mirror of
https://github.com/grafana/grafana.git
synced 2025-02-14 17:43:35 -06:00
605d056136
* * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
183 lines
6.4 KiB
Go
183 lines
6.4 KiB
Go
package api
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"strconv"
|
|
|
|
"github.com/grafana/grafana/pkg/api/dtos"
|
|
"github.com/grafana/grafana/pkg/api/response"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
|
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
|
"github.com/grafana/grafana/pkg/util"
|
|
"github.com/grafana/grafana/pkg/web"
|
|
)
|
|
|
|
// GET /api/teams/:teamId/members
|
|
func (hs *HTTPServer) GetTeamMembers(c *models.ReqContext) response.Response {
|
|
teamId, err := strconv.ParseInt(web.Params(c.Req)[":teamId"], 10, 64)
|
|
if err != nil {
|
|
return response.Error(http.StatusBadRequest, "teamId is invalid", err)
|
|
}
|
|
|
|
query := models.GetTeamMembersQuery{OrgId: c.OrgId, TeamId: teamId}
|
|
if err := hs.teamGuardian.CanAdmin(c.Req.Context(), query.OrgId, query.TeamId, c.SignedInUser); err != nil {
|
|
return response.Error(403, "Not allowed to list team members", err)
|
|
}
|
|
|
|
if err := hs.SQLStore.GetTeamMembers(c.Req.Context(), &query); err != nil {
|
|
return response.Error(500, "Failed to get Team Members", err)
|
|
}
|
|
|
|
filteredMembers := make([]*models.TeamMemberDTO, 0, len(query.Result))
|
|
for _, member := range query.Result {
|
|
if dtos.IsHiddenUser(member.Login, c.SignedInUser, hs.Cfg) {
|
|
continue
|
|
}
|
|
|
|
member.AvatarUrl = dtos.GetGravatarUrl(member.Email)
|
|
member.Labels = []string{}
|
|
|
|
if hs.License.FeatureEnabled("teamgroupsync") && member.External {
|
|
authProvider := GetAuthProviderLabel(member.AuthModule)
|
|
member.Labels = append(member.Labels, authProvider)
|
|
}
|
|
|
|
filteredMembers = append(filteredMembers, member)
|
|
}
|
|
|
|
return response.JSON(200, filteredMembers)
|
|
}
|
|
|
|
// POST /api/teams/:teamId/members
|
|
func (hs *HTTPServer) AddTeamMember(c *models.ReqContext) response.Response {
|
|
cmd := models.AddTeamMemberCommand{}
|
|
var err error
|
|
if err := web.Bind(c.Req, &cmd); err != nil {
|
|
return response.Error(http.StatusBadRequest, "bad request data", err)
|
|
}
|
|
cmd.OrgId = c.OrgId
|
|
cmd.TeamId, err = strconv.ParseInt(web.Params(c.Req)[":teamId"], 10, 64)
|
|
if err != nil {
|
|
return response.Error(http.StatusBadRequest, "teamId is invalid", err)
|
|
}
|
|
|
|
if !hs.Features.IsEnabled(featuremgmt.FlagAccesscontrol) {
|
|
if err := hs.teamGuardian.CanAdmin(c.Req.Context(), cmd.OrgId, cmd.TeamId, c.SignedInUser); err != nil {
|
|
return response.Error(403, "Not allowed to add team member", err)
|
|
}
|
|
}
|
|
|
|
isTeamMember, err := hs.SQLStore.IsTeamMember(c.OrgId, cmd.TeamId, cmd.UserId)
|
|
if err != nil {
|
|
return response.Error(500, "Failed to add team member.", err)
|
|
}
|
|
if isTeamMember {
|
|
return response.Error(400, "User is already added to this team", nil)
|
|
}
|
|
|
|
err = addOrUpdateTeamMember(c.Req.Context(), hs.TeamPermissionsService, cmd.UserId, cmd.OrgId, cmd.TeamId, getPermissionName(cmd.Permission))
|
|
if err != nil {
|
|
return response.Error(500, "Failed to add Member to Team", err)
|
|
}
|
|
|
|
return response.JSON(200, &util.DynMap{
|
|
"message": "Member added to Team",
|
|
})
|
|
}
|
|
|
|
// PUT /:teamId/members/:userId
|
|
func (hs *HTTPServer) UpdateTeamMember(c *models.ReqContext) response.Response {
|
|
cmd := models.UpdateTeamMemberCommand{}
|
|
if err := web.Bind(c.Req, &cmd); err != nil {
|
|
