RBAC: Allow app plugins access restriction (#51524)

* RBAC: Allow app plugins restriction Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fix tests * Imports * WIP * Adding RBAC to AppPluginsRoutes * Switching middleware order * Restrict access to resources * Nit * Cosmetic changes * Fix fallback * Moving declaration to HttpServer Co-Authored-By: marefr <marcus.efraimsson@gmail.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com>
2025-02-25 18:55:37 -06:00 · 2022-07-08 13:24:09 +02:00
parent 0c33b9f211
commit 5975c4bc6d
8 changed files with 76 additions and 15 deletions
--- a/pkg/api/app_routes.go
+++ b/pkg/api/app_routes.go
@@ -13,6 +13,7 @@ import (
 	"github.com/grafana/grafana/pkg/middleware"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
+	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/grafana/grafana/pkg/web"
 )
@@ -42,6 +43,11 @@ func (hs *HTTPServer) initAppPluginRoutes(r *web.Mux) {
 				ReqSignedIn: true,
 			}))

+			// Preventing access to plugin routes if the user has no right to access the plugin
+			authorize := ac.Middleware(hs.AccessControl)
+			handlers = append(handlers, authorize(middleware.ReqSignedIn,
+				ac.EvalPermission(plugins.ActionAppAccess, plugins.ScopeProvider.GetResourceScope(plugin.ID))))
+
 			if route.ReqRole != "" {
 				if route.ReqRole == models.ROLE_ADMIN {
 					handlers = append(handlers, middleware.RoleAuth(models.ROLE_ADMIN))
@@ -49,6 +55,7 @@ func (hs *HTTPServer) initAppPluginRoutes(r *web.Mux) {
 					handlers = append(handlers, middleware.RoleAuth(models.ROLE_EDITOR, models.ROLE_ADMIN))
 				}
 			}
+
 			handlers = append(handlers, AppPluginRoute(route, plugin.ID, hs))
 			for _, method := range strings.Split(route.Method, ",") {
 				r.Handle(strings.TrimSpace(method), url, handlers)