diff --git a/pkg/api/api.go b/pkg/api/api.go index 030c920ada2..986fbb9a74a 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -10,7 +10,6 @@ import ( "github.com/grafana/grafana/pkg/middleware" "github.com/grafana/grafana/pkg/models" ac "github.com/grafana/grafana/pkg/services/accesscontrol" - acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware" "github.com/grafana/grafana/pkg/services/dashboards" "github.com/grafana/grafana/pkg/services/datasources" "github.com/grafana/grafana/pkg/services/featuremgmt" @@ -33,8 +32,8 @@ func (hs *HTTPServer) registerRoutes() { reqCanAccessTeams := middleware.AdminOrEditorAndFeatureEnabled(hs.Cfg.EditorsCanAdmin) reqSnapshotPublicModeOrSignedIn := middleware.SnapshotPublicModeOrSignedIn(hs.Cfg) redirectFromLegacyPanelEditURL := middleware.RedirectFromLegacyPanelEditURL(hs.Cfg) - authorize := acmiddleware.Middleware(hs.AccessControl) - authorizeInOrg := acmiddleware.AuthorizeInOrgMiddleware(hs.AccessControl, hs.SQLStore) + authorize := ac.Middleware(hs.AccessControl) + authorizeInOrg := ac.AuthorizeInOrgMiddleware(hs.AccessControl, hs.SQLStore) quota := middleware.Quota(hs.QuotaService) r := hs.RouteRegister @@ -53,7 +52,7 @@ func (hs *HTTPServer) registerRoutes() { r.Get("/.well-known/change-password", redirectToChangePassword) r.Get("/profile/switch-org/:id", reqSignedInNoAnonymous, hs.ChangeActiveOrgAndRedirectToHome) r.Get("/org/", authorize(reqOrgAdmin, orgPreferencesAccessEvaluator), hs.Index) - r.Get("/org/new", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, orgsCreateAccessEvaluator), hs.Index) + r.Get("/org/new", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, orgsCreateAccessEvaluator), hs.Index) r.Get("/datasources/", authorize(reqOrgAdmin, datasources.ConfigurationPageAccess), hs.Index) r.Get("/datasources/new", authorize(reqOrgAdmin, datasources.NewPageAccess), hs.Index) r.Get("/datasources/edit/*", authorize(reqOrgAdmin, datasources.EditPageAccess), hs.Index) @@ -73,8 +72,8 @@ func (hs *HTTPServer) registerRoutes() { r.Get("/admin/users", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), hs.Index) r.Get("/admin/users/create", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersCreate)), hs.Index) r.Get("/admin/users/edit/:id", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead)), hs.Index) - r.Get("/admin/orgs", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, orgsAccessEvaluator), hs.Index) - r.Get("/admin/orgs/edit/:id", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, orgsAccessEvaluator), hs.Index) + r.Get("/admin/orgs", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, orgsAccessEvaluator), hs.Index) + r.Get("/admin/orgs/edit/:id", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, orgsAccessEvaluator), hs.Index) r.Get("/admin/stats", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionServerStatsRead)), hs.Index) r.Get("/admin/ldap", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionLDAPStatusRead)), hs.Index) r.Get("/styleguide", reqSignedIn, hs.Index) @@ -251,28 +250,28 @@ func (hs *HTTPServer) registerRoutes() { }) // create new org - apiRoute.Post("/orgs", authorizeInOrg(reqSignedIn, acmiddleware.UseGlobalOrg, ac.EvalPermission(ActionOrgsCreate)), quota("org"), routing.Wrap(hs.CreateOrg)) + apiRoute.Post("/orgs", authorizeInOrg(reqSignedIn, ac.UseGlobalOrg, ac.EvalPermission(ActionOrgsCreate)), quota("org"), routing.Wrap(hs.CreateOrg)) // search all orgs - apiRoute.Get("/orgs", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.SearchOrgs)) + apiRoute.Get("/orgs", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.SearchOrgs)) // orgs (admin routes) apiRoute.Group("/orgs/:orgId", func(orgsRoute routing.RouteRegister) { userIDScope := ac.Scope("users", "id", ac.Parameter(":userId")) - orgsRoute.Get("/", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.GetOrgByID)) - orgsRoute.Put("/", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsWrite)), routing.Wrap(hs.UpdateOrg)) - orgsRoute.Put("/address", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsWrite)), routing.Wrap(hs.UpdateOrgAddress)) - orgsRoute.Delete("/", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsDelete)), routing.Wrap(hs.DeleteOrgByID)) - orgsRoute.Get("/users", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRead, ac.ScopeUsersAll)), routing.Wrap(hs.GetOrgUsers)) - orgsRoute.Post("/users", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersAdd, ac.ScopeUsersAll)), routing.Wrap(hs.AddOrgUser)) - orgsRoute.Patch("/users/:userId", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRoleUpdate, userIDScope)), routing.Wrap(hs.UpdateOrgUser)) - orgsRoute.Delete("/users/:userId", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRemove, userIDScope)), routing.Wrap(hs.RemoveOrgUser)) - orgsRoute.Get("/quotas", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsQuotasRead)), routing.Wrap(hs.GetOrgQuotas)) - orgsRoute.Put("/quotas/:target", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsQuotasWrite)), routing.Wrap(hs.UpdateOrgQuota)) + orgsRoute.Get("/", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.GetOrgByID)) + orgsRoute.Put("/", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsWrite)), routing.Wrap(hs.UpdateOrg)) + orgsRoute.Put("/address", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsWrite)), routing.Wrap(hs.UpdateOrgAddress)) + orgsRoute.Delete("/", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsDelete)), routing.Wrap(hs.DeleteOrgByID)) + orgsRoute.Get("/users", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRead, ac.ScopeUsersAll)), routing.Wrap(hs.GetOrgUsers)) + orgsRoute.Post("/users", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersAdd, ac.ScopeUsersAll)), routing.Wrap(hs.AddOrgUser)) + orgsRoute.Patch("/users/:userId", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRoleUpdate, userIDScope)), routing.Wrap(hs.UpdateOrgUser)) + orgsRoute.Delete("/users/:userId", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRemove, userIDScope)), routing.Wrap(hs.RemoveOrgUser)) + orgsRoute.Get("/quotas", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsQuotasRead)), routing.Wrap(hs.GetOrgQuotas)) + orgsRoute.Put("/quotas/:target", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsQuotasWrite)), routing.Wrap(hs.UpdateOrgQuota)) }) // orgs (admin routes) - apiRoute.Get("/orgs/name/:name/", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.GetOrgByName)) + apiRoute.Get("/orgs/name/:name/", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.GetOrgByName)) // auth api keys apiRoute.Group("/auth/keys", func(keysRoute routing.RouteRegister) { diff --git a/pkg/api/common_test.go b/pkg/api/common_test.go index 84b913a0437..314ca999253 100644 --- a/pkg/api/common_test.go +++ b/pkg/api/common_test.go @@ -21,7 +21,6 @@ import ( "github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/services/accesscontrol" "github.com/grafana/grafana/pkg/services/accesscontrol/database" - acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware" accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock" "github.com/grafana/grafana/pkg/services/accesscontrol/ossaccesscontrol" "github.com/grafana/grafana/pkg/services/auth" @@ -421,7 +420,7 @@ func setupHTTPServerWithCfgDb(t *testing.T, useFakeAccessControl, enableAccessCo c.Map(initCtx) }) - m.Use(acmiddleware.LoadPermissionsMiddleware(hs.AccessControl)) + m.Use(accesscontrol.LoadPermissionsMiddleware(hs.AccessControl)) // Register all routes hs.registerRoutes() diff --git a/pkg/api/http_server.go b/pkg/api/http_server.go index 8d59c483f3a..5bceecfddf2 100644 --- a/pkg/api/http_server.go +++ b/pkg/api/http_server.go @@ -28,7 +28,6 @@ import ( "github.com/grafana/grafana/pkg/plugins" "github.com/grafana/grafana/pkg/plugins/plugincontext" "github.com/grafana/grafana/pkg/services/accesscontrol" - acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware" "github.com/grafana/grafana/pkg/services/alerting" "github.com/grafana/grafana/pkg/services/cleanup" "github.com/grafana/grafana/pkg/services/comments" @@ -513,7 +512,7 @@ func (hs *HTTPServer) addMiddlewaresAndStaticRoutes() { m.Use(hs.ContextHandler.Middleware) m.Use(middleware.OrgRedirect(hs.Cfg, hs.SQLStore)) - m.Use(acmiddleware.LoadPermissionsMiddleware(hs.AccessControl)) + m.Use(accesscontrol.LoadPermissionsMiddleware(hs.AccessControl)) // needs to be after context handler if hs.Cfg.EnforceDomain { diff --git