From a46d62cf486b6bd0a3b41a2fe4dbe5424b30938c Mon Sep 17 00:00:00 2001
From: Ieva
Date: Tue, 31 Jan 2023 12:13:26 +0000
Subject: [PATCH] RBAC: only set basic role permissions for folders without parents (#62486)

only set basic role permissions for folders without parents
---
 pkg/api/folder.go | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/pkg/api/folder.go b/pkg/api/folder.go
index a2f483450d2..002d88c20b0 100644
--- a/pkg/api/folder.go
+++ b/pkg/api/folder.go
@@ -176,7 +176,7 @@ func (hs *HTTPServer) CreateFolder(c *contextmodel.ReqContext) response.Response
 }
 
 func (hs *HTTPServer) setDefaultFolderPermissions(ctx context.Context, orgID int64, user *user.SignedInUser, folder *folder.Folder) error {
- // Set default folder permissions
+ isNested := folder.ParentUID != ""
 var permissionErr error
 if !accesscontrol.IsDisabled(hs.Cfg) {
 var permissions []accesscontrol.SetResourcePermissionCommand
@@ -186,15 +186,17 @@ func (hs *HTTPServer) setDefaultFolderPermissions(ctx context.Context, orgID int
 })
 }
 
- permissions = append(permissions, []accesscontrol.SetResourcePermissionCommand{
- {BuiltinRole: string(org.RoleEditor), Permission: dashboards.PERMISSION_EDIT.String()},
- {BuiltinRole: string(org.RoleViewer), Permission: dashboards.PERMISSION_VIEW.String()},
- }...)
+ if !isNested {
+ permissions = append(permissions, []accesscontrol.SetResourcePermissionCommand{
+ {BuiltinRole: string(org.RoleEditor), Permission: dashboards.PERMISSION_EDIT.String()},
+ {BuiltinRole: string(org.RoleViewer), Permission: dashboards.PERMISSION_VIEW.String()},
+ }...)
+ }
 
 _, permissionErr = hs.folderPermissionsService.SetPermissions(ctx, orgID, folder.UID, permissions...)
 return permissionErr
 } else if hs.Cfg.EditorsCanAdmin && user.IsRealUser() && !user.IsAnonymous {
- return hs.folderService.MakeUserAdmin(ctx, orgID, user.UserID, folder.ID, true)
+ return hs.folderService.MakeUserAdmin(ctx, orgID, user.UserID, folder.ID, !isNested)
 }
 return nil
 }
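Review bot: The new `if !isNested` block and the `!isNested` argument passed to MakeUserAdmin in the second hunk encode an access-control invariant (nested folders receive no default basic-role grants) without stating why, and the first hunk removed the function's only comment; a note above `isNested := folder.ParentUID != ""` such as `// Nested folders inherit their parent's permissions; default Editor/Viewer grants are only set on root folders so a child is never more permissive than its parent.` would keep a later change from reintroducing them. Since the last MakeUserAdmin argument is now a computed bool rather than a literal, an inline comment naming the flag at the call site would help too, though the parameter's name is not visible in this diff. For a nested folder created by a request where the creator-admin branch (in the lines between the two hunks, not shown) does not fire, `permissions` stays empty and `SetPermissions` is still called with no commands; confirm the service treats that as a no-op rather than an error, or skip the call with `if len(permissions) > 0`.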