From a97637a133314907ab19861e1f3d9119a8dd5571 Mon Sep 17 00:00:00 2001
From: Marcus Efraimsson
Date: Tue, 16 Mar 2021 16:46:34 +0100
Subject: [PATCH] Snapshots: Fix usage of sign in link from the snapshot page (#31986)

Fix redirect to login page from snapshot page when not authenticated.

Fixes #28547
---
 pkg/api/api.go | 3 ++-
 pkg/middleware/auth.go | 30 ++++++++++++++++++++++++------
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/pkg/api/api.go b/pkg/api/api.go
index cff827fe263..c2803af4cb3 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -18,6 +18,7 @@ var plog = log.New("api")
 // registerRoutes registers all API HTTP routes.
 func (hs *HTTPServer) registerRoutes() {
+ reqNoAuth := middleware.NoAuth()
 reqSignedIn := middleware.ReqSignedIn
 reqSignedInNoAnonymous := middleware.ReqSignedInNoAnonymous
 reqGrafanaAdmin := middleware.ReqGrafanaAdmin
@@ -118,7 +119,7 @@ func (hs *HTTPServer) registerRoutes() {
 r.Post("/api/user/password/reset", bind(dtos.ResetUserPasswordForm{}), routing.Wrap(ResetPassword))
 // dashboard snapshots
- r.Get("/dashboard/snapshot/*", hs.Index)
+ r.Get("/dashboard/snapshot/*", reqNoAuth, hs.Index)
 r.Get("/dashboard/snapshots/", reqSignedIn, hs.Index)
 // api renew session based on cookie
diff --git a/pkg/middleware/auth.go b/pkg/middleware/auth.go
index 8be3c1f669b..513d74e8c75 100644
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@@ -76,13 +76,8 @@ func RoleAuth(roles ...models.RoleType) macaron.Handler {
 func Auth(options *AuthOptions) macaron.Handler {
 return func(c *models.ReqContext) {
 forceLogin := false
-
 if c.AllowAnonymous {
- forceLoginParam, err := strconv.ParseBool(c.Req.URL.Query().Get("forceLogin"))
- if err == nil {
- forceLogin = forceLoginParam
- }
-
+ forceLogin = shouldForceLogin(c)
 if !forceLogin {
 orgIDValue := c.Req.URL.Query().Get("orgId")
 orgID, err := strconv.ParseInt(orgIDValue, 10, 64)
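Review bot: The `/dashboard/snapshot/*` route now carries a middleware named `reqNoAuth`, and nothing at the call site says that the page is left public on purpose. A short comment above the route would help the next reader, for example `// public page: reqNoAuth only redirects to login when ?forceLogin=true is set`. Access control for the snapshot data itself is not visible in this hunk and presumably lives on the API routes; it is worth confirming that it does not depend on this handler. registerRoutes continues outside the hunk.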
@@ -137,3 +132,26 @@ func SnapshotPublicModeOrSignedIn(cfg *setting.Cfg) macaron.Handler {
 }
 }
 }
+
+// NoAuth creates a middleware that doesn't require any authentication.
+// If forceLogin param is set it will redirect the user to the login page.
+func NoAuth() macaron.Handler {
+ return func(c *models.ReqContext) {
+ if shouldForceLogin(c) {
+ notAuthorized(c)
+ return
+ }
+ }
+}
+
+// shouldForceLogin checks if user should be enforced to login.
+// Returns true if forceLogin parameter is set.
+func shouldForceLogin(c *models.ReqContext) bool {
+ forceLogin := false
+ forceLoginParam, err := strconv.ParseBool(c.Req.URL.Query().Get("forceLogin"))
+ if err == nil {
+ forceLogin = forceLoginParam
+ }
+
+ return forceLogin
+}
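Review bot: NoAuth calls `notAuthorized(c)` whenever `forceLogin` parses as true, without checking whether the request already has a session, so a signed-in user who follows a `?forceLogin=true` link is sent through the login flow again. Guarding on sign-in state would avoid that: `if !c.IsSignedIn && shouldForceLogin(c) {`. `notAuthorized` is defined outside this hunk; because the trigger is a caller-supplied query parameter on an unauthenticated route, confirm that it stores only a local path as the post-login return target. The doc comment on shouldForceLogin could also say that any value `strconv.ParseBool` accepts as true (`1`, `t`, `true`, …) counts, and the body can drop the temporary: `v, err := strconv.ParseBool(c.Req.URL.Query().Get("forceLogin"))` followed by `return err == nil && v`.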