RBAC: fix access control check in both new navivation and new search view (#50596)

* check access control permissions for new navigation * check access control actions in new search view
2024-11-23 09:26:43 -06:00 · 2022-06-10 15:26:00 +02:00 · 2022-06-10 15:26:00 +02:00 · b4559b41c2
commit b4559b41c2
parent 5539bb4578
4 changed files with 45 additions and 19 deletions
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@ -460,6 +460,11 @@ func (hs *HTTPServer) buildStarredItemsNavLinks(c *models.ReqContext, prefs *pre
 }

 func (hs *HTTPServer) buildDashboardNavLinks(c *models.ReqContext, hasEditPerm bool) []*dtos.NavLink {
+	hasAccess := ac.HasAccess(hs.AccessControl, c)
+	hasEditPermInAnyFolder := func(c *models.ReqContext) bool {
+		return hasEditPerm
+	}
+
 	dashboardChildNavs := []*dtos.NavLink{}
 	if !hs.Features.IsEnabled(featuremgmt.FlagNewNavigation) {
 		dashboardChildNavs = append(dashboardChildNavs, &dtos.NavLink{
@ -496,19 +501,26 @@ func (hs *HTTPServer) buildDashboardNavLinks(c *models.ReqContext, hasEditPerm b
 		dashboardChildNavs = append(dashboardChildNavs, &dtos.NavLink{
 			Text: "Divider", Divider: true, Id: "divider", HideFromTabs: true,
 		})
-		dashboardChildNavs = append(dashboardChildNavs, &dtos.NavLink{
-			Text: "New dashboard", Icon: "plus", Url: hs.Cfg.AppSubURL + "/dashboard/new", HideFromTabs: true, Id: "new-dashboard", ShowIconInNavbar: true,
-		})
-		if c.OrgRole == models.ROLE_ADMIN || c.OrgRole == models.ROLE_EDITOR {
+
+		if hasAccess(hasEditPermInAnyFolder, ac.EvalPermission(dashboards.ActionDashboardsCreate)) {
+			dashboardChildNavs = append(dashboardChildNavs, &dtos.NavLink{
+				Text: "New dashboard", Icon: "plus", Url: hs.Cfg.AppSubURL + "/dashboard/new", HideFromTabs: true, Id: "new-dashboard", ShowIconInNavbar: true,
+			})
+		}
+
+		if hasAccess(ac.ReqOrgAdminOrEditor, ac.EvalPermission(dashboards.ActionFoldersCreate)) {
 			dashboardChildNavs = append(dashboardChildNavs, &dtos.NavLink{
 				Text: "New folder", SubTitle: "Create a new folder to organize your dashboards", Id: "new-folder",
 				Icon: "plus", Url: hs.Cfg.AppSubURL + "/dashboards/folder/new", HideFromTabs: true, ShowIconInNavbar: true,
 			})
 		}
-		dashboardChildNavs = append(dashboardChildNavs, &dtos.NavLink{
-			Text: "Import", SubTitle: "Import dashboard from file or Grafana.com", Id: "import", Icon: "plus",
-			Url: hs.Cfg.AppSubURL + "/dashboard/import", HideFromTabs: true, ShowIconInNavbar: true,
-		})
+
+		if hasAccess(hasEditPermInAnyFolder, ac.EvalPermission(dashboards.ActionDashboardsCreate)) {
+			dashboardChildNavs = append(dashboardChildNavs, &dtos.NavLink{
+				Text: "Import", SubTitle: "Import dashboard from file or Grafana.com", Id: "import", Icon: "plus",
+				Url: hs.Cfg.AppSubURL + "/dashboard/import", HideFromTabs: true, ShowIconInNavbar: true,
+			})
+		}
 	}
 	return dashboardChildNavs
 }
--- a/public/app/features/search/components/DashboardActions.tsx
+++ b/public/app/features/search/components/DashboardActions.tsx
@ -4,11 +4,11 @@ import { HorizontalGroup, LinkButton } from '@grafana/ui';

 export interface Props {
  folderId?: number;
-  isEditor: boolean;
-  canEdit?: boolean;
+  canCreateFolders?: boolean;
+  canCreateDashboards?: boolean;
 }

