apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

User: Check SignedInUser OrgID in RevokeInvite (#95476)

Browse Source 
Check SignedInUser OrgID in RevokeInvite
pull/95491/head
Misi 1 year ago committed by GitHub
parent 4a13580a2f
commit fedcf47702
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 14 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 14
      pkg/api/org_invite.go

14
pkg/api/org_invite.go
Unescape View File

@ -195,6 +195,20 @@ func (hs *HTTPServer) inviteExistingUserToOrg(c *contextmodel.ReqContext, user *
// 404: notFoundError
// 500: internalServerError
func (hs *HTTPServer) RevokeInvite(c *contextmodel.ReqContext) response.Response {
query := tempuser.GetTempUserByCodeQuery{Code: web.Params(c.Req)[":code"]}
queryResult, err := hs.tempUserService.GetTempUserByCode(c.Req.Context(), &query)
if err != nil {
if errors.Is(err, tempuser.ErrTempUserNotFound) {
return response.Error(http.StatusNotFound, "Invite not found", nil)
}
return response.Error(http.StatusInternalServerError, "Failed to get invite", err)
}
canRevoke := c.SignedInUser.GetOrgID() == queryResult.OrgID || c.SignedInUser.GetIsGrafanaAdmin()
if !canRevoke {
return response.Error(http.StatusForbidden, "Permission denied: not permitted to revoke invite", nil)
}
if ok, rsp := hs.updateTempUserStatus(c.Req.Context(), web.Params(c.Req)[":code"], tempuser.TmpUserRevoked); !ok {
return rsp
}

Write Preview
Loading…
Cancel
Save