Snapshots: Disallow anonymous user to create snapshots (#31263)
marefr authored and ryantxu committed Feb 24, 2021
1 parent 27a2ae7 commit a9e9566
Showing 3 changed files with 26 additions and 22 deletions.
8 changes: 5 additions & 3 deletions pkg/middleware/auth.go
Expand Up @@ -119,15 +119,17 @@ func AdminOrFeatureEnabled(enabled bool) macaron.Handler {
}
}

// SnapshotPublicModeOrSignedIn creates a middleware that allows access
// if snapshot public mode is enabled or if user is signed in.
func SnapshotPublicModeOrSignedIn(cfg *setting.Cfg) macaron.Handler {
return func(c *models.ReqContext) {
if cfg.SnapshotPublicMode {
return
}

_, err := c.Invoke(ReqSignedIn)
if err != nil {
c.JsonApiErr(500, "Failed to invoke required signed in middleware", err)
if !c.IsSignedIn {
notAuthorized(c)
return
}
}
}
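Review bot: The doc comment on SnapshotPublicModeOrSignedIn still says only "if user is signed in", so it does not record the behaviour this commit exists for: an anonymous session is now refused. The new check reads `c.IsSignedIn` directly, which presumably stays false for anonymous users (inferred from the commit title; the code that sets it is not in this hunk) and which relies on an earlier handler in the chain having populated it. I would add a line such as `// Anonymous sessions count as not signed in and are rejected unless snapshot public mode is on.` and mention that an unset `IsSignedIn` fails closed. The early `return` under `cfg.SnapshotPublicMode` skips every check, so the comment should also state that public mode deliberately admits unauthenticated requests.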
13 changes: 12 additions & 1 deletion pkg/middleware/auth_test.go
Expand Up @@ -87,11 +87,22 @@ func TestMiddlewareAuth(t *testing.T) {

middlewareScenario(t, "Snapshot public mode disabled and unauthenticated request should return 401", func(
t *testing.T, sc *scenarioContext) {
sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(sc.cfg), sc.defaultHandler)
sc.m.Get("/api/snapshot", func(c *models.ReqContext) {
c.IsSignedIn = false
}, SnapshotPublicModeOrSignedIn(sc.cfg), sc.defaultHandler)
sc.fakeReq("GET", "/api/snapshot").exec()
assert.Equal(t, 401, sc.resp.Code)
})

middlewareScenario(t, "Snapshot public mode disabled and authenticated request should return 200", func(
t *testing.T, sc *scenarioContext) {
sc.m.Get("/api/snapshot", func(c *models.ReqContext) {
c.IsSignedIn = true
}, SnapshotPublicModeOrSignedIn(sc.cfg), sc.defaultHandler)
sc.fakeReq("GET", "/api/snapshot").exec()
assert.Equal(t, 200, sc.resp.Code)
})

middlewareScenario(t, "Snapshot public mode enabled and unauthenticated request should return 200", func(
t *testing.T, sc *scenarioContext) {
sc.cfg.SnapshotPublicMode = true
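Review bot: Both new scenarios force `c.IsSignedIn` with a stub handler, so they verify the branch inside SnapshotPublicModeOrSignedIn but not that an anonymous session actually reaches it with `IsSignedIn == false`, which is the regression the commit title describes. A scenario that enables anonymous access on the scenario config and sends the request through the real context handler, still expecting 401, would pin that. As written, a later change to how anonymous users are flagged would not fail these tests. The stub in the 401 case is probably redundant as well, since the removed version of that test expected 401 without it; a short comment saying it is kept for symmetry with the 200 case would help. TestMiddlewareAuth continues outside the hunk.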
27 changes: 9 additions & 18 deletions public/app/features/dashboard/components/ShareModal/ShareModal.tsx
Expand Up @@ -6,21 +6,7 @@ import { ShareSnapshot } from './ShareSnapshot';
import { ShareExport } from './ShareExport';
import { ShareEmbed } from './ShareEmbed';
import { ShareModalTabModel } from './types';

const shareCommonTabs: ShareModalTabModel[] = [
{ label: 'Link', value: 'link', component: ShareLink },
{ label: 'Snapshot', value: 'snapshot', component: ShareSnapshot },
];

// prettier-ignore
const shareDashboardTabs: ShareModalTabModel[] = [
{ label: 'Export', value: 'export', component: ShareExport },
];

// prettier-ignore
const sharePanelTabs: ShareModalTabModel[] = [
{ label: 'Embed', value: 'embed', component: ShareEmbed },
];
import { contextSrv } from 'app/core/core';

const customDashboardTabs: ShareModalTabModel[] = [];
const customPanelTabs: ShareModalTabModel[] = [];
Expand All @@ -43,13 +29,18 @@ function getInitialState(props: Props): State {

function getTabs(props: Props) {
const { panel } = props;
const tabs = [...shareCommonTabs];

const tabs: ShareModalTabModel[] = [{ label: 'Link', value: 'link', component: ShareLink }];

if (contextSrv.isSignedIn) {
tabs.push({ label: 'Snapshot', value: 'snapshot', component: ShareSnapshot });
}

if (panel) {
tabs.push(...sharePanelTabs);
tabs.push({ label: 'Embed', value: 'embed', component: ShareEmbed });
tabs.push(...customPanelTabs);
} else {
tabs.push(...shareDashboardTabs);
tabs.push({ label: 'Export', value: 'export', component: ShareExport });
tabs.push(...customDashboardTabs);
}
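Review bot: The `contextSrv.isSignedIn` test in getTabs only hides the Snapshot tab, so it should carry a comment marking it as a UI convenience and not the access control, e.g. `// UI hint only: snapshot creation is enforced server-side by SnapshotPublicModeOrSignedIn.` The client condition also differs from the server's: the middleware in pkg/middleware/auth.go lets unauthenticated requests through when snapshot public mode is on, while this check hides the tab regardless. If that asymmetry is intended, the comment should say so. Separately, getTabs has no declared return type; `function getTabs(props: Props): ShareModalTabModel[]` would make the contract explicit. getTabs continues past the end of the hunk.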

