dashfolders: security for png rendering

2025-01-09 23:53:25 -06:00 · 2017-06-22 01:23:36 +02:00 · 2017-06-22 01:23:36 +02:00 · f68d2816ab
commit f68d2816ab
parent 659a59107e
3 changed files with 9 additions and 3 deletions
--- a/pkg/api/render.go
+++ b/pkg/api/render.go
@ -18,6 +18,8 @@ func RenderToPng(c *middleware.Context) {
 		Width:    queryReader.Get("width", "800"),
 		Height:   queryReader.Get("height", "400"),
 		OrgId:    c.OrgId,
+		UserId:   c.UserId,
+		OrgRole:  c.OrgRole,
 		Timeout:  queryReader.Get("timeout", "30"),
 		Timezone: queryReader.Get("tz", ""),
 	}
--- a/pkg/components/renderer/renderer.go
+++ b/pkg/components/renderer/renderer.go
@ -15,6 +15,7 @@ import (

 	"github.com/grafana/grafana/pkg/log"
 	"github.com/grafana/grafana/pkg/middleware"
+	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )
@ -25,6 +26,8 @@ type RenderOpts struct {
 	Height   string
 	Timeout  string
 	OrgId    int64
+	UserId   int64
+	OrgRole  models.RoleType
 	Timezone string
 }

@ -72,7 +75,7 @@ func RenderToPng(params *RenderOpts) (string, error) {
 	pngPath, _ := filepath.Abs(filepath.Join(setting.ImagesDir, util.GetRandomString(20)))
 	pngPath = pngPath + ".png"

-	renderKey := middleware.AddRenderAuthKey(params.OrgId)
+	renderKey := middleware.AddRenderAuthKey(params.OrgId, params.UserId, params.OrgRole)
 	defer middleware.RemoveRenderAuthKey(renderKey)

 	cmdArgs := []string{
--- a/pkg/middleware/render_auth.go
+++ b/pkg/middleware/render_auth.go
@ -33,14 +33,15 @@ func initContextWithRenderAuth(ctx *Context) bool {

 type renderContextFunc func(key string) (string, error)

-func AddRenderAuthKey(orgId int64) string {
+func AddRenderAuthKey(orgId int64, userId int64, orgRole m.RoleType) string {
 	renderKeysLock.Lock()

 	key := util.GetRandomString(32)

 	renderKeys[key] = &m.SignedInUser{
 		OrgId:   orgId,
-		OrgRole: m.ROLE_VIEWER,
+		OrgRole: orgRole,
+		UserId:  userId,
 	}

 	renderKeysLock.Unlock()