Alerting: fix bug where user is able to access rules from namespaces user is not part of (#41403)

* Add fix * Add tests Co-authored-by: Yuriy Tseretyan <yuriy.tseretyan@grafana.com> Co-authored-by: Armand Grillet <2117580+armandgrillet@users.noreply.github.com> Co-authored-by: Jean-Philippe Quéméner <JohnnyQQQQ@users.noreply.github.com> Co-authored-by: George Robinson <george.robinson@grafana.com>
2025-02-25 18:55:37 -06:00 · 2021-11-08 13:26:08 +00:00
parent 9d82111a1a
commit 6220872633
4 changed files with 55 additions and 1 deletions
--- a/pkg/tests/api/alerting/api_ruler_test.go
+++ b/pkg/tests/api/alerting/api_ruler_test.go
@@ -245,6 +245,24 @@ func TestAlertRulePermissions(t *testing.T) {
 		}`
 		assert.JSONEq(t, expectedGetNamespaceResponseBody, body)
 	}
+
+	// Remove permissions from ALL folders.
+	require.NoError(t, store.UpdateDashboardACL(1, nil))
+	{
+		u := fmt.Sprintf("http://grafana:password@%s/api/ruler/grafana/api/v1/rules", grafanaListedAddr)
+		// nolint:gosec
+		resp, err := http.Get(u)
+		require.NoError(t, err)
+		t.Cleanup(func() {
+			err := resp.Body.Close()
+			require.NoError(t, err)
+		})
+		b, err := ioutil.ReadAll(resp.Body)
+		require.NoError(t, err)
+
+		assert.Equal(t, resp.StatusCode, 200)
+		require.JSONEq(t, `{}`, string(b))
+	}
 }

 func createRule(t *testing.T, grafanaListedAddr string, folder string, user, password string) {