Permissions: Validate against Team/User permission role update (#29101)

* validate against role field update * lowercase error string * make all msgs consistent style * fix wording Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * sayonara simple json Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2025-02-25 18:55:37 -06:00 · 2020-11-18 15:36:41 +01:00
parent 0cfb967404
commit 2939caf9a2
7 changed files with 86 additions and 4 deletions
--- a/pkg/api/dashboard_permission.go
+++ b/pkg/api/dashboard_permission.go
@@ -43,6 +43,10 @@ func GetDashboardPermissionList(c *models.ReqContext) Response {
 }

 func UpdateDashboardPermissions(c *models.ReqContext, apiCmd dtos.UpdateDashboardAclCommand) Response {
+	if err := validatePermissionsUpdate(apiCmd); err != nil {
+		return Error(400, err.Error(), err)
+	}
+
 	dashID := c.ParamsInt64(":dashboardId")

 	_, rsp := getDashboardHelper(c.OrgId, "", dashID, "")
@@ -93,3 +97,12 @@ func UpdateDashboardPermissions(c *models.ReqContext, apiCmd dtos.UpdateDashboar

 	return Success("Dashboard permissions updated")
 }
+
+func validatePermissionsUpdate(apiCmd dtos.UpdateDashboardAclCommand) error {
+	for _, item := range apiCmd.Items {
+		if (item.UserId > 0 || item.TeamId > 0) && item.Role != nil {
+			return models.ErrPermissionsWithRoleNotAllowed
+		}
+	}
+	return nil
+}