WIP: check permissions for delete/post dashboard

pkg/api/api.go

@@ -234,7 +234,7 @@ func (hs *HttpServer) registerRoutes() {
 
 
 		// Dashboard
 		// Dashboard
 		r.Group("/dashboards", func() {
 		r.Group("/dashboards", func() {
-			r.Combo("/db/:slug").Get(wrap(GetDashboard)).Delete(DeleteDashboard)
+			r.Combo("/db/:slug").Get(wrap(GetDashboard)).Delete(wrap(DeleteDashboard))
 
 
 			r.Get("/id/:dashboardId/versions", wrap(GetDashboardVersions))
 			r.Get("/id/:dashboardId/versions", wrap(GetDashboardVersions))
 			r.Get("/id/:dashboardId/versions/:id", wrap(GetDashboardVersion))
 			r.Get("/id/:dashboardId/versions/:id", wrap(GetDashboardVersion))
@@ -242,7 +242,7 @@ func (hs *HttpServer) registerRoutes() {
 
 
 			r.Post("/calculate-diff", bind(dtos.CalculateDiffOptions{}), wrap(CalculateDashboardDiff))
 			r.Post("/calculate-diff", bind(dtos.CalculateDiffOptions{}), wrap(CalculateDashboardDiff))
 
 
-			r.Post("/db", reqEditorRole, bind(m.SaveDashboardCommand{}), wrap(PostDashboard))
+			r.Post("/db", bind(m.SaveDashboardCommand{}), wrap(PostDashboard))
 			r.Get("/file/:file", GetDashboardFromJsonFile)
 			r.Get("/file/:file", GetDashboardFromJsonFile)
 			r.Get("/home", wrap(GetHomeDashboard))
 			r.Get("/home", wrap(GetHomeDashboard))
 			r.Get("/tags", GetDashboardTags)
 			r.Get("/tags", GetDashboardTags)

pkg/api/dashboard.go

@@ -47,7 +47,7 @@ func GetDashboard(c *middleware.Context) Response {
 
 
 	dash := query.Result
 	dash := query.Result
 
 
-	canView, canEdit, canSave, err := getPermissions(dash, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
+	canView, canEdit, canSave, err := getPermissions(dash, c.OrgRole, c.IsGrafanaAdmin, c.UserId)
 	if err != nil {
 	if err != nil {
 		return ApiError(500, "Error while checking dashboard permissions", err)
 		return ApiError(500, "Error while checking dashboard permissions", err)
 	}
 	}
@@ -97,7 +97,7 @@ func GetDashboard(c *middleware.Context) Response {
 	return Json(200, dto)
 	return Json(200, dto)
 }
 }
 
 
-func getPermissions(dash *m.Dashboard, orgRole m.RoleType, isGrafanaAdmin bool, orgId int64, userId int64) (bool, bool, bool, error) {
+func getPermissions(dash *m.Dashboard, orgRole m.RoleType, isGrafanaAdmin bool, userId int64) (bool, bool, bool, error) {
 	if !dash.HasAcl {
 	if !dash.HasAcl {
 		return true, canEditDashboard(orgRole), orgRole == m.ROLE_ADMIN || orgRole == m.ROLE_EDITOR, nil
 		return true, canEditDashboard(orgRole), orgRole == m.ROLE_ADMIN || orgRole == m.ROLE_EDITOR, nil
 	}
 	}
@@ -108,7 +108,7 @@ func getPermissions(dash *m.Dashboard, orgRole m.RoleType, isGrafanaAdmin bool,
 		dashId = dash.ParentId
 		dashId = dash.ParentId
 	}
 	}
 
 
-	canView, canEdit, canSave, err := guardian.CheckDashboardPermissions(dashId, orgRole, isGrafanaAdmin, orgId, userId)
+	canView, canEdit, canSave, err := guardian.CheckDashboardPermissions(dashId, orgRole, isGrafanaAdmin, userId)
 	if err != nil {
 	if err != nil {
 		return false, false, false, err
 		return false, false, false, err
 	}
 	}
@@ -127,24 +127,31 @@ func getUserLogin(userId int64) string {
 	}
 	}
 }
 }
 
 
-func DeleteDashboard(c *middleware.Context) {
+func DeleteDashboard(c *middleware.Context) Response {
 	slug := c.Params(":slug")
 	slug := c.Params(":slug")
 
 
 	query := m.GetDashboardQuery{Slug: slug, OrgId: c.OrgId}
 	query := m.GetDashboardQuery{Slug: slug, OrgId: c.OrgId}
 	if err := bus.Dispatch(&query); err != nil {
 	if err := bus.Dispatch(&query); err != nil {
-		c.JsonApiErr(404, "Dashboard not found", nil)
-		return
+		return ApiError(404, "Dashboard not found", err)
+	}
+
+	_, _, canSave, err := getPermissions(query.Result, c.OrgRole, c.IsGrafanaAdmin, c.UserId)
+	if err != nil {
+		return ApiError(500, "Error while checking dashboard permissions", err)
+	}
+
+	if !canSave {
+		return ApiError(403, "Does not have permission to delete this dashboard", nil)
 	}
 	}
 