a/pkg/services/accesscontrol/middleware/middleware.go b/pkg/services/accesscontrol/middleware.go similarity index 65% rename from pkg/services/accesscontrol/middleware/middleware.go rename to pkg/services/accesscontrol/middleware.go index a055433ca4c..6e732cf57c9 100644 --- a/pkg/services/accesscontrol/middleware/middleware.go +++ b/pkg/services/accesscontrol/middleware.go @@ -1,21 +1,35 @@ -package middleware +package accesscontrol import ( + "context" "fmt" "net/http" "strconv" "time" "github.com/grafana/grafana/pkg/models" - "github.com/grafana/grafana/pkg/services/accesscontrol" - "github.com/grafana/grafana/pkg/services/sqlstore" "github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/util" "github.com/grafana/grafana/pkg/web" ) -func authorize(c *models.ReqContext, ac accesscontrol.AccessControl, user *models.SignedInUser, evaluator accesscontrol.Evaluator) { - injected, err := evaluator.MutateScopes(c.Req.Context(), accesscontrol.ScopeInjector(buildScopeParams(c))) +func Middleware(ac AccessControl) func(web.Handler, Evaluator) web.Handler { + return func(fallback web.Handler, evaluator Evaluator) web.Handler { + if ac.IsDisabled() { + return fallback + } + + return func(c *models.ReqContext) { + authorize(c, ac, c.SignedInUser, evaluator) + } + } +} + +func authorize(c *models.ReqContext, ac AccessControl, user *models.SignedInUser, evaluator Evaluator) { + injected, err := evaluator.MutateScopes(c.Req.Context(), ScopeInjector(ScopeParams{ + OrgID: c.OrgId, + URLParams: web.Params(c.Req), + })) if err != nil { c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err) return @@ -23,24 +37,12 @@ func authorize(c *models.ReqContext, ac accesscontrol.AccessControl, user *model hasAccess, err := ac.Evaluate(c.Req.Context(), user, injected) if !hasAccess || err != nil { - Deny(c, injected, err) + deny(c, injected, err) return } } -func Middleware(ac accesscontrol.AccessControl) func(web.Handler, accesscontrol.Evaluator) web.Handler { - return func(fallback web.Handler, evaluator accesscontrol.Evaluator) web.Handler { - if ac.IsDisabled() { - return fallback - } - - return func(c *models.ReqContext) { - authorize(c, ac, c.SignedInUser, evaluator) - } - } -} - -func Deny(c *models.ReqContext, evaluator accesscontrol.Evaluator, err error) { +func deny(c *models.ReqContext, evaluator Evaluator, err error) { id := newID() if err != nil { c.Logger.Error("Error from access control system", "error", err, "accessErrorID", id) @@ -59,13 +61,18 @@ func Deny(c *models.ReqContext, evaluator accesscontrol.Evaluator, err error) { return } + message := "" + if evaluator != nil { + message = evaluator.String() + } + // If the user triggers an error in the access control system, we // don't want the user to be aware of that, so the user gets the // same information from the system regardless of if it's an // internal server error or access denied. c.JSON(http.StatusForbidden, map[string]string{ "title": "Access denied", // the component needs to pick this up - "message": fmt.Sprintf("You'll need additional permissions to perform this action. Permissions needed: %s", evaluator.String()), + "message": fmt.Sprintf("You'll need additional permissions to perform this action. Permissions needed: %s", message), "accessErrorId": id, }) } @@ -82,17 +89,13 @@ func newID() string { return "ACE" + id } -func buildScopeParams(c *models.ReqContext) accesscontrol.ScopeParams { - return accesscontrol.ScopeParams{ - OrgID: c.OrgId, - URLParams: web.Params(c.Req), - } -} - type OrgIDGetter func(c *models.ReqContext) (int64, error) +type userCache interface { + GetSignedInUserWithCacheCtx(ctx context.Context, query *models.GetSignedInUserQuery) error +} -func AuthorizeInOrgMiddleware(ac accesscontrol.AccessControl, db sqlstore.Store) func(web.Handler, OrgIDGetter, accesscontrol.Evaluator) web.Handler { - return func(fallback web.Handler, getTargetOrg OrgIDGetter, evaluator accesscontrol.Evaluator) web.Handler { +func AuthorizeInOrgMiddleware(ac AccessControl, cache userCache) func(web.Handler, OrgIDGetter, Evaluator) web.Handler { + return func(fallback web.Handler, getTargetOrg OrgIDGetter, evaluator Evaluator) web.Handler { if ac.IsDisabled() { return fallback } @@ -102,17 +105,17 @@ func