dasboard_history: security fix, added orgId filter to dashboard version lookup

2024-11-23 09:26:43 -06:00 · 2017-06-07 14:21:40 +02:00 · 2017-06-07 14:21:40 +02:00 · 46412c8475
commit 46412c8475
parent 3ba8aeb9a7
4 changed files with 25 additions and 52 deletions
--- a/pkg/api/dashboard.go
+++ b/pkg/api/dashboard.go
@ -346,6 +346,9 @@ func CalculateDashboardDiff(c *middleware.Context, apiOptions dtos.CalculateDiff

 	result, err := dashdiffs.CalculateDiff(&options)
 	if err != nil {
+		if err == m.ErrDashboardVersionNotFound {
+			return ApiError(404, "Dashboard version not found", err)
+		}
 		return ApiError(500, "Unable to compute diff", err)
 	}

--- a/pkg/components/dashdiffs/compare.go
+++ b/pkg/components/dashdiffs/compare.go
@ -65,6 +65,7 @@ func CalculateDiff(options *Options) (*Result, error) {
 	baseVersionQuery := models.GetDashboardVersionQuery{
 		DashboardId: options.Base.DashboardId,
 		Version:     options.Base.Version,
+		OrgId:       options.OrgId,
 	}

 	if err := bus.Dispatch(&baseVersionQuery); err != nil {
@ -74,6 +75,7 @@ func CalculateDiff(options *Options) (*Result, error) {
 	newVersionQuery := models.GetDashboardVersionQuery{
 		DashboardId: options.New.DashboardId,
 		Version:     options.New.Version,
+		OrgId:       options.OrgId,
 	}

 	if err := bus.Dispatch(&newVersionQuery); err != nil {
--- a/pkg/services/sqlstore/dashboard_version.go
+++ b/pkg/services/sqlstore/dashboard_version.go
@ -10,15 +10,22 @@ func init() {
 	bus.AddHandler("sql", GetDashboardVersions)
 }

-// GetDashboardVersion gets the dashboard version for the given dashboard ID
-// and version number.
+// GetDashboardVersion gets the dashboard version for the given dashboard ID and version number.
 func GetDashboardVersion(query *m.GetDashboardVersionQuery) error {
-	result, err := getDashboardVersion(query.DashboardId, query.Version)
+	version := m.DashboardVersion{}
+	has, err := x.Where("dashboard_version.dashboard_id=? AND dashboard_version.version=? AND dashboard.org_id=?", query.DashboardId, query.Version, query.OrgId).
+		Join("LEFT", "dashboard", `dashboard.id = dashboard_version.dashboard_id`).
+		Get(&version)
+
 	if err != nil {
 		return err
 	}

-	query.Result = result
+	if !has {
+		return m.ErrDashboardVersionNotFound
+	}
+
+	query.Result = &version
 	return nil
 }

@ -50,33 +57,3 @@ func GetDashboardVersions(query *m.GetDashboardVersionsQuery) error {
 	}
 	return nil
 }
-
-// getDashboardVersion is a helper function that gets the dashboard version for
-// the given dashboard ID and version ID.
-func getDashboardVersion(dashboardId int64, version int) (*m.DashboardVersion, error) {
-	dashboardVersion := m.DashboardVersion{}
-	has, err := x.Where("dashboard_id=? AND version=?", dashboardId, version).Get(&dashboardVersion)
-	if err != nil {
-		return nil, err
-	}
-	if !has {
-		return nil, m.ErrDashboardVersionNotFound
-	}
-
-	dashboardVersion.Data.Set("id", dashboardVersion.DashboardId)
-	return &dashboardVersion, nil
-}
-
-// getDashboard gets a dashboard by ID. Used for retrieving the dashboard
-// associated with dashboard versions.
-func getDashboard(dashboardId int64) (*m.Dashboard, error) {
-	dashboard := m.Dashboard{Id: dashboardId}
-	has, err := x.Get(&dashboard)
-	if err != nil {
-		return nil, err
-	}
-	if has == false {
-		return nil, m.ErrDashboardNotFound
-	}
-	return &dashboard, nil
-}
--- a/pkg/services/sqlstore/logger.go
+++ b/pkg/services/sqlstore/logger.go
@ -23,67 +23,59 @@ func NewXormLogger(level glog.Lvl, grafanaLog glog.Logger) *XormLogger {
 }

 // Error implement core.ILogger
-func (s *XormLogger) Err(v ...interface{}) error {
+func (s *XormLogger) Error(v ...interface{}) {
 	if s.level <= glog.LvlError {
 		s.grafanaLog.Error(fmt.Sprint(v...))
 	}
-	return nil
 }

 // Errorf implement core.ILogger
-func (s *XormLogger) Errf(format string, v ...interface{}) error {
+func (s *XormLogger) Errorf(format string, v ...interface{}) {
 	if s.level <= glog.LvlError {
 		s.grafanaLog.Error(fmt.Sprintf(format, v...))
 	}
-	return nil
 }

 // Debug implement core.ILogger
-func (s *XormLogger) Debug(v ...interface{}) error {
+func (s *XormLogger) Debug(v ...interface{}) {
 	if s.level <= glog.LvlDebug {
 		s.grafanaLog.Debug(fmt.Sprint(v...))
 	}
-	return nil
 }

 // Debugf implement core.ILogger
-func (s *XormLogger) Debugf(format string, v ...interface{}) error {
+func (s *XormLogger) Debugf(format string, v ...interface{}) {
 	if s.level <= glog.LvlDebug {
 		s.grafanaLog.Debug(fmt.Sprintf(format, v...))
 	}
-	return nil
 }

 // Info implement core.ILogger
-func (s *XormLogger) Info(v ...interface{}) error {
+func (s *XormLogger) Info(v ...interface{}) {
 	if s.level <= glog.LvlInfo {
 		s.grafanaLog.Info(fmt.Sprint(v...))
 	}
-	return nil
 }

 // Infof implement core.ILogger
-func (s *XormLogger) Infof(format string, v ...interface{}) error {
+func (s *XormLogger) Infof(format string, v ...interface{}) {
 	if s.level <= glog.LvlInfo {
 		s.grafanaLog.Info(fmt.Sprintf(format, v...))
 	}
-	return nil
 }

 // Warn implement core.ILogger
-func (s *XormLogger) Warning(v ...interface{}) error {
+func (s *XormLogger) Warn(v ...interface{}) {
 	if s.level <= glog.LvlWarn {
 		s.grafanaLog.Warn(fmt.Sprint(v...))
 	}
-	return nil
 }

 // Warnf implement core.ILogger
-func (s *XormLogger) Warningf(format string, v ...interface{}) error {
+func (s *XormLogger) Warnf(format string, v ...interface{}) {
 	if s.level <= glog.LvlWarn {
 		s.grafanaLog.Warn(fmt.Sprintf(format, v...))
 	}
-	return nil
 }

 // Level implement core.ILogger
@ -103,8 +95,7 @@ func (s *XormLogger) Level() core.LogLevel {
 }

 // SetLevel implement core.ILogger
-func (s *XormLogger) SetLevel(l core.LogLevel) error {
-	return nil
+func (s *XormLogger) SetLevel(l core.LogLevel) {
 }

 // ShowSQL implement core.ILogger