Commit 46412c84 by Torkel Ödegaard

dasboard_history: security fix, added orgId filter to dashboard version lookup

parent 3ba8aeb9
......@@ -346,6 +346,9 @@ func CalculateDashboardDiff(c *middleware.Context, apiOptions dtos.CalculateDiff
result, err := dashdiffs.CalculateDiff(&options)
if err != nil {
if err == m.ErrDashboardVersionNotFound {
return ApiError(404, "Dashboard version not found", err)
}
return ApiError(500, "Unable to compute diff", err)
}
......
......@@ -65,6 +65,7 @@ func CalculateDiff(options *Options) (*Result, error) {
baseVersionQuery := models.GetDashboardVersionQuery{
DashboardId: options.Base.DashboardId,
Version: options.Base.Version,
OrgId: options.OrgId,
}
if err := bus.Dispatch(&baseVersionQuery); err != nil {
......@@ -74,6 +75,7 @@ func CalculateDiff(options *Options) (*Result, error) {
newVersionQuery := models.GetDashboardVersionQuery{
DashboardId: options.New.DashboardId,
Version: options.New.Version,
OrgId: options.OrgId,
}
if err := bus.Dispatch(&newVersionQuery); err != nil {
......
......@@ -10,15 +10,22 @@ func init() {
bus.AddHandler("sql", GetDashboardVersions)
}
// GetDashboardVersion gets the dashboard version for the given dashboard ID
// and version number.
// GetDashboardVersion gets the dashboard version for the given dashboard ID and version number.
func GetDashboardVersion(query *m.GetDashboardVersionQuery) error {
result, err := getDashboardVersion(query.DashboardId, query.Version)
version := m.DashboardVersion{}
has, err := x.Where("dashboard_version.dashboard_id=? AND dashboard_version.version=? AND dashboard.org_id=?", query.DashboardId, query.Version, query.OrgId).
Join("LEFT", "dashboard", `dashboard.id = dashboard_version.dashboard_id`).
Get(&version)
if err != nil {
return err
}
query.Result = result
if !has {
return m.ErrDashboardVersionNotFound
}
query.Result = &version
return nil
}
......@@ -50,33 +57,3 @@ func GetDashboardVersions(query *m.GetDashboardVersionsQuery) error {
}
return nil
}
// getDashboardVersion is a helper function that gets the dashboard version for
// the given dashboard ID and version ID.
func getDashboardVersion(dashboardId int64, version int) (*m.DashboardVersion, error) {
dashboardVersion := m.DashboardVersion{}
has, err := x.Where("dashboard_id=? AND version=?", dashboardId, version).Get(&dashboardVersion)
if err != nil {
return nil, err
}
if !has {
return nil, m.ErrDashboardVersionNotFound
}
dashboardVersion.Data.Set("id", dashboardVersion.DashboardId)
return &dashboardVersion, nil
}
// getDashboard gets a dashboard by ID. Used for retrieving the dashboard
// associated with dashboard versions.
func getDashboard(dashboardId int64) (*m.Dashboard, error) {
dashboard := m.Dashboard{Id: dashboardId}
has, err := x.Get(&dashboard)
if err != nil {
return nil, err
}
if has == false {
return nil, m.ErrDashboardNotFound
}
return &dashboard, nil
}
......@@ -23,67 +23,59 @@ func NewXormLogger(level glog.Lvl, grafanaLog glog.Logger) *XormLogger {
}
// Error implement core.ILogger
func (s *XormLogger) Err(v ...interface{}) error {
func (s *XormLogger) Error(v ...interface{}) {
if s.level <= glog.LvlError {
s.grafanaLog.Error(fmt.Sprint(v...))
}
return nil
}
// Errorf implement core.ILogger
func (s *XormLogger) Errf(format string, v ...interface{}) error {
func (s *XormLogger) Errorf(format string, v ...interface{}) {
if s.level <= glog.LvlError {
s.grafanaLog.Error(fmt.Sprintf(format, v...))
}
return nil
}
// Debug implement core.ILogger
func (s *XormLogger) Debug(v ...interface{}) error {
func (s *XormLogger) Debug(v ...interface{}) {
if s.level <= glog.LvlDebug {
s.grafanaLog.Debug(fmt.Sprint(v...))
}
return nil
}
// Debugf implement core.ILogger
func (s *XormLogger) Debugf(format string, v ...interface{}) error {
func (s *XormLogger) Debugf(format string, v ...interface{}) {
if s.level <= glog.LvlDebug {
s.grafanaLog.Debug(fmt.Sprintf(format, v...))
}
return nil
}
// Info implement core.ILogger
func (s *XormLogger) Info(v ...interface{}) error {
func (s *XormLogger) Info(v ...interface{}) {
if s.level <= glog.LvlInfo {
s.grafanaLog.Info(fmt.Sprint(v...))
}
return nil
}
// Infof implement core.ILogger
func (s *XormLogger) Infof(format string, v ...interface{}) error {
func (s *XormLogger) Infof(format string, v ...interface{}) {
if s.level <= glog.LvlInfo {
s.grafanaLog.Info(fmt.Sprintf(format, v...))
}
return nil
}
// Warn implement core.ILogger
func (s *XormLogger) Warning(v ...interface{}) error {
func (s *XormLogger) Warn(v ...interface{}) {
if s.level <= glog.LvlWarn {
s.grafanaLog.Warn(fmt.Sprint(v...))
}
return nil
}
// Warnf implement core.ILogger
func (s *XormLogger) Warningf(format string, v ...interface{}) error {
func (s *XormLogger) Warnf(format string, v ...interface{}) {
if s.level <= glog.LvlWarn {
s.grafanaLog.Warn(fmt.Sprintf(format, v...))
}
return nil
}
// Level implement core.ILogger
......@@ -103,8 +95,7 @@ func (s *XormLogger) Level() core.LogLevel {
}
// SetLevel implement core.ILogger
func (s *XormLogger) SetLevel(l core.LogLevel) error {
return nil
func (s *XormLogger) SetLevel(l core.LogLevel) {
}
// ShowSQL implement core.ILogger
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment