Auth: Lock down Grafana admin role updates if the role is externally synced (#72677)

* lock down server admin role updates on the frontend if the user is externally synced

* add tests

* lock Grafana Server admin role updates from the backend

* rename variables

* check that the user has auth info

* add LDAP to providers for which Grafana Server admin role can be synced

* linting
Ieva
2023-08-01 16:39:08 +01:00
committed by GitHub
parent d28bb03ebc
commit d3b481dac8
9 changed files with 300 additions and 18 deletions


@@ -68,6 +68,11 @@ func (hs *HTTPServer) getUserUserProfile(c *contextmodel.ReqContext, userID int6
userProfile.AuthLabels = append(userProfile.AuthLabels, authLabel)
userProfile.IsExternal = true
userProfile.IsExternallySynced = login.IsExternallySynced(hs.Cfg, authInfo.AuthModule)
oAuthAndAllowAssignGrafanaAdmin := false
if oauthInfo := hs.SocialService.GetOAuthInfoProvider(strings.TrimPrefix(authInfo.AuthModule, "oauth_")); oauthInfo != nil {
oAuthAndAllowAssignGrafanaAdmin = oauthInfo.AllowAssignGrafanaAdmin
}
userProfile.IsGrafanaAdminExternallySynced = login.IsGrafanaAdminExternallySynced(hs.Cfg, authInfo.AuthModule, oAuthAndAllowAssignGrafanaAdmin)
}
userProfile.AccessControl = hs.getAccessControlMetadata(c, c.OrgID, "global.users:id:", strconv.FormatInt(userID, 10))