Affected by GO-2022-0342 and 33 other vulnerabilities

GO-2022-0342: Grafana XSS in Dashboard Text Panel in github.com/grafana/grafana

GO-2022-0707: Grafana Authentication Bypass in github.com/grafana/grafana

GO-2024-2483: Grafana XSS via adding a link in General feature in github.com/grafana/grafana

GO-2024-2510: Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana

GO-2024-2513: Grafana information disclosure in github.com/grafana/grafana

GO-2024-2515: Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana

GO-2024-2516: Grafana XSS via a column style in github.com/grafana/grafana

GO-2024-2517: Grafana XSS in header column rename in github.com/grafana/grafana

GO-2024-2519: Grafana world readable configuration files in github.com/grafana/grafana

GO-2024-2520: Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana

GO-2024-2523: Grafana stored XSS in github.com/grafana/grafana

GO-2024-2629: Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana

GO-2024-2661: Arbitrary file read in github.com/grafana/grafana

GO-2024-2697: Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana

GO-2024-2843: Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana

GO-2024-2844: Grafana User enumeration via forget password in github.com/grafana/grafana

GO-2024-2847: Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana

GO-2024-2848: Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana

GO-2024-2851: Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana

GO-2024-2852: Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana

GO-2024-2854: Grafana folders admin only permission privilege escalation in github.com/grafana/grafana

GO-2024-2855: Grafana Plugin signature bypass in github.com/grafana/grafana

GO-2024-2856: Grafana Race condition allowing privilege escalation in github.com/grafana/grafana

GO-2024-2857: Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana

GO-2024-2867: Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana

GO-2024-3079: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana

GO-2024-3215: Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana

GO-2024-3240: Grafana org admin can delete pending invites in different org in github.com/grafana/grafana

GO-2025-3438: Grafana Alerting VictorOps integration could be exposed to users with Viewer permission in github.com/grafana/grafana

GO-2025-3704: Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana

GO-2025-3740: Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana

GO-2025-3742: Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana

GO-2025-3814: Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana

GO-2025-3817: Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana

resourcepermissions

package

v0.0.0-test.2 Latest Latest Go to latest Published: Jul 20, 2023 License: AGPL-3.0 Imports: 21 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/grafana/grafana

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func NewStore(sql db.DB) *store
type Assignments
type BuiltinResourceHookFunc
type DeleteResourcePermissionsCmd
type Description
type GetResourcePermissionsQuery
type InheritedScopesSolver
type Options
type ResourceHooks
type ResourceValidator
type Service
- func New(options Options, cfg *setting.Cfg, router routing.RouteRegister, ...) (*Service, error)
- func (s *Service) DeleteResourcePermissions(ctx context.Context, orgID int64, resourceID string) error
- func (s *Service) GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]accesscontrol.ResourcePermission, error)
- func (s *Service) MapActions(permission accesscontrol.ResourcePermission) string
- func (s *Service) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
- func (s *Service) SetPermissions(ctx context.Context, orgID int64, resourceID string, ...) ([]accesscontrol.ResourcePermission, error)
- func (s *Service) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error)
- func (s *Service) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, ...) (*accesscontrol.ResourcePermission, error)
type SetResourcePermissionCommand
type SetResourcePermissionsCommand
type Store
type TeamResourceHookFunc
type User
type UserResourceHookFunc

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ErrInvalidPermission = errors.New("invalid permission")
	ErrInvalidAssignment = errors.New("invalid assignment")
)

Functions ¶

func NewStore ¶

func NewStore(sql db.DB) *store

Types ¶

type Assignments ¶

type Assignments struct {
	Users        bool `json:"users"`
	Teams        bool `json:"teams"`
	BuiltInRoles bool `json:"builtInRoles"`
}

type BuiltinResourceHookFunc ¶

type BuiltinResourceHookFunc func(session *db.Session, orgID int64, builtInRole, resourceID, permission string) error

type DeleteResourcePermissionsCmd ¶

type DeleteResourcePermissionsCmd struct {
	Resource          string
	ResourceAttribute string
	ResourceID        string
}

type Description ¶

type Description struct {
	Assignments Assignments `json:"assignments"`
	Permissions []string    `json:"permissions"`
}

type GetResourcePermissionsQuery ¶

type GetResourcePermissionsQuery struct {
	Actions              []string
	Resource             string
	ResourceID           string
	ResourceAttribute    string
	OnlyManaged          bool
	InheritedScopes      []string
	EnforceAccessControl bool
	User                 *user.SignedInUser
}

type InheritedScopesSolver ¶

type InheritedScopesSolver func(ctx context.Context, orgID int64, resourceID string) ([]string, error)

type Options ¶

type Options struct {
	// Resource is the action and scope prefix that is generated
	Resource string
	// ResourceAttribute is the attribute the scope should be based on (e.g. id or uid)
	ResourceAttribute string
	// OnlyManaged will tell the service to return all permissions if set to false and only managed permissions if set to true
	OnlyManaged bool
	// ResourceValidator is a validator function that will be called before each assignment.
	// If set to nil the validator will be skipped
	ResourceValidator ResourceValidator
	// Assignments decides what we can assign permissions to (users/teams/builtInRoles)
	Assignments Assignments
	// PermissionsToAction is a map of friendly named permissions and what access control actions they should generate.
	// E.g. Edit permissions should generate dashboards:read, dashboards:write and dashboards:delete
	PermissionsToActions map[string][]string
	// ReaderRoleName is the display name for the generated fixed reader role
	ReaderRoleName string
	// WriterRoleName is the display name for the generated fixed writer role
	WriterRoleName string
	// RoleGroup is the group name for the generated fixed roles
	RoleGroup string
	// OnSetUser if configured will be called each time a permission is set for a user
	OnSetUser func(session *db.Session, orgID int64, user accesscontrol.User, resourceID, permission string) error
	// OnSetTeam if configured will be called each time a permission is set for a team
	OnSetTeam func(session *db.Session, orgID, teamID int64, resourceID, permission string) error
	// OnSetBuiltInRole if configured will be called each time a permission is set for a built-in role
	OnSetBuiltInRole func(session *db.Session, orgID int64, builtInRole, resourceID, permission string) error
	// InheritedScopesSolver if configured can generate additional scopes that will be used when fetching permissions for a resource
	InheritedScopesSolver InheritedScopesSolver
	// LicenseMV if configured is applied to endpoints that can modify permissions
	LicenseMW web.Handler
}

type ResourceHooks ¶

type ResourceHooks struct {
	User        UserResourceHookFunc
	Team        TeamResourceHookFunc
	BuiltInRole BuiltinResourceHookFunc
}

type ResourceValidator ¶

type ResourceValidator func(ctx context.Context, orgID int64, resourceID string) error

type Service ¶

type Service struct {
	// contains filtered or unexported fields
}

Service is used to create access control sub system including api / and service for managed resource permission

func New ¶

func New(
	options Options, cfg *setting.Cfg, router routing.RouteRegister, license licensing.Licensing,
	ac accesscontrol.AccessControl, service accesscontrol.Service, sqlStore db.DB,
	teamService team.Service, userService user.Service,
) (*Service, error)

func (*Service) DeleteResourcePermissions ¶

func (s *Service) DeleteResourcePermissions(ctx context.Context, orgID int64, resourceID string) error

func (*Service) GetPermissions ¶

func (s *Service) GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]accesscontrol.ResourcePermission, error)

func (*Service) MapActions ¶

func (s *Service) MapActions(permission accesscontrol.ResourcePermission) string

func (*Service) SetBuiltInRolePermission ¶

func (s *Service) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole, resourceID, permission string) (*accesscontrol.ResourcePermission, error)

func (*Service) SetPermissions ¶

func (s *Service) SetPermissions(
	ctx context.Context, orgID int64, resourceID string,
	commands ...accesscontrol.SetResourcePermissionCommand,
) ([]accesscontrol.ResourcePermission, error)

func (*Service) SetTeamPermission ¶

func (s *Service) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error)

func (*Service) SetUserPermission ¶

func (s *Service) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, resourceID, permission string) (*accesscontrol.ResourcePermission, error)

type SetResourcePermissionCommand ¶

type SetResourcePermissionCommand struct {
	Actions           []string
	Resource          string
	ResourceID        string
	ResourceAttribute string
	Permission        string
}

type SetResourcePermissionsCommand ¶

type SetResourcePermissionsCommand struct {
	