Commit 46412c84 by Torkel Ödegaard

dasboard_history: security fix, added orgId filter to dashboard version lookup

parent 3ba8aeb9
...@@ -346,6 +346,9 @@ func CalculateDashboardDiff(c *middleware.Context, apiOptions dtos.CalculateDiff ...@@ -346,6 +346,9 @@ func CalculateDashboardDiff(c *middleware.Context, apiOptions dtos.CalculateDiff
result, err := dashdiffs.CalculateDiff(&options) result, err := dashdiffs.CalculateDiff(&options)
if err != nil { if err != nil {
if err == m.ErrDashboardVersionNotFound {
return ApiError(404, "Dashboard version not found", err)
}
return ApiError(500, "Unable to compute diff", err) return ApiError(500, "Unable to compute diff", err)
} }
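Review bot: The new 404 branch in CalculateDashboardDiff should carry a comment explaining why it exists. Judging by the lookup changed later in this commit, `m.ErrDashboardVersionNotFound` is returned both when the version is missing and when it belongs to a dashboard in another org. Answering both cases identically keeps the endpoint from confirming which dashboard ids exist outside the caller's org. Suggested comment above the `if`: `// Not found also covers versions outside the caller's org; keep the response identical for both.` The function starts and ends outside this hunk, so how `ApiError` exposes the wrapped `err` to the client cannot be checked from here.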
......
...@@ -65,6 +65,7 @@ func CalculateDiff(options *Options) (*Result, error) { ...@@ -65,6 +65,7 @@ func CalculateDiff(options *Options) (*Result, error) {
baseVersionQuery := models.GetDashboardVersionQuery{ baseVersionQuery := models.GetDashboardVersionQuery{
DashboardId: options.Base.DashboardId, DashboardId: options.Base.DashboardId,
Version: options.Base.Version, Version: options.Base.Version,
OrgId: options.OrgId,
} }
if err := bus.Dispatch(&baseVersionQuery); err != nil { if err := bus.Dispatch(&baseVersionQuery); err != nil {
...@@ -74,6 +75,7 @@ func CalculateDiff(options *Options) (*Result, error) { ...@@ -74,6 +75,7 @@ func CalculateDiff(options *Options) (*Result, error) {
newVersionQuery := models.GetDashboardVersionQuery{ newVersionQuery := models.GetDashboardVersionQuery{
DashboardId: options.New.DashboardId, DashboardId: options.New.DashboardId,
Version: options.New.Version, Version: options.New.Version,
OrgId: options.OrgId,
} }
if err := bus.Dispatch(&newVersionQuery); err != nil { if err := bus.Dispatch(&newVersionQuery); err != nil {
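Review bot: Both queries now read `options.OrgId`, but neither hunk shows where `Options.OrgId` is assigned. The filter only separates orgs if that value is taken from the authenticated request context and never from the client-supplied diff options, which is worth confirming at the call site in CalculateDashboardDiff. Any other dispatcher of `GetDashboardVersionQuery` outside this diff also has to set `OrgId`, otherwise its lookups will presumably start failing with `ErrDashboardVersionNotFound`. A regression test that requests a diff for a dashboard owned by a different org and expects not-found would pin the fix. CalculateDiff's body continues outside both hunks.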
......
...@@ -10,15 +10,22 @@ func init() { ...@@ -10,15 +10,22 @@ func init() {
bus.AddHandler("sql", GetDashboardVersions) bus.AddHandler("sql", GetDashboardVersions)
} }
// GetDashboardVersion gets the dashboard version for the given dashboard ID // GetDashboardVersion gets the dashboard version for the given dashboard ID and version number.
// and version number.
func GetDashboardVersion(query *m.GetDashboardVersionQuery) error { func GetDashboardVersion(query *m.GetDashboardVersionQuery) error {
result, err := getDashboardVersion(query.DashboardId, query.Version) version := m.DashboardVersion{}
has, err := x.Where("dashboard_version.dashboard_id=? AND dashboard_version.version=? AND dashboard.org_id=?", query.DashboardId, query.Version, query.OrgId).
Join("LEFT", "dashboard", `dashboard.id = dashboard_version.dashboard_id`).
Get(&version)
if err != nil { if err != nil {
return err return err
} }
query.Result = result if !has {
return m.ErrDashboardVersionNotFound
}
query.Result = &version
return nil return nil
} }
...@@ -50,33 +57,3 @@ func GetDashboardVersions(query *m.GetDashboardVersionsQuery) error { ...@@ -50,33 +57,3 @@ func GetDashboardVersions(query *m.GetDashboardVersionsQuery) error {
} }
return nil return nil
} }
// getDashboardVersion is a helper function that gets the dashboard version for
// the given dashboard ID and version ID.
func getDashboardVersion(dashboardId int64, version int) (*m.DashboardVersion, error) {
dashboardVersion := m.DashboardVersion{}
has, err := x.Where("dashboard_id=? AND version=?", dashboardId, version).Get(&dashboardVersion)
if err != nil {
return nil, err
}
if !has {
return nil, m.ErrDashboardVersionNotFound
}
dashboardVersion.Data.Set("id", dashboardVersion.DashboardId)
return &dashboardVersion, nil
}
// getDashboard gets a dashboard by ID. Used for retrieving the dashboard
// associated with dashboard versions.
func getDashboard(dashboardId int64) (*m.Dashboard, error) {
dashboard := m.Dashboard{Id: dashboardId}
has, err := x.Get(&dashboard)
if err != nil {
return nil, err
}
if has == false {
return nil, m.ErrDashboardNotFound
}
return &dashboard, nil
}
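Review bot: The rewritten GetDashboardVersion no longer calls `Data.Set("id", ...)`, which the removed getDashboardVersion helper did before returning the row. If consumers of `query.Result` rely on the id being present inside the stored JSON (not visible here), add `version.Data.Set("id", version.DashboardId)` before `query.Result = &version`. Separately, the `LEFT` join combined with `dashboard.org_id=?` in the WHERE clause already discards rows with no matching dashboard, so it behaves as an inner join. Writing `Join("INNER", "dashboard", ...)` would state that intent directly and keep a later edit to the WHERE clause from silently returning versions whose dashboard row is absent.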
...@@ -23,67 +23,59 @@ func NewXormLogger(level glog.Lvl, grafanaLog glog.Logger) *XormLogger { ...@@ -23,67 +23,59 @@ func NewXormLogger(level glog.Lvl, grafanaLog glog.Logger) *XormLogger {
} }
// Error implement core.ILogger // Error implement core.ILogger
func (s *XormLogger) Err(v ...interface{}) error { func (s *XormLogger) Error(v ...interface{}) {
if s.level <= glog.LvlError { if s.level <= glog.LvlError {
s.grafanaLog.Error(fmt.Sprint(v...)) s.grafanaLog.Error(fmt.Sprint(v...))
} }
return nil
} }
// Errorf implement core.ILogger // Errorf implement core.ILogger
func (s *XormLogger) Errf(format string, v ...interface{}) error { func (s *XormLogger) Errorf(format string, v ...interface{}) {
if s.level <= glog.LvlError { if s.level <= glog.LvlError {
s.grafanaLog.Error(fmt.Sprintf(format, v...)) s.grafanaLog.Error(fmt.Sprintf(format, v...))
} }
return nil
} }
// Debug implement core.ILogger // Debug implement core.ILogger
func (s *XormLogger) Debug(v ...interface{}) error { func (s *XormLogger) Debug(v ...interface{}) {
if s.level <= glog.LvlDebug { if s.level <= glog.LvlDebug {
s.grafanaLog.Debug(fmt.Sprint(v...)) s.grafanaLog.Debug(fmt.Sprint(v...))
} }
return nil
} }
// Debugf implement core.ILogger // Debugf implement core.ILogger
func (s *XormLogger) Debugf(format string, v ...interface{}) error { func (s *XormLogger) Debugf(format string, v ...interface{}) {
if s.level <= glog.LvlDebug { if s.level <= glog.LvlDebug {
s.grafanaLog.Debug(fmt.Sprintf(format, v...)) s.grafanaLog.Debug(fmt.Sprintf(format, v...))
} }
return nil
} }
// Info implement core.ILogger // Info implement core.ILogger
func (s *XormLogger) Info(v ...interface{}) error { func (s *XormLogger) Info(v ...interface{}) {
if s.level <= glog.LvlInfo { if s.level <= glog.LvlInfo {
s.grafanaLog.Info(fmt.Sprint(v...)) s.grafanaLog.Info(fmt.Sprint(v...))
} }
return nil
} }
// Infof implement core.ILogger // Infof implement core.ILogger
func (s *XormLogger) Infof(format string, v ...interface{}) error { func (s *XormLogger) Infof(format string, v ...interface{}) {
if s.level <= glog.LvlInfo { if s.level <= glog.LvlInfo {
s.grafanaLog.Info(fmt.Sprintf(format, v...)) s.grafanaLog.Info(fmt.Sprintf(format, v...))
} }
return nil
} }
// Warn implement core.ILogger // Warn implement core.ILogger
func (s *XormLogger) Warning(v ...interface{}) error { func (s *XormLogger) Warn(v ...interface{}) {
if s.level <= glog.LvlWarn { if s.level <= glog.LvlWarn {
s.grafanaLog.Warn(fmt.Sprint(v...)) s.grafanaLog.Warn(fmt.Sprint(v...))
} }
return nil
} }
// Warnf implement core.ILogger // Warnf implement core.ILogger
func (s *XormLogger) Warningf(format string, v ...interface{}) error { func (s *XormLogger) Warnf(format string, v ...interface{}) {
if s.level <= glog.LvlWarn { if s.level <= glog.LvlWarn {
s.grafanaLog.Warn(fmt.Sprintf(format, v...)) s.grafanaLog.Warn(fmt.Sprintf(format, v...))
} }
return nil
} }
// Level implement core.ILogger // Level implement core.ILogger
...@@ -103,8 +95,7 @@ func (s *XormLogger) Level() core.LogLevel { ...@@ -103,8 +95,7 @@ func (s *XormLogger) Level() core.LogLevel {
} }
// SetLevel implement core.ILogger // SetLevel implement core.ILogger
func (s *XormLogger) SetLevel(l core.LogLevel) error { func (s *XormLogger) SetLevel(l core.LogLevel) {
return nil
} }
// ShowSQL implement core.ILogger // ShowSQL implement core.ILogger
......