-export const DashboardActions: FC<Props> = ({ folderId, isEditor, canEdit }) => {
+export const DashboardActions: FC<Props> = ({ folderId, canCreateFolders = false, canCreateDashboards = false }) => {
  const actionUrl = (type: string) => {
    let url = `dashboard/${type}`;

@ -22,9 +22,9 @@ export const DashboardActions: FC<Props> = ({ folderId, isEditor, canEdit }) =>
  return (
    <div>
      <HorizontalGroup spacing="md" align="center">
-        {canEdit && <LinkButton href={actionUrl('new')}>New Dashboard</LinkButton>}
-        {!folderId && isEditor && <LinkButton href="dashboards/folder/new">New Folder</LinkButton>}
-        {canEdit && <LinkButton href={actionUrl('import')}>Import</LinkButton>}
+        {canCreateDashboards && <LinkButton href={actionUrl('new')}>New Dashboard</LinkButton>}
+        {!folderId && canCreateFolders && <LinkButton href="dashboards/folder/new">New Folder</LinkButton>}
+        {canCreateDashboards && <LinkButton href={actionUrl('import')}>Import</LinkButton>}
      </HorizontalGroup>
    </div>
  );
--- a/public/app/features/search/components/ManageDashboards.tsx
+++ b/public/app/features/search/components/ManageDashboards.tsx
@ -5,7 +5,7 @@ import { GrafanaTheme } from '@grafana/data';
 import { FilterInput, Spinner, stylesFactory, useTheme } from '@grafana/ui';
 import EmptyListCTA from 'app/core/components/EmptyListCTA/EmptyListCTA';
 import { contextSrv } from 'app/core/services/context_srv';
-import { FolderDTO } from 'app/types';
+import { FolderDTO, AccessControlAction } from 'app/types';

 import { useManageDashboards } from '../hooks/useManageDashboards';
 import { useSearchQuery } from '../hooks/useSearchQuery';
@ -53,10 +53,10 @@ export const ManageDashboards: FC<Props> = memo(({ folder }) => {
    results,
    loading,
    initialLoading,
-    canSave,
    allChecked,
    hasEditPermissionInFolders,
    canMove,
+    canSave,
    canDelete,
    onToggleSection,
    onToggleChecked,
@ -101,7 +101,14 @@ export const ManageDashboards: FC<Props> = memo(({ folder }) => {
        <div className="gf-form gf-form--grow m-r-2">
          <FilterInput value={query.query} onChange={onQueryChange} placeholder={'Search dashboards by name'} />
        </div>
-        <DashboardActions isEditor={isEditor} canEdit={hasEditPermissionInFolders || canSave} folderId={folderId} />
+        <DashboardActions
+          folderId={folderId}
+          canCreateFolders={contextSrv.hasAccess(AccessControlAction.FoldersCreate, isEditor)}
+          canCreateDashboards={contextSrv.hasAccess(
+            AccessControlAction.DashboardsCreate,
+            hasEditPermissionInFolders || !!canSave
+          )}
+        />
      </div>

      <div className={styles.results}>
--- a/public/app/features/search/components/ManageDashboardsNew.tsx
+++ b/public/app/features/search/components/ManageDashboardsNew.tsx
@ -6,7 +6,7 @@ import { GrafanaTheme2 } from '@grafana/data';
 import { config } from '@grafana/runtime';
 import { Input, useStyles2, Spinner } from '@grafana/ui';
 import { contextSrv } from 'app/core/services/context_srv';
-import { FolderDTO } from 'app/types';
+import { FolderDTO, AccessControlAction } from 'app/types';

 import { SEARCH_PANELS_LOCAL_STORAGE_KEY } from '../constants';
 import { useSearchQuery } from '../hooks/useSearchQuery';
@ -57,7 +57,14 @@ export const ManageDashboardsNew = React.memo(({ folder }: Props) => {
            suffix={false ? <Spinner /> : null}
          />
        </div>
-        <DashboardActions isEditor={isEditor} canEdit={hasEditPermissionInFolders || canSave} folderId={folderId} />
+        <DashboardActions
+          folderId={folderId}
+          canCreateFolders={contextSrv.hasAccess(AccessControlAction.FoldersCreate, isEditor)}
+          canCreateDashboards={contextSrv.hasAccess(
+            AccessControlAction.DashboardsCreate,
+            hasEditPermissionInFolders || !!canSave
+          )}
+        />
      </div>

      <SearchView