 
 	cmd := m.DeleteDashboardCommand{Slug: slug, OrgId: c.OrgId}
 	cmd := m.DeleteDashboardCommand{Slug: slug, OrgId: c.OrgId}
 	if err := bus.Dispatch(&cmd); err != nil {
 	if err := bus.Dispatch(&cmd); err != nil {
-		c.JsonApiErr(500, "Failed to delete dashboard", err)
-		return
+		return ApiError(500, "Failed to delete dashboard", err)
 	}
 	}
 
 
 	var resp = map[string]interface{}{"title": query.Result.Title}
 	var resp = map[string]interface{}{"title": query.Result.Title}
 
 
-	c.JSON(200, resp)
+	return Json(200, resp)
 }
 }
 
 
 func PostDashboard(c *middleware.Context, cmd m.SaveDashboardCommand) Response {
 func PostDashboard(c *middleware.Context, cmd m.SaveDashboardCommand) Response {
@@ -153,6 +160,25 @@ func PostDashboard(c *middleware.Context, cmd m.SaveDashboardCommand) Response {
 
 
 	dash := cmd.GetDashboardModel()
 	dash := cmd.GetDashboardModel()
 
 
+	query := m.GetDashboardQuery{Slug: dash.Slug, OrgId: c.OrgId}
+	err := bus.Dispatch(&query)
+	if err == nil {
+		dash.IsFolder = query.Result.IsFolder
+		if cmd.ParentId == 0 {
+			dash.ParentId = query.Result.ParentId
+		}
+		dash.HasAcl = query.Result.HasAcl
+	}
+
+	_, _, canSave, err := getPermissions(dash, c.OrgRole, c.IsGrafanaAdmin, c.UserId)
+	if err != nil {
+		return ApiError(500, "Error while checking dashboard permissions", err)
+	}
+
+	if !canSave {
+		return ApiError(403, "Does not have permission to save this dashboard", nil)
+	}
+
 	// Check if Title is empty
 	// Check if Title is empty
 	if dash.Title == "" {
 	if dash.Title == "" {
 		return ApiError(400, m.ErrDashboardTitleEmpty.Error(), nil)
 		return ApiError(400, m.ErrDashboardTitleEmpty.Error(), nil)
@@ -178,7 +204,7 @@ func PostDashboard(c *middleware.Context, cmd m.SaveDashboardCommand) Response {
 		return ApiError(500, "Invalid alert data. Cannot save dashboard", err)
 		return ApiError(500, "Invalid alert data. Cannot save dashboard", err)
 	}
 	}
 
 
-	err := bus.Dispatch(&cmd)
+	err = bus.Dispatch(&cmd)
 	if err != nil {
 	if err != nil {
 		if err == m.ErrDashboardWithSameNameExists {
 		if err == m.ErrDashboardWithSameNameExists {
 			return Json(412, util.DynMap{"status": "name-exists", "message": err.Error()})
 			return Json(412, util.DynMap{"status": "name-exists", "message": err.Error()})

pkg/services/guardian/guardian.go

@@ -5,7 +5,7 @@ import (
 	m "github.com/grafana/grafana/pkg/models"
 	m "github.com/grafana/grafana/pkg/models"
 )
 )
 
 
-// RemoveRestrictedDashboards filters out dashboards from the list that the user does have access to
+// FilterRestrictedDashboards filters out dashboards from the list that the user does have access to
 func FilterRestrictedDashboards(dashList []int64, orgId int64, userId int64) ([]int64, error) {
 func FilterRestrictedDashboards(dashList []int64, orgId int64, userId int64) ([]int64, error) {
 	user, err := getUser(userId)
 	user, err := getUser(userId)
 	if err != nil {
 	if err != nil {
@@ -59,7 +59,7 @@ func CanDeleteFromAcl(dashboardId int64, role m.RoleType, isGrafanaAdmin bool, o
 }
 }
 
 
 // CheckDashboardPermissions determines if a user has permission to view, edit or save a dashboard
 // CheckDashboardPermissions determines if a user has permission to view, edit or save a dashboard
-func CheckDashboardPermissions(dashboardId int64, role m.RoleType, isGrafanaAdmin bool, orgId int64, userId int64) (bool, bool, bool, error) {
+func CheckDashboardPermissions(dashboardId int64, role m.RoleType, isGrafanaAdmin bool, userId int64) (bool, bool, bool, error) {
 	if role == m.ROLE_ADMIN || isGrafanaAdmin {
 	if role == m.ROLE_ADMIN || isGrafanaAdmin {
 		return true, true, true, nil
 		return true, true, true, nil
 	}
 	}