IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Access control: Allow users with permission to update team, dashboard and folder permissions to list users in OSS (#48275)

Browse Source 
* Remove banner when missing permissions to list users

* For OSS allow users to list other users if they have permissions to
write either team, dashboard or folder permissions
This commit is contained in:
Karl Persson
2022-05-06 10:31:53 +02:00
committed by GitHub
parent 9826a694a8
commit 817cf52744
9 changed files with 28 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/api/api.go
View File

@@ -249,7 +249,19 @@ func (hs *HTTPServer) registerRoutes() {
// current org without requirement of user to be org admin
apiRoute.Group("/org", func(orgRoute routing.RouteRegister) {
orgRoute.Get("/users/lookup", authorize(reqOrgAdminFolderAdminOrTeamAdmin, ac.EvalPermission(ac.ActionOrgUsersRead)), routing.Wrap(hs.GetOrgUsersForCurrentOrgLookup))
lookupEvaluator := func() ac.Evaluator {
if hs.Cfg.IsEnterprise {
return ac.EvalPermission(ac.ActionOrgUsersRead)
}
// For oss we allow users with access to update permissions on either folders, teams or dashboards to perform the lookup
return ac.EvalAny(
ac.EvalPermission(ac.ActionOrgUsersRead),
ac.EvalPermission(ac.ActionTeamsPermissionsWrite),
ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite),
ac.EvalPermission(dashboards.ActionFoldersPermissionsWrite),
)
}
orgRoute.Get("/users/lookup", authorize(reqOrgAdminFolderAdminOrTeamAdmin, lookupEvaluator()), routing.Wrap(hs.GetOrgUsersForCurrentOrgLookup))
})
// create new org