AuthorizeInOrgMiddleware(ac accesscontrol.AccessControl, db sqlstore.Store) userCopy := *(c.SignedInUser) orgID, err := getTargetOrg(c) if err != nil { - Deny(c, nil, fmt.Errorf("failed to get target org: %w", err)) + deny(c, nil, fmt.Errorf("failed to get target org: %w", err)) return } - if orgID == accesscontrol.GlobalOrgID { + if orgID == GlobalOrgID { userCopy.OrgId = orgID userCopy.OrgName = "" userCopy.OrgRole = "" } else { query := models.GetSignedInUserQuery{UserId: c.UserId, OrgId: orgID} - if err := db.GetSignedInUserWithCacheCtx(c.Req.Context(), &query); err != nil { - Deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err)) + if err := cache.GetSignedInUserWithCacheCtx(c.Req.Context(), &query); err != nil { + deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err)) return } userCopy.OrgId = query.Result.OrgId @@ -122,7 +125,7 @@ func AuthorizeInOrgMiddleware(ac accesscontrol.AccessControl, db sqlstore.Store) authorize(c, ac, &userCopy, evaluator) - // Set the signed in user permissions in that org + // Set the sign-ed in user permissions in that org c.SignedInUser.Permissions = userCopy.Permissions } } @@ -140,27 +143,17 @@ func UseOrgFromContextParams(c *models.ReqContext) (int64, error) { } func UseGlobalOrg(c *models.ReqContext) (int64, error) { - return accesscontrol.GlobalOrgID, nil -} - -// Disable returns http 404 if shouldDisable is set to true -func Disable(shouldDisable bool) web.Handler { - return func(c *models.ReqContext) { - if shouldDisable { - c.Resp.WriteHeader(http.StatusNotFound) - return - } - } + return GlobalOrgID, nil } -func LoadPermissionsMiddleware(ac accesscontrol.AccessControl) web.Handler { +func LoadPermissionsMiddleware(ac AccessControl) web.Handler { return func(c *models.ReqContext) { if ac.IsDisabled() { return } permissions, err := ac.GetUserPermissions(c.Req.Context(), c.SignedInUser, - accesscontrol.Options{ReloadCache: false}) + Options{ReloadCache: false}) if err != nil { c.JsonApiErr(http.StatusForbidden, "", err) return @@ -169,6 +162,6 @@ func LoadPermissionsMiddleware(ac accesscontrol.AccessControl) web.Handler { if c.SignedInUser.Permissions == nil { c.SignedInUser.Permissions = make(map[int64]map[string][]string) } - c.SignedInUser.Permissions[c.OrgId] = accesscontrol.GroupScopesByAction(permissions) + c.SignedInUser.Permissions[c.OrgId] = GroupScopesByAction(permissions) } } diff --git a/pkg/services/accesscontrol/middleware/middleware_test.go b/pkg/services/accesscontrol/middleware_test.go similarity index 95% rename from pkg/services/accesscontrol/middleware/middleware_test.go rename to pkg/services/accesscontrol/middleware_test.go index ab40567e42b..5fd2018363b 100644 --- a/pkg/services/accesscontrol/middleware/middleware_test.go +++ b/pkg/services/accesscontrol/middleware_test.go @@ -1,17 +1,17 @@ -package middleware +package accesscontrol_test import ( "net/http" "net/http/httptest" "testing" - "github.com/grafana/grafana/pkg/web" "github.com/stretchr/testify/assert" "github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/services/accesscontrol" "github.com/grafana/grafana/pkg/services/accesscontrol/mock" + "github.com/grafana/grafana/pkg/web" ) type middlewareTestCase struct { @@ -61,7 +61,7 @@ func TestMiddleware(t *testing.T) { server.UseMiddleware(web.Renderer("../../public/views", "[[", "]]")) server.Use(contextProvider()) - server.Use(Middleware(test.ac)(fallback, test.evaluator)) + server.Use(accesscontrol.Middleware(test.ac)(fallback, test.evaluator)) endpointCalled := false server.Get("/", func(c *models.ReqContext) { diff --git a/pkg/services/accesscontrol/resourcepermissions/api.go b/pkg/services/accesscontrol/resourcepermissions/api.go index 2894c74a77b..ff72e48719b 100644 --- a/pkg/services/accesscontrol/resourcepermissions/api.go +++ b/pkg/services/accesscontrol/resourcepermissions/api.go @@ -10,7 +10,6 @@ import ( "github.com/grafana/grafana/pkg/api/routing" "github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/services/accesscontrol" - "github.com/grafana/grafana/pkg/services/accesscontrol/middleware" "github.com/grafana/grafana/pkg/web" ) @@ -55,10 +54,10 @@ func (a *api) getEvaluators(actionRead, actionWrite, scope string) (read, write } func (a *api) registerEndpoints() { - auth := middleware.Middleware(a.ac) + auth := accesscontrol.Middleware(a.ac) + disable := disableMiddleware(a.ac.IsDisabled()) uidSolver := solveUID(a.service.options.UidSolver) inheritanceSolver := solveInheritedScopes(a.service.options.InheritedScopesSolver) - disable := middleware.Disable(a.ac.IsDisabled()) a.router.Group(fmt.Sprintf("/api/access-control/%s", a.service.options.Resource), func(r routing.RouteRegister) { actionRead := fmt.Sprintf("%s.permissions:read", a.service.options.Resource) actionWrite := fmt.Sprintf("%s.permissions:write", a.service.options.Resource) diff --git a/pkg/services/accesscontrol/resourcepermissions/middleware.go b/pkg/services/accesscontrol/resourcepermissions/middleware.go index b7ff11ff345..ab1c0f93ace 100644 --- a/pkg/services/accesscontrol/resourcepermissions/middleware.go +++ b/pkg/services/accesscontrol/resourcepermissions/middleware.go @@ -43,3 +43,12 @@ func solveInheritedScopes(solve InheritedScopesSolver) web.Handler { } } } + +func disableMiddleware(shouldDisable bool) web.Handler { + return func(c *models.ReqContext) { + if shouldDisable { + c.Resp.WriteHeader(http.StatusNotFound) + return + } + } +} diff --git a/pkg/services/dashboardimport/api/api.go b/pkg/services/dashboardimport/api/api.go index 5e721ff6d1e..9c64d2b512a 100644 --- a/pkg/services/dashboardimport/api/api.go +++ b/pkg/services/dashboardimport/api/api.go @@ -11,7 +11,6 @@ import ( "github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/plugins" "github.com/grafana/grafana/pkg/services/accesscontrol" - acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware" "github.com/grafana/grafana/pkg/services/dashboardimport" "github.com/grafana/grafana/pkg/web" ) @@ -36,7 +35,7 @@ func New(dashboardImportService dashboardimport.Service, quotaService QuotaServi } func (api *ImportDashboardAPI) RegisterAPIEndpoints(routeRegister routing.RouteRegister) { - authorize := acmiddleware.Middleware(api.ac) + authorize := accesscontrol.Middleware(api.ac) routeRegister.Group("/api/dashboards", func(route routing.RouteRegister) { route.Post( "/import", diff --git a/pkg/services/ngalert/api/authorization.go b/pkg/services/ngalert/api/authorization.go index b910571e26a..72b7fc5eb7e 100644 --- a/pkg/services/ngalert/api/authorization.go +++ b/pkg/services/ngalert/api/authorization.go @@ -10,7 +10,6 @@ import ( "github.com/grafana/grafana/pkg/middleware" "github.com/grafana/grafana/pkg/models" ac "github.com/grafana/grafana/pkg/services/accesscontrol" - acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware" "github.com/grafana/grafana/pkg/services/dashboards" "github.com/grafana/grafana/pkg/services/datasources" ngmodels "github.com/grafana/grafana/pkg/services/ngalert/models" @@ -23,7 +22,7 @@ var ( //nolint:gocyclo func (api *API) authorize(method, path string) web.Handler { - authorize := acmiddleware.Middleware(api.AccessControl) + authorize := ac.Middleware(api.AccessControl) var eval ac.Evaluator = nil // Most routes follow this general authorization approach as a fallback. Exceptions are overridden directly in the below block. diff --git a/pkg/services/serviceaccounts/api/api.go b/pkg/services/serviceaccounts/api/api.go index 5acc84f090c..d94718f4250 100644 --- a/pkg/services/serviceaccounts/api/api.go +++ b/pkg/services/serviceaccounts/api/api.go @@ -12,7 +12,6 @@ import ( "github.com/grafana/grafana/pkg/middleware" "github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/services/accesscontrol" - acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware" "github.com/grafana/grafana/pkg/services/featuremgmt" "github.com/grafana/grafana/pkg/services/serviceaccounts" "github.com/grafana/grafana/pkg/services/serviceaccounts/database" @@ -53,7 +52,7 @@ func (api *ServiceAccountsAPI) RegisterAPIEndpoints( return } - auth := acmiddleware.Middleware(api.accesscontrol) + auth := accesscontrol.Middleware(api.accesscontrol) api.RouterRegister.Group("/api/serviceaccounts", func(serviceAccountsRoute routing.RouteRegister) { serviceAccountsRoute.Get("/search", auth(middleware.ReqOrgAdmin, accesscontrol.EvalPermission(serviceaccounts.ActionRead)), routing.Wrap(api.SearchOrgServiceAccountsWithPaging))