AccessControl: Protect org users lookup (#38981)

* Move legacy accesscontrol to middleware layer * Remove bus usage for this endpoint * Add tests for legacy accesscontrol * Fix tests for org user and remove one more bus usage * Added test for FolderAdmin as suggested in the review
2025-02-25 18:55:37 -06:00 · 2021-09-17 09:19:36 +02:00
parent f8de33da8d
commit 4be9ec8f72
4 changed files with 205 additions and 92 deletions
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@@ -11,6 +11,7 @@ import (

 	"github.com/grafana/grafana/pkg/middleware/cookies"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/sqlstore"
 	"github.com/grafana/grafana/pkg/setting"
 )

@@ -188,3 +189,29 @@ func shouldForceLogin(c *models.ReqContext) bool {

 	return forceLogin
 }
+
+func OrgAdminFolderAdminOrTeamAdmin(c *models.ReqContext) {
+	if c.OrgRole == models.ROLE_ADMIN {
+		return
+	}
+
+	hasAdminPermissionInFoldersQuery := models.HasAdminPermissionInFoldersQuery{SignedInUser: c.SignedInUser}
+	if err := sqlstore.HasAdminPermissionInFolders(&hasAdminPermissionInFoldersQuery); err != nil {
+		c.JsonApiErr(500, "Failed to check if user is a folder admin", err)
+	}
+
+	if hasAdminPermissionInFoldersQuery.Result {
+		return
+	}
+
+	isAdminOfTeamsQuery := models.IsAdminOfTeamsQuery{SignedInUser: c.SignedInUser}
+	if err := sqlstore.IsAdminOfTeams(&isAdminOfTeamsQuery); err != nil {
+		c.JsonApiErr(500, "Failed to check if user is a team admin", err)
+	}
+
+	if isAdminOfTeamsQuery.Result {
+		return
+	}
+
+	accessForbidden(c)
+}