RBAC: only set basic role permissions for folders without parents (#62486)

only set basic role permissions for folders without parents
2025-02-25 18:55:37 -06:00 · 2023-01-31 12:13:26 +00:00 · 2023-01-31 12:13:26 +00:00 · a46d62cf48
commit a46d62cf48
parent a0c3dcb8c6
1 changed files with 8 additions and 6 deletions
--- a/pkg/api/folder.go
+++ b/pkg/api/folder.go
@ -176,7 +176,7 @@ func (hs *HTTPServer) CreateFolder(c *contextmodel.ReqContext) response.Response
 }

 func (hs *HTTPServer) setDefaultFolderPermissions(ctx context.Context, orgID int64, user *user.SignedInUser, folder *folder.Folder) error {
-	// Set default folder permissions
+	isNested := folder.ParentUID != ""
 	var permissionErr error
 	if !accesscontrol.IsDisabled(hs.Cfg) {
 		var permissions []accesscontrol.SetResourcePermissionCommand
@ -186,15 +186,17 @@ func (hs *HTTPServer) setDefaultFolderPermissions(ctx context.Context, orgID int
 			})
 		}

-		permissions = append(permissions, []accesscontrol.SetResourcePermissionCommand{
-			{BuiltinRole: string(org.RoleEditor), Permission: dashboards.PERMISSION_EDIT.String()},
-			{BuiltinRole: string(org.RoleViewer), Permission: dashboards.PERMISSION_VIEW.String()},
-		}...)
+		if !isNested {
+			permissions = append(permissions, []accesscontrol.SetResourcePermissionCommand{
+				{BuiltinRole: string(org.RoleEditor), Permission: dashboards.PERMISSION_EDIT.String()},
+				{BuiltinRole: string(org.RoleViewer), Permission: dashboards.PERMISSION_VIEW.String()},
+			}...)
+		}

 		_, permissionErr = hs.folderPermissionsService.SetPermissions(ctx, orgID, folder.UID, permissions...)
 		return permissionErr
 	} else if hs.Cfg.EditorsCanAdmin && user.IsRealUser() && !user.IsAnonymous {
-		return hs.folderService.MakeUserAdmin(ctx, orgID, user.UserID, folder.ID, true)
+		return hs.folderService.MakeUserAdmin(ctx, orgID, user.UserID, folder.ID, !isNested)
 	}
 	return nil
 }