middlware: change org when url contains orgid

closes #6948
ref #1613

pkg/api/http_server.go

@@ -150,6 +150,7 @@ func (hs *HttpServer) newMacaron() *macaron.Macaron {
 	m.Use(middleware.GetContextHandler())
 	m.Use(middleware.Sessioner(&setting.SessionOptions))
 	m.Use(middleware.RequestMetrics())
+	m.Use(middleware.OrgRedirect())
 
 	// needs to be after context handler
 	if setting.EnforceDomain {

pkg/middleware/middleware_test.go

@@ -326,6 +326,7 @@ func middlewareScenario(desc string, fn scenarioFunc) {
 		// mock out gc goroutine
 		startSessionGC = func() {}
 		sc.m.Use(Sessioner(&session.Options{}))
+		sc.m.Use(OrgRedirect())
 
 		sc.defaultHandler = func(c *Context) {
 			sc.context = c

pkg/middleware/org_redirect.go

+package middleware
+
+import (
+	"net/http"
+
+	"github.com/grafana/grafana/pkg/bus"
+	"github.com/grafana/grafana/pkg/models"
+
+	"gopkg.in/macaron.v1"
+)
+
+func OrgRedirect() macaron.Handler {
+	return func(res http.ResponseWriter, req *http.Request, c *macaron.Context) {
+		orgId := c.QueryInt64("org-id")
+		if orgId == 0 {
+			return
+		}
+
+		ctx, ok := c.Data["ctx"].(*Context)
+		if !ok || !ctx.IsSignedIn {
+			return
+		}
+
+		if orgId == ctx.OrgId {
+			return
+		}
+
+		cmd := models.SetUsingOrgCommand{UserId: ctx.UserId, OrgId: orgId}
+		if err := bus.Dispatch(&cmd); err != nil {
+			if ctx.IsApiRequest() {
+				ctx.JsonApiErr(404, "Not found", nil)
+			} else {
+				ctx.Error(404, "Not found")
+			}
+
+			return
+		}
+
+		c.Redirect(c.Req.URL.String(), 302)
+	}
+}

pkg/middleware/org_redirect_test.go

+package middleware
+
+import (
+	"testing"
+
+	"fmt"
+
+	"github.com/grafana/grafana/pkg/bus"
+	"github.com/grafana/grafana/pkg/models"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestOrgRedirectMiddleware(t *testing.T) {
+
+	Convey("Can redirect to correct org", t, func() {
+		middlewareScenario("when setting a correct org for the user", func(sc *scenarioContext) {
+			sc.fakeReq("GET", "/").handler(func(c *Context) {
+				c.Session.Set(SESS_KEY_USERID, int64(12))
+			}).exec()
+
+			bus.AddHandler("test", func(query *models.SetUsingOrgCommand) error {
+				return nil
+			})
+
+			bus.AddHandler("test", func(query *models.GetSignedInUserQuery) error {
+				query.Result = &models.SignedInUser{OrgId: 1, UserId: 12}
+				return nil
+			})
+
+			sc.m.Get("/", sc.defaultHandler)
+			sc.fakeReq("GET", "/?org-id=3").exec()
+
+			Convey("change org and redirect", func() {
+				So(sc.resp.Code, ShouldEqual, 302)
+			})
+		})
+
+		middlewareScenario("when setting an invalid org for user", func(sc *scenarioContext) {
+			sc.fakeReq("GET", "/").handler(func(c *Context) {
+				c.Session.Set(SESS_KEY_USERID, int64(12))
+			}).exec()
+
+			bus.AddHandler("test", func(query *models.SetUsingOrgCommand) error {
+				return fmt.Errorf("")
+			})
+
+			bus.AddHandler("test", func(query *models.GetSignedInUserQuery) error {
+				query.Result = &models.SignedInUser{OrgId: 1, UserId: 12}
+				return nil
+			})
+
+			sc.m.Get("/", sc.defaultHandler)
+			sc.fakeReq("GET", "/?org-id=3").exec()
+
+			Convey("not allowed to change org", func() {
+				So(sc.resp.Code, ShouldEqual, 404)
+			})
+		})
+	})
+}

pkg/services/alerting/eval_context.go

@@ -113,7 +113,7 @@ func (c *EvalContext) GetRuleUrl() (string, error) {
 	if slug, err := c.GetDashboardSlug(); err != nil {
 		return "", err
 	} else {
-		ruleUrl := fmt.Sprintf("%sdashboard/db/%s?fullscreen&edit&tab=alert&panelId=%d", setting.AppUrl, slug, c.Rule.PanelId)
+		ruleUrl := fmt.Sprintf("%sdashboard/db/%s?fullscreen&edit&tab=alert&panelId=%d&org-id=%d", setting.AppUrl, slug, c.Rule.PanelId, c.Rule.OrgId)
 		return ruleUrl, nil
 	}
 }

pkg/services/sqlstore/user.go

@@ -6,6 +6,8 @@ import (
 
 	"github.com/go-xorm/xorm"
 
+	"fmt"
+
 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/events"
 	m "github.com/grafana/grafana/pkg/models"
@@ -260,6 +262,20 @@ func ChangeUserPassword(cmd *m.ChangeUserPasswordCommand) error {
 }
 
 func SetUsingOrg(cmd *m.SetUsingOrgCommand) error {
+	getOrgsForUserCmd := &m.GetUserOrgListQuery{UserId: cmd.UserId}
+	GetUserOrgList(getOrgsForUserCmd)
+
+	valid := false
+	for _, other := range getOrgsForUserCmd.Result {
+		if other.OrgId == cmd.OrgId {
+			valid = true
+		}
+	}
+
+	if !valid {
+		return fmt.Errorf("user does not belong ot org")
+	}
+
 	return inTransaction(func(sess *xorm.Session) error {
 		user := m.User{}
 		sess.Id(cmd.UserId).Get(&user)