Plugins Catalog: Only allow admins to access plugins catalog (#57101)

* feat(plugins-catalog): only allow admins to access plugins catalog routes * add backend check * fix(plugins-catalog): update route role access to include server admins Co-authored-by: Will Browne <will.browne@grafana.com>
2024-12-28 01:41:24 -06:00 · 2022-11-30 09:41:28 +01:00 · 2022-11-30 09:41:28 +01:00 · 207b2993b2
commit 207b2993b2
parent c72322874d
3 changed files with 17 additions and 4 deletions
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@ -117,10 +117,10 @@ func (hs *HTTPServer) registerRoutes() {
 	r.Get("/live/pipeline", reqGrafanaAdmin, hs.Index)
 	r.Get("/live/cloud", reqGrafanaAdmin, hs.Index)

-	r.Get("/plugins", reqSignedIn, hs.Index)
-	r.Get("/plugins/:id/", reqSignedIn, hs.Index)
-	r.Get("/plugins/:id/edit", reqSignedIn, hs.Index) // deprecated
-	r.Get("/plugins/:id/page/:page", reqSignedIn, hs.Index)
+	r.Get("/plugins", middleware.CanAdminPlugins(hs.Cfg), hs.Index)
+	r.Get("/plugins/:id/", middleware.CanAdminPlugins(hs.Cfg), hs.Index)
+	r.Get("/plugins/:id/edit", middleware.CanAdminPlugins(hs.Cfg), hs.Index) // deprecated
+	r.Get("/plugins/:id/page/:page", middleware.CanAdminPlugins(hs.Cfg), hs.Index)
 	// App Root Page
 	appPluginIDScope := plugins.ScopeProvider.GetResourceScope(ac.Parameter(":id"))
 	r.Get("/a/:id/*", authorize(reqSignedIn, ac.EvalPermission(plugins.ActionAppAccess, appPluginIDScope)), hs.Index)
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@ -10,6 +10,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/db"
 	"github.com/grafana/grafana/pkg/middleware/cookies"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/services/auth"
 	"github.com/grafana/grafana/pkg/services/dashboards"
 	"github.com/grafana/grafana/pkg/services/org"
@ -86,6 +87,15 @@ func EnsureEditorOrViewerCanEdit(c *models.ReqContext) {
 	}
 }

+func CanAdminPlugins(cfg *setting.Cfg) func(c *models.ReqContext) {
+	return func(c *models.ReqContext) {
+		if !plugins.ReqCanAdminPlugins(cfg)(c) {
+			accessForbidden(c)
+			return
+		}
+	}
+}
+
 func RoleAuth(roles ...org.RoleType) web.Handler {
 	return func(c *models.ReqContext) {
 		ok := false
--- a/public/app/features/plugins/admin/routes.tsx
+++ b/public/app/features/plugins/admin/routes.tsx
@ -10,18 +10,21 @@ const DEFAULT_ROUTES = [
  {
    path: '/plugins',
    navId: 'plugins',
+    roles: () => ['Admin', 'ServerAdmin'],
    routeName: PluginAdminRoutes.Home,
    component: SafeDynamicImport(() => import(/* webpackChunkName: "PluginListPage" */ './pages/Browse')),
  },
  {
    path: '/plugins/browse',
    navId: 'plugins',
+    roles: () => ['Admin', 'ServerAdmin'],
    routeName: PluginAdminRoutes.Browse,
    component: SafeDynamicImport(() => import(/* webpackChunkName: "PluginListPage" */ './pages/Browse')),
  },
  {
    path: '/plugins/:pluginId/',
    navId: 'plugins',
+    roles: () => ['Admin', 'ServerAdmin'],
    routeName: PluginAdminRoutes.Details,
    component: SafeDynamicImport(() => import(/* webpackChunkName: "PluginPage" */ './pages/PluginDetails')),
  },