Skip to content

Commit

Permalink
[v9.5.x] Snapshots: Require delete within same org (backport) (grafan…
Browse files Browse the repository at this point in the history
…a#84762)

* Snapshots: Require delete within same org (backport) (grafana#84707)

* check orgId on delete

* test from main

(cherry picked from commit d80f83b)

* manual fix
  • Loading branch information
ryantxu authored Mar 19, 2024
1 parent bcb4317 commit f4c5a60
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 7 deletions.
3 changes: 3 additions & 0 deletions pkg/api/dashboard_snapshot.go
Original file line number Diff line number Diff line change
Expand Up @@ -349,6 +349,9 @@ func (hs *HTTPServer) DeleteDashboardSnapshot(c *contextmodel.ReqContext) respon
if queryResult == nil {
return response.Error(http.StatusNotFound, "Failed to get dashboard snapshot", nil)
}
if queryResult.OrgID != c.OrgID {
return response.Error(http.StatusUnauthorized, "OrgID mismatch", nil)
}

if queryResult.External {
err := deleteExternalDashboardSnapshot(queryResult.ExternalDeleteURL)
Expand Down
14 changes: 7 additions & 7 deletions pkg/api/dashboard_snapshot_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ func TestDashboardSnapshotAPIEndpoint_singleSnapshot(t *testing.T) {
dashSnapSvc.On("DeleteDashboardSnapshot", mock.Anything, mock.AnythingOfType("*dashboardsnapshots.DeleteDashboardSnapshotCommand")).Return(nil).Maybe()
res := &dashboardsnapshots.DashboardSnapshot{
ID: 1,
OrgID: 1,
Key: "12345",
DeleteKey: "54321",
Dashboard: jsonModel,
Expand Down Expand Up @@ -103,12 +104,11 @@ func TestDashboardSnapshotAPIEndpoint_singleSnapshot(t *testing.T) {
sc.handlerFunc = hs.DeleteDashboardSnapshotByDeleteKey
sc.fakeReqWithParams("GET", sc.url, map[string]string{"deleteKey": "12345"}).exec()

require.Equal(t, 200, sc.resp.Code)
require.Equal(t, 200, sc.resp.Code, "BODY: "+sc.resp.Body.String())
respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
require.NoError(t, err)

assert.True(t, strings.HasPrefix(respJSON.Get("message").MustString(), "Snapshot deleted"))
assert.Equal(t, 1, respJSON.Get("id").MustInt())

assert.Equal(t, http.MethodGet, externalRequest.Method)
assert.Equal(t, ts.URL, fmt.Sprintf("http://%s", externalRequest.Host))
Expand Down Expand Up @@ -333,7 +333,7 @@ func TestGetDashboardSnapshotNotFound(t *testing.T) {
sc.handlerFunc = hs.DeleteDashboardSnapshot
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"key": "12345"}).exec()

assert.Equal(t, http.StatusNotFound, sc.resp.Code)
assert.Equal(t, http.StatusNotFound, sc.resp.Code, "BODY: "+sc.resp.Body.String())
}, sqlmock)

loggedInUserScenarioWithRole(t,
Expand All @@ -344,7 +344,7 @@ func TestGetDashboardSnapshotNotFound(t *testing.T) {
sc.handlerFunc = hs.DeleteDashboardSnapshotByDeleteKey
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"deleteKey": "12345"}).exec()

assert.Equal(t, http.StatusNotFound, sc.resp.Code)
assert.Equal(t, http.StatusNotFound, sc.resp.Code, "BODY: "+sc.resp.Body.String())
}, sqlmock)
}

Expand Down Expand Up @@ -407,7 +407,7 @@ func TestGetDashboardSnapshotFailure(t *testing.T) {
sc.handlerFunc = hs.DeleteDashboardSnapshot
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"key": "12345"}).exec()

assert.Equal(t, http.StatusForbidden, sc.resp.Code)
assert.Equal(t, http.StatusForbidden, sc.resp.Code, "BODY: "+sc.resp.Body.String())
}, sqlmock)

loggedInUserScenarioWithRole(t,
Expand All @@ -418,7 +418,7 @@ func TestGetDashboardSnapshotFailure(t *testing.T) {
sc.handlerFunc = hs.DeleteDashboardSnapshotByDeleteKey
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"deleteKey": "12345"}).exec()

assert.Equal(t, http.StatusInternalServerError, sc.resp.Code)
assert.Equal(t, http.StatusInternalServerError, sc.resp.Code, "BODY: "+sc.resp.Body.String())
}, sqlmock)

loggedInUserScenarioWithRole(t,
Expand All @@ -429,7 +429,7 @@ func TestGetDashboardSnapshotFailure(t *testing.T) {
sc.handlerFunc = hs.DeleteDashboardSnapshotByDeleteKey
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"deleteKey": "12345"}).exec()

assert.Equal(t, http.StatusForbidden, sc.resp.Code)
assert.Equal(t, http.StatusForbidden, sc.resp.Code, "BODY: "+sc.resp.Body.String())
}, sqlmock)
}

Expand Down

0 comments on commit f4c5a60

Please sign in to comment.