrol.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll),
+	accesscontrol.EvalAny(
+		accesscontrol.EvalPermission(ActionDatasourcesCreate),
+		accesscontrol.EvalPermission(ActionDatasourcesDelete),
+		accesscontrol.EvalPermission(ActionDatasourcesWrite),
+	),
+)
+
+// dataSourcesNewAccessEvaluator is used to protect the "Configure > Data sources > New" page access
+var dataSourcesNewAccessEvaluator = accesscontrol.EvalAll(
+	accesscontrol.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll),
+	accesscontrol.EvalPermission(ActionDatasourcesCreate),
+	accesscontrol.EvalPermission(ActionDatasourcesWrite),
+)
+
+// dataSourcesEditAccessEvaluator is used to protect the "Configure > Data sources > Edit" page access
+var dataSourcesEditAccessEvaluator = accesscontrol.EvalAll(
+	accesscontrol.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll),
+	accesscontrol.EvalPermission(ActionDatasourcesWrite),
+)