IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Restore dashboards: Add RBAC (#90270)

Browse Source 
* Restore dashboards: Add RBAC

* Add check to navtree

* Prevent non-admins from searching deleted dbs

* Add check to the route

* Cleanup

* Update translations

* Update API permissions

* Correct permissions

* Update warning message

* Update translation

* Return 401 for deleted query without admin role
This commit is contained in:
Alex Khomenko
2024-07-11 13:20:04 +03:00
committed by GitHub
parent c76b490c57
commit 62494248e3
8 changed files with 20 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/api/api.go
View File

@@ -170,7 +170,7 @@ func (hs *HTTPServer) registerRoutes() {
}
if hs.Features.IsEnabledGlobally(featuremgmt.FlagDashboardRestore) {
r.Get("/dashboard/recently-deleted", reqSignedIn, hs.Index)
r.Get("/dashboard/recently-deleted", reqOrgAdmin, hs.Index)
}
r.Get("/explore", authorize(ac.EvalPermission(ac.ActionDatasourcesExplore)), hs.Index)
@@ -477,8 +477,8 @@ func (hs *HTTPServer) registerRoutes() {
dashUidRoute.Get("/versions/:id", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion))
if hs.Features.IsEnabledGlobally(featuremgmt.FlagDashboardRestore) {
dashUidRoute.Patch("/trash", authorize(ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDeletedDashboard))
dashUidRoute.Delete("/trash", authorize(ac.EvalPermission(dashboards.ActionDashboardsDelete)), routing.Wrap(hs.HardDeleteDashboardByUID))
dashUidRoute.Patch("/trash", reqOrgAdmin, routing.Wrap(hs.RestoreDeletedDashboard))
dashUidRoute.Delete("/trash", reqOrgAdmin, routing.Wrap(hs.HardDeleteDashboardByUID))
}
dashUidRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) {

6
pkg/api/search.go
View File

@@ -4,6 +4,8 @@ import (
"net/http"
"strconv"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/api/response"
"github.com/grafana/grafana/pkg/infra/metrics"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
@@ -31,6 +33,10 @@ func (hs *HTTPServer) Search(c *contextmodel.ReqContext) response.Response {
deleted := c.Query("deleted")
permission := dashboardaccess.PERMISSION_VIEW
if deleted == "true" && c.SignedInUser.GetOrgRole() != org.RoleAdmin {
return response.Error(http.StatusUnauthorized, "Unauthorized", nil)
}
if limit > 5000 {
return response.Error(http.StatusUnprocessableEntity, "Limit is above maximum allowed (5000), use page parameter to access hits beyond limit", nil)
}