PublicDashboards: disable form if user does not has permissions (#54853)

3 years ago · bcab0194f1
parent 9c88360ec5
commit bcab0194f1
6 changed files with 26 additions and 16 deletions
--- a/pkg/api/accesscontrol.go
+++ b/pkg/api/accesscontrol.go
@ -426,7 +426,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 			Description: "Create, write or disable a public dashboard.",
 			Group:       "Dashboards",
 			Permissions: []ac.Permission{
-				{Action: dashboards.ActionDashboardPublicWrite, Scope: dashboards.ScopeDashboardsAll},
+				{Action: dashboards.ActionDashboardsPublicWrite, Scope: dashboards.ScopeDashboardsAll},
 			},
 		},
 		Grants: []string{"Admin"},
--- a/pkg/services/dashboards/accesscontrol.go
+++ b/pkg/services/dashboards/accesscontrol.go
@ -28,8 +28,7 @@ const (
 	ActionDashboardsDelete           = "dashboards:delete"
 	ActionDashboardsPermissionsRead  = "dashboards.permissions:read"
 	ActionDashboardsPermissionsWrite = "dashboards.permissions:write"
-
-	ActionDashboardPublicWrite = "dashboards.public:write"
+	ActionDashboardsPublicWrite      = "dashboards.public:write"
 )

 var (
--- a/pkg/services/publicdashboards/api/api.go
+++ b/pkg/services/publicdashboards/api/api.go
@ -68,7 +68,7 @@ func (api *Api) RegisterAPIEndpoints() {
 		routing.Wrap(api.GetPublicDashboardConfig))

 	api.RouteRegister.Post("/api/dashboards/uid/:uid/public-config",
-		auth(middleware.ReqOrgAdmin, accesscontrol.EvalPermission(dashboards.ActionDashboardPublicWrite, uidScope)),
+		auth(middleware.ReqOrgAdmin, accesscontrol.EvalPermission(dashboards.ActionDashboardsPublicWrite, uidScope)),
 		routing.Wrap(api.SavePublicDashboardConfig))
 }

--- a/pkg/services/publicdashboards/api/api_test.go
+++ b/pkg/services/publicdashboards/api/api_test.go
@ -39,7 +39,7 @@ import (
 )

 var userAdmin = &user.SignedInUser{UserID: 1, OrgID: 1, OrgRole: org.RoleAdmin, Login: "testAdminUser"}
-var userAdminRBAC = &user.SignedInUser{UserID: 2, OrgID: 1, OrgRole: org.RoleAdmin, Login: "testAdminUserRBAC", Permissions: map[int64]map[string][]string{1: {dashboards.ActionDashboardPublicWrite: {dashboards.ScopeDashboardsAll}}}}
+var userAdminRBAC = &user.SignedInUser{UserID: 2, OrgID: 1, OrgRole: org.RoleAdmin, Login: "testAdminUserRBAC", Permissions: map[int64]map[string][]string{1: {dashboards.ActionDashboardsPublicWrite: {dashboards.ScopeDashboardsAll}}}}
 var userViewer = &user.SignedInUser{UserID: 3, OrgID: 1, OrgRole: org.RoleViewer, Login: "testViewerUser"}
 var userViewerRBAC = &user.SignedInUser{UserID: 4, OrgID: 1, OrgRole: org.RoleViewer, Login: "testViewerUserRBAC", Permissions: map[int64]map[string][]string{1: {dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll}}}}
 var anonymousUser *user.SignedInUser
--- a/public/app/features/dashboard/components/ShareModal/SharePublicDashboard.tsx
+++ b/public/app/features/dashboard/components/ShareModal/SharePublicDashboard.tsx
@ -18,6 +18,10 @@ import { notifyApp } from 'app/core/actions';
 import { createErrorNotification } from 'app/core/copy/appNotification';
 import { dispatch } from 'app/store/store';

+import { contextSrv } from '../../../../core/services/context_srv';
+import { AccessControlAction } from '../../../../types';
+import { isOrgAdmin } from '../../../plugins/admin/permissions';
+
 import {
  dashboardHasTemplateVariables,
  generatePublicDashboardUrl,
@ -40,6 +44,8 @@ export const SharePublicDashboard = (props: Props) => {
  const dashboardVariables = props.dashboard.getVariables();
  const selectors = e2eSelectors.pages.ShareDashboardModal.PublicDashboard;

