Alerting: Fix access to alerts for viewer with editor permissions when RBAC is disabled (#49270)

* Add folder edit permission for users with Viewer role * relax permissions required to create an alert when RBAC is disabled
2025-02-25 18:55:37 -06:00 · 2022-05-23 09:58:20 -04:00
parent c29e6fcb3a
commit 3dfafbadef
12 changed files with 61 additions and 35 deletions
--- a/pkg/services/ngalert/CHANGELOG.md
+++ b/pkg/services/ngalert/CHANGELOG.md
@@ -57,6 +57,7 @@ Scopes must have an order to ensure consistency and ease of search, this helps u
 - [BUGFIX] Migration: ignore alerts that do not belong to any existing organization\dashboard #49192
 - [BUGFIX] Allow anonymous access to alerts #49203 
 - [BUGFIX] RBAC: replace create\update\delete actions for notification policies by alert.notifications:write #49185
+- [BUGFIX] Fix access to alerts for Viewer role with editor permissions in folder #49270

 ## 8.5.3

--- a/pkg/services/ngalert/api/api_ruler.go
+++ b/pkg/services/ngalert/api/api_ruler.go
@@ -358,20 +358,21 @@ func (srv RulerSrv) updateAlertRulesInGroup(c *models.ReqContext, groupKey ngmod
 			return nil
 		}

-		authorizedChanges, err := authorizeRuleChanges(groupChanges, func(evaluator accesscontrol.Evaluator) bool {
-			return hasAccess(accesscontrol.ReqOrgAdminOrEditor, evaluator)
-		})
-		if err != nil {
-			return err
-		}
-
-		if authorizedChanges.isEmpty() {
-			logger.Info("no authorized changes detected in the request. Do nothing", "not_authorized_add", len(groupChanges.New), "not_authorized_update", len(groupChanges.Update), "not_authorized_delete", len(groupChanges.Delete))
-			return nil
-		}
-
-		if len(groupChanges.Delete) > len(authorizedChanges.Delete) {
-			logger.Info("user is not authorized to delete one or many rules in the group. those rules will be skipped", "expected", len(groupChanges.Delete), "authorized", len(authorizedChanges.Delete))
+		authorizedChanges := groupChanges // if RBAC is disabled the permission are limited to folder access that is done upstream
+		if !srv.ac.IsDisabled() {
+			authorizedChanges, err = authorizeRuleChanges(groupChanges, func(evaluator accesscontrol.Evaluator) bool {
+				return hasAccess(accesscontrol.ReqOrgAdminOrEditor, evaluator)
+			})
+			if err != nil {
+				return err
+			}
+			if authorizedChanges.isEmpty() {
+				logger.Info("no authorized changes detected in the request. Do nothing", "not_authorized_add", len(groupChanges.New), "not_authorized_update", len(groupChanges.Update), "not_authorized_delete", len(groupChanges.Delete))
+				return nil
+			}
+			if len(groupChanges.Delete) > len(authorizedChanges.Delete) {
+				logger.Info("user is not authorized to delete one or many rules in the group. those rules will be skipped", "expected", len(groupChanges.Delete), "authorized", len(authorizedChanges.Delete))
+			}
 		}

 		provenances, err := srv.provenanceStore.GetProvenances(c.Req.Context(), c.OrgId, (&ngmodels.AlertRule{}).ResourceType())
--- a/pkg/services/ngalert/api/authorization.go
+++ b/pkg/services/ngalert/api/authorization.go
@@ -49,6 +49,7 @@ func (api *API) authorize(method, path string) web.Handler {
 	case http.MethodGet + "/api/ruler/grafana/api/v1/rules":
 		eval = ac.EvalPermission(ac.ActionAlertingRuleRead)
 	case http.MethodPost + "/api/ruler/grafana/api/v1/rules/{Namespace}":
+		fallback = middleware.ReqSignedIn // if RBAC is disabled then we need to delegate permission check to folder because its permissions can allow editing for Viewer role
 		scope := dashboards.ScopeFoldersProvider.GetResourceScopeName(ac.Parameter(":Namespace"))
 		// more granular permissions are enforced by the handler via "authorizeRuleChanges"
 		eval = ac.EvalAny(