Role checking when saving dashboard, making sure that the user has owner or editor role

2025-02-25 18:55:37 -06:00 · 2015-01-16 15:28:44 +01:00
parent 22156fe309
commit 3912ed5023
317 changed files with 8218 additions and 206556 deletions
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -13,6 +13,7 @@ import (
 func Register(r *macaron.Macaron) {
 	reqSignedIn := middleware.Auth(&middleware.AuthOptions{ReqSignedIn: true})
 	reqGrafanaAdmin := middleware.Auth(&middleware.AuthOptions{ReqSignedIn: true, ReqGrafanaAdmin: true})
+	reqEditorRole := middleware.RoleAuth(m.ROLE_EDITOR, m.ROLE_OWNER)
 	bind := binding.Bind

 	// not logged in views
@@ -63,7 +64,7 @@ func Register(r *macaron.Macaron) {
 		// Dashboard
 		r.Group("/dashboard", func() {
 			r.Combo("/:slug").Get(GetDashboard).Delete(DeleteDashboard)
-			r.Post("/", bind(m.SaveDashboardCommand{}), PostDashboard)
+			r.Post("/", reqEditorRole, bind(m.SaveDashboardCommand{}), PostDashboard)
 		})
 		// Search
 		r.Get("/search/", Search)