return response.Error(http.StatusBadRequest, "bad request data", err)
|
|
}
|
|
teamId, err := strconv.ParseInt(web.Params(c.Req)[":teamId"], 10, 64)
|
|
if err != nil {
|
|
return response.Error(http.StatusBadRequest, "teamId is invalid", err)
|
|
}
|
|
userId, err := strconv.ParseInt(web.Params(c.Req)[":userId"], 10, 64)
|
|
if err != nil {
|
|
return response.Error(http.StatusBadRequest, "userId is invalid", err)
|
|
}
|
|
orgId := c.OrgId
|
|
|
|
if !hs.Features.IsEnabled(featuremgmt.FlagAccesscontrol) {
|
|
if err := hs.teamGuardian.CanAdmin(c.Req.Context(), orgId, teamId, c.SignedInUser); err != nil {
|
|
return response.Error(403, "Not allowed to update team member", err)
|
|
}
|
|
}
|
|
|
|
isTeamMember, err := hs.SQLStore.IsTeamMember(orgId, teamId, userId)
|
|
if err != nil {
|
|
return response.Error(500, "Failed to update team member.", err)
|
|
}
|
|
if !isTeamMember {
|
|
return response.Error(404, "Team member not found.", nil)
|
|
}
|
|
|
|
err = addOrUpdateTeamMember(c.Req.Context(), hs.TeamPermissionsService, userId, orgId, teamId, getPermissionName(cmd.Permission))
|
|
if err != nil {
|
|
return response.Error(500, "Failed to update team member.", err)
|
|
}
|
|
return response.Success("Team member updated")
|
|
}
|
|
|
|
func getPermissionName(permission models.PermissionType) string {
|
|
permissionName := permission.String()
|
|
// Team member permission is 0, which maps to an empty string.
|
|
// However, we want the team permission service to display "Member" for team members. This is a hack to make it work.
|
|
if permissionName == "" {
|
|
permissionName = "Member"
|
|
}
|
|
return permissionName
|
|
}
|
|
|
|
// DELETE /api/teams/:teamId/members/:userId
|
|
func (hs *HTTPServer) RemoveTeamMember(c *models.ReqContext) response.Response {
|
|
orgId := c.OrgId
|
|
teamId, err := strconv.ParseInt(web.Params(c.Req)[":teamId"], 10, 64)
|
|
if err != nil {
|
|
return response.Error(http.StatusBadRequest, "teamId is invalid", err)
|
|
}
|
|
userId, err := strconv.ParseInt(web.Params(c.Req)[":userId"], 10, 64)
|
|
if err != nil {
|
|
return response.Error(http.StatusBadRequest, "userId is invalid", err)
|
|
}
|
|
|
|
if !hs.Features.IsEnabled(featuremgmt.FlagAccesscontrol) {
|
|
if err := hs.teamGuardian.CanAdmin(c.Req.Context(), orgId, teamId, c.SignedInUser); err != nil {
|
|
return response.Error(403, "Not allowed to remove team member", err)
|
|
}
|
|
}
|
|
|
|
teamIDString := strconv.FormatInt(teamId, 10)
|
|
if _, err := hs.TeamPermissionsService.SetUserPermission(c.Req.Context(), orgId, accesscontrol.User{ID: userId}, teamIDString, ""); err != nil {
|
|
if errors.Is(err, models.ErrTeamNotFound) {
|
|
return response.Error(404, "Team not found", nil)
|
|
}
|
|
|
|
if errors.Is(err, models.ErrTeamMemberNotFound) {
|
|
return response.Error(404, "Team member not found", nil)
|
|
}
|
|
|
|
return response.Error(500, "Failed to remove Member from Team", err)
|
|
}
|
|
return response.Success("Team Member removed")
|
|
}
|
|
|
|
// addOrUpdateTeamMember adds or updates a team member.
|
|
//
|
|
// Stubbable by tests.
|
|
var addOrUpdateTeamMember = func(ctx context.Context, resourcePermissionService *resourcepermissions.Service, userID, orgID, teamID int64, permission string) error {
|
|
teamIDString := strconv.FormatInt(teamID, 10)
|
|
if _, err := resourcePermissionService.SetUserPermission(ctx, orgID, accesscontrol.User{ID: userID}, teamIDString, permission); err != nil {
|
|
return fmt.Errorf("failed setting permissions for user %d in team %d: %w", userID, teamID, err)
|
|
}
|
|
return nil
|
|
}
|