From 64800f293e73fe22ea50118707ef730502287eee Mon Sep 17 00:00:00 2001 From: Karl Persson <23356117+kalleep@users.noreply.github.com> Date: Wed, 5 Feb 2025 15:06:38 +0100 Subject: [PATCH] Authz: Check for parent uid instead of id (#100121) * Check for parent uid instead of id --- pkg/services/dashboards/service/dashboard_service.go | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/pkg/services/dashboards/service/dashboard_service.go b/pkg/services/dashboards/service/dashboard_service.go index d85fb8ed692..19333ba137d 100644 --- a/pkg/services/dashboards/service/dashboard_service.go +++ b/pkg/services/dashboards/service/dashboard_service.go @@ -13,6 +13,7 @@ import ( "github.com/google/uuid" "github.com/prometheus/client_golang/prometheus" "go.opentelemetry.io/otel" + "golang.org/x/exp/slices" "golang.org/x/sync/errgroup" apierrors "k8s.io/apimachinery/pkg/api/errors" @@ -989,10 +990,8 @@ func (dr *DashboardServiceImpl) setDefaultPermissions(ctx context.Context, dto * } metrics.MFolderIDsServiceCount.WithLabelValues(metrics.Dashboard).Inc() - // nolint:staticcheck - inFolder := dash.FolderID > 0 - var permissions []accesscontrol.SetResourcePermissionCommand + var permissions []accesscontrol.SetResourcePermissionCommand if !provisioned && dto.User.IsIdentityType(claims.TypeUser, claims.TypeServiceAccount) { userID, err := dto.User.GetInternalID() if err != nil { @@ -1004,7 +1003,7 @@ func (dr *DashboardServiceImpl) setDefaultPermissions(ctx context.Context, dto * } } - if !inFolder { + if dash.FolderUID == "" { permissions = append(permissions, []accesscontrol.SetResourcePermissionCommand{ {BuiltinRole: string(org.RoleEditor), Permission: dashboardaccess.PERMISSION_EDIT.String()}, {BuiltinRole: string(org.RoleViewer), Permission: dashboardaccess.PERMISSION_VIEW.String()}, 
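Review bot: The added import `golang.org/x/exp/slices` has no use in any hunk of this patch and is unrelated to the parent-UID change named in the subject. Go rejects unused imports, so the file presumably already calls `slices.` somewhere outside the hunks; if this line is a build fix, the commit message should say so. If the module's Go version is 1.21 or later, the standard-library `"slices"` package would avoid pulling an experimental module with no compatibility promise into an authorization path; confirm that before keeping the `x/exp` import.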
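Review bot: The context line `metrics.MFolderIDsServiceCount.WithLabelValues(metrics.Dashboard).Inc()` still runs, although this hunk removes the only read of `dash.FolderID` visible here. If that counter tracks remaining uses of the legacy numeric folder ID, as its name suggests, it now over-counts and should be removed together with the `// nolint:staticcheck` line. setDefaultPermissions starts and ends outside the hunk, so another `FolderID` read may remain out of view.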
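Review bot: `if dash.FolderUID == "" {` fails open: a dashboard whose `FolderUID` was never populated is treated as top-level and receives the org-wide Editor and Viewer grants instead of relying on its folder's permissions. The change is therefore only safe if every caller that saves into a folder sets `FolderUID`, which is not visible from this hunk. I would add a comment such as `// Top-level dashboards only: callers must set FolderUID for dashboards saved into a folder, otherwise org-wide defaults are granted.` and a test for a dashboard with `FolderID` set and `FolderUID` empty. It is also worth confirming that no sentinel UID for the root folder can reach this check, since a non-empty value would skip the defaults.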
@@ -1025,9 +1024,7 @@ func (dr *DashboardServiceImpl) setDefaultFolderPermissions(ctx context.Context, return } - inFolder := f.ParentUID != "" var permissions []accesscontrol.SetResourcePermissionCommand - if !provisioned && cmd.SignedInUser.IsIdentityType(claims.TypeUser) { userID, err := cmd.SignedInUser.GetInternalID() if err != nil { @@ -1039,7 +1036,7 @@ func (dr *DashboardServiceImpl) setDefaultFolderPermissions(ctx context.Context, } } - if !inFolder { + if f.ParentUID == "" { permissions = append(permissions, []accesscontrol.SetResourcePermissionCommand{ {BuiltinRole: string(org.RoleEditor), Permission: dashboardaccess.PERMISSION_EDIT.String()}, {BuiltinRole: string(org.RoleViewer), Permission: dashboardaccess.PERMISSION_VIEW.String()},
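Review bot: The creator grant in setDefaultFolderPermissions is gated on `cmd.SignedInUser.IsIdentityType(claims.TypeUser)` (a context line in the preceding hunk), while setDefaultPermissions in the same file accepts `claims.TypeUser, claims.TypeServiceAccount`. As far as these hunks show, a top-level folder created by a service account gets only the Editor and Viewer defaults from the `f.ParentUID == ""` branch, and a nested one gets no default grant here. If the difference is intentional, a one-line comment on the check explaining why service accounts are excluded for folders would help; otherwise the two checks should match. The function body continues outside the hunk.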