From beb15d938b0f3183a93c8a714a2c3c9c071c7a85 Mon Sep 17 00:00:00 2001
From: Ieva
Date: Wed, 3 Apr 2024 11:44:16 +0100
Subject: [PATCH] RBAC: Fix access checks for interactions with RBAC roles in hosted Grafana (#85485)

* don't check global permissions for cloud instances
* linting
---
 pkg/services/accesscontrol/middleware.go | 25 ++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/pkg/services/accesscontrol/middleware.go b/pkg/services/accesscontrol/middleware.go
index ed79b13c604..bcc588fb4ae 100644
--- a/pkg/services/accesscontrol/middleware.go
+++ b/pkg/services/accesscontrol/middleware.go
@@ -338,18 +338,23 @@ func UseOrgFromRequestData(c *contextmodel.ReqContext) (int64, error) {
 }
 
 // UseGlobalOrgFromRequestData returns global org if `global` flag is set or the org where user is logged in.
-func UseGlobalOrgFromRequestData(c *contextmodel.ReqContext) (int64, error) {
-	query, err := getOrgQueryFromRequest(c)
-	if err != nil {
-		// Special case of macaron handling invalid params
-		return NoOrgID, org.ErrOrgNotFound.Errorf("failed to get organization from context: %w", err)
-	}
+// If RBACSingleOrganization is set, the org where user is logged in is returned - this is intended only for cloud workflows, where instances are limited to a single organization.
+func UseGlobalOrgFromRequestData(cfg *setting.Cfg) func(*contextmodel.ReqContext) (int64, error) {
+	return func(c *contextmodel.ReqContext) (int64, error) {
+		query, err := getOrgQueryFromRequest(c)
+		if err != nil {
+			// Special case of macaron handling invalid params
+			return NoOrgID, org.ErrOrgNotFound.Errorf("failed to get organization from context: %w", err)
+		}
 
-	if query.Global {
-		return GlobalOrgID, nil
-	}
+		// We only check permissions in the global organization if we are not running a SingleOrganization setup
+		// That allows Organization Admins to modify global roles and make global assignments.
+		if query.Global && !cfg.RBACSingleOrganization {
+			return GlobalOrgID, nil
+		}
 
-	return c.SignedInUser.GetOrgID(), nil
+		return c.SignedInUser.GetOrgID(), nil
+	}
 }
 
 // UseGlobalOrgFromRequestParams returns global org if `global` flag is set or the org where user is logged in.
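Review bot: In the single-organization branch the `global` flag is silently ignored rather than rejected — `if query.Global && !cfg.RBACSingleOrganization` falls through to `return c.SignedInUser.GetOrgID(), nil` — so the access check is evaluated against the user's org while the request still carries `global=true`. Whether the handlers behind this middleware also drop the global scope is not visible in this hunk and should be confirmed; if they still read the flag independently, the check and the action would be evaluated against different scopes. A doc comment stating that contract would make it explicit: `// In a single-organization setup the global flag is ignored; callers must scope the action to the returned org as well.` The new doc line is also far longer than the rest of the file's comments; splitting it into two `//` lines would keep it readable in godoc.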