Snapshots: Disallow anonymous user to create snapshots (#31263)

8f20b13f · Marcus Efraimsson · GitHub · b5cbbc3d · 8f20b13f · 8f20b13f
Commit 8f20b13f authored Feb 17, 2021 by Marcus Efraimsson Committed by GitHub Feb 17, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 22 deletions

pkg/middleware/auth.go
+5 -3

pkg/middleware/auth_test.go
+12 -1

public/app/features/dashboard/components/ShareModal/ShareModal.tsx
+9 -18

No files found.
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@@ -119,15 +119,17 @@ func AdminOrFeatureEnabled(enabled bool) macaron.Handler {
 	}
 }

+// SnapshotPublicModeOrSignedIn creates a middleware that allows access
+// if snapshot public mode is enabled or if user is signed in.
 func SnapshotPublicModeOrSignedIn(cfg *setting.Cfg) macaron.Handler {
 	return func(c *models.ReqContext) {
 		if cfg.SnapshotPublicMode {
 			return
 		}

-		_, err := c.Invoke(ReqSignedIn)
-		if err != nil {
-			c.JsonApiErr(500, "Failed to invoke required signed in middleware", err)
+		if !c.IsSignedIn {
+			notAuthorized(c)
+			return
 		}
 	}
 }
--- a/pkg/middleware/auth_test.go
+++ b/pkg/middleware/auth_test.go
@@ -87,11 +87,22 @@ func TestMiddlewareAuth(t *testing.T) {

 	middlewareScenario(t, "Snapshot public mode disabled and unauthenticated request should return 401", func(
 		t *testing.T, sc *scenarioContext) {
-		sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(sc.cfg), sc.defaultHandler)
+		sc.m.Get("/api/snapshot", func(c *models.ReqContext) {
+			c.IsSignedIn = false
+		}, SnapshotPublicModeOrSignedIn(sc.cfg), sc.defaultHandler)
 		sc.fakeReq("GET", "/api/snapshot").exec()
 		assert.Equal(t, 401, sc.resp.Code)
 	})

+	middlewareScenario(t, "Snapshot public mode disabled and authenticated request should return 200", func(
+		t *testing.T, sc *scenarioContext) {
+		sc.m.Get("/api/snapshot", func(c *models.ReqContext) {
+			c.IsSignedIn = true
+		}, SnapshotPublicModeOrSignedIn(sc.cfg), sc.defaultHandler)
+		sc.fakeReq("GET", "/api/snapshot").exec()
+		assert.Equal(t, 200, sc.resp.Code)
+	})
+
 	middlewareScenario(t, "Snapshot public mode enabled and unauthenticated request should return 200", func(
 		t *testing.T, sc *scenarioContext) {
 		sc.cfg.SnapshotPublicMode = true

--- a/public/app/features/dashboard/components/ShareModal/ShareModal.tsx
+++ b/public/app/features/dashboard/components/ShareModal/ShareModal.tsx
@@ -6,21 +6,7 @@ import { ShareSnapshot } from './ShareSnapshot';
 import { ShareExport } from './ShareExport';
 import { ShareEmbed } from './ShareEmbed';
 import { ShareModalTabModel } from './types';
-
-const shareCommonTabs: ShareModalTabModel[] = [
-  { label: 'Link', value: 'link', component: ShareLink },
-  { label: 'Snapshot', value: 'snapshot', component: ShareSnapshot },
-];
-
-// prettier-ignore
-const shareDashboardTabs: ShareModalTabModel[] = [
-  { label: 'Export', value: 'export', component: ShareExport },
-];
-
-// prettier-ignore
-const sharePanelTabs: ShareModalTabModel[] = [
-  { label: 'Embed', value: 'embed', component: ShareEmbed },
-];
+import { contextSrv } from 'app/core/core';

 const customDashboardTabs: ShareModalTabModel[] = [];
 const customPanelTabs: ShareModalTabModel[] = [];
@@ -43,13 +29,18 @@ function getInitialState(props: Props): State {

 function getTabs(props: Props) {
  const { panel } = props;
-  const tabs = [...shareCommonTabs];
+
+  const tabs: ShareModalTabModel[] = [{ label: 'Link', value: 'link', component: ShareLink }];
+
+  if (contextSrv.isSignedIn) {
+    tabs.push({ label: 'Snapshot', value: 'snapshot', component: ShareSnapshot });
+  }

  if (panel) {
-    tabs.push(...sharePanelTabs);
+    tabs.push({ label: 'Embed', value: 'embed', component: ShareEmbed });
    tabs.push(...customPanelTabs);
  } else {
-    tabs.push(...shareDashboardTabs);
+    tabs.push({ label: 'Export', value: 'export', component: ShareExport });
    tabs.push(...customDashboardTabs);
  }