+  const hasWritePermissions = contextSrv.hasAccess(AccessControlAction.DashboardsPublicWrite, isOrgAdmin());
+
  const [publicDashboard, setPublicDashboardConfig] = useState<PublicDashboard>({
    isEnabled: false,
    uid: '',
@ -122,13 +128,12 @@ export const SharePublicDashboard = (props: Props) => {
          <hr />
          <div>
            Before you click Save, please acknowledge the following information: <br />
-            <FieldSet>
+            <FieldSet disabled={publicDashboardPersisted(publicDashboard) || !hasWritePermissions}>
              <br />
              <div>
                <Checkbox
                  label="Your entire dashboard will be public"
                  value={acknowledgements.public}
-                  disabled={publicDashboardPersisted(publicDashboard)}
                  data-testid={selectors.WillBePublicCheckbox}
                  onChange={(e) => onAcknowledge('public', e.currentTarget.checked)}
                />
@ -138,7 +143,6 @@ export const SharePublicDashboard = (props: Props) => {
                <Checkbox
                  label="Publishing currently only works with a subset of datasources"
                  value={acknowledgements.datasources}
-                  disabled={publicDashboardPersisted(publicDashboard)}
                  data-testid={selectors.LimitedDSCheckbox}
                  onChange={(e) => onAcknowledge('datasources', e.currentTarget.checked)}
                />
@ -156,7 +160,6 @@ export const SharePublicDashboard = (props: Props) => {
              <Checkbox
                label="Making your dashboard public will cause queries to run each time the dashboard is viewed which may increase costs"
                value={acknowledgements.usage}
-                disabled={publicDashboardPersisted(publicDashboard)}
                data-testid={selectors.CostIncreaseCheckbox}
                onChange={(e) => onAcknowledge('usage', e.currentTarget.checked)}
              />
@ -175,7 +178,7 @@ export const SharePublicDashboard = (props: Props) => {
          </div>
          <div>
            <h4 className="share-modal-info-text">Public Dashboard Configuration</h4>
-            <FieldSet>
+            <FieldSet disabled={!hasWritePermissions}>
              <Label description="The public dashboard uses the default time settings of the dashboard">
                Time Range
              </Label>
@ -213,6 +216,9 @@ export const SharePublicDashboard = (props: Props) => {
                  }}
                />
              </Field>
+            </FieldSet>
+
+            <FieldSet>
              {publicDashboardPersisted(publicDashboard) && publicDashboard.isEnabled && (
                <Field label="Link URL">
                  <Input
@ -236,14 +242,18 @@ export const SharePublicDashboard = (props: Props) => {
              )}
            </FieldSet>

-            {props.dashboard.hasUnsavedChanges() && (
-              <Alert
-                title="Please save your dashboard changes before updating the public configuration"
-                severity="warning"
-              />
+            {hasWritePermissions ? (
+              props.dashboard.hasUnsavedChanges() && (
+                <Alert
+                  title="Please save your dashboard changes before updating the public configuration"
+                  severity="warning"
+                />
+              )
+            ) : (
+              <Alert title="You don't have permissions to create or update a public dashboard" severity="warning" />
            )}
            <Button
-              disabled={!acknowledged() || props.dashboard.hasUnsavedChanges()}
+              disabled={!hasWritePermissions || !acknowledged() || props.dashboard.hasUnsavedChanges()}
              onClick={onSavePublicConfig}
              data-testid={selectors.SaveConfigButton}
            >
--- a/public/app/types/accessControl.ts
+++ b/public/app/types/accessControl.ts
@ -76,6 +76,7 @@ export enum AccessControlAction {
  DashboardsCreate = 'dashboards:create',
  DashboardsPermissionsRead = 'dashboards.permissions:read',
  DashboardsPermissionsWrite = 'dashboards.permissions:write',
+  DashboardsPublicWrite = 'dashboards.public:write',

  FoldersRead = 'folders:read',
  FoldersWrite = 'folders:write',