API: Minor fix for team creation endpoint when using API key (#18252)

* Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f5. * Revert "Update middleware test" This reverts commit 75f767e58d. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2025-02-25 18:55:37 -06:00 · 2019-08-08 11:27:47 +03:00 · 2019-08-08 11:27:47 +03:00 · 7520166f17
commit 7520166f17
parent f20cd218c0
3 changed files with 97 additions and 8 deletions
--- a/pkg/api/team.go
+++ b/pkg/api/team.go
@ -24,15 +24,22 @@ func (hs *HTTPServer) CreateTeam(c *m.ReqContext, cmd m.CreateTeamCommand) Respo
 	}

 	if c.OrgRole == m.ROLE_EDITOR && hs.Cfg.EditorsCanAdmin {
-		addMemberCmd := m.AddTeamMemberCommand{
-			UserId:     c.SignedInUser.UserId,
-			OrgId:      cmd.OrgId,
-			TeamId:     cmd.Result.Id,
-			Permission: m.PERMISSION_ADMIN,
-		}
+		// if the request is authenticated using API tokens
+		// the SignedInUser is an empty struct therefore
+		// an additional check whether it is an actual user is required
+		if c.SignedInUser.IsRealUser() {
+			addMemberCmd := m.AddTeamMemberCommand{
+				UserId:     c.SignedInUser.UserId,
+				OrgId:      cmd.OrgId,
+				TeamId:     cmd.Result.Id,
+				Permission: m.PERMISSION_ADMIN,
+			}

-		if err := hs.Bus.Dispatch(&addMemberCmd); err != nil {
-			c.Logger.Error("Could not add creator to team.", "error", err)
+			if err := hs.Bus.Dispatch(&addMemberCmd); err != nil {
+				c.Logger.Error("Could not add creator to team.", "error", err)
+			}
+		} else {
+			c.Logger.Warn("Could not add creator to team because is not a real user.")
 		}
 	}

--- a/pkg/api/team_test.go
+++ b/pkg/api/team_test.go
@ -9,9 +9,24 @@ import (
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/models"

+	"github.com/grafana/grafana/pkg/infra/log"
 	. "github.com/smartystreets/goconvey/convey"
+	"github.com/stretchr/testify/assert"
+	macaron "gopkg.in/macaron.v1"
+	"net/http"
 )

+type testLogger struct {
+	log.Logger
+	warnCalled  bool
+	warnMessage string
+}
+
+func (stub *testLogger) Warn(testMessage string, ctx ...interface{}) {
+	stub.warnCalled = true
+	stub.warnMessage = testMessage
+}
+
 func TestTeamApiEndpoint(t *testing.T) {
 	Convey("Given two teams", t, func() {
 		mockResult := models.SearchTeamQueryResult{
@ -74,4 +89,67 @@ func TestTeamApiEndpoint(t *testing.T) {
 			})
 		})
 	})
+
+	t.Run("When creating team with api key", func(t *testing.T) {
+		defer bus.ClearBusHandlers()
+
+		hs := &HTTPServer{
+			Cfg: setting.NewCfg(),
+			Bus: bus.GetBus(),
+		}
+		hs.Cfg.EditorsCanAdmin = true
+
+		teamName := "team foo"
+
+		createTeamCalled := 0
+		bus.AddHandler("test", func(cmd *models.CreateTeamCommand) error {
+			createTeamCalled += 1
+			cmd.Result = models.Team{Name: teamName, Id: 42}
+			return nil
+		})
+
+		addTeamMemberCalled := 0
+		bus.AddHandler("test", func(cmd *models.AddTeamMemberCommand) error {
+			addTeamMemberCalled += 1
+			return nil
+		})
+
+		req, _ := http.NewRequest("POST", "/api/teams", nil)
+
+		t.Run("with no real signed in user", func(t *testing.T) {
+			stub := &testLogger{}
+			c := &models.ReqContext{
+				Context: &macaron.Context{
+					Req: macaron.Request{Request: req},
+				},
+				SignedInUser: &models.SignedInUser{},
+				Logger:       stub,
+			}
+			c.OrgRole = models.ROLE_EDITOR
+			cmd := models.CreateTeamCommand{Name: teamName}
+			hs.CreateTeam(c, cmd)
+			assert.Equal(t, createTeamCalled, 1)
+			assert.Equal(t, addTeamMemberCalled, 0)
+			assert.True(t, stub.warnCalled)
+			assert.Equal(t, stub.warnMessage, "Could not add creator to team because is not a real user.")
+		})
+
+		t.Run("with real signed in user", func(t *testing.T) {
+			stub := &testLogger{}
+			c := &models.ReqContext{
+				Context: &macaron.Context{
+					Req: macaron.Request{Request: req},
+				},
+				SignedInUser: &models.SignedInUser{UserId: 42},
+				Logger:       stub,
+			}
+			c.OrgRole = models.ROLE_EDITOR
+			cmd := models.CreateTeamCommand{Name: teamName}
+			createTeamCalled, addTeamMemberCalled = 0, 0
+			hs.CreateTeam(c, cmd)
+			assert.Equal(t, createTeamCalled, 1)
+			assert.Equal(t, addTeamMemberCalled, 1)
+			assert.False(t, stub.warnCalled)
+		})
+	})
 }
--- a/pkg/models/user.go
+++ b/pkg/models/user.go
@ -210,6 +210,10 @@ func (user *SignedInUser) HasRole(role RoleType) bool {
 	return user.OrgRole.Includes(role)
 }

+func (user *SignedInUser) IsRealUser() bool {
+	return user.UserId != 0
+}
+
 type UserProfileDTO struct {
 	Id             int64    `json:"id"`
 	Email          string   `json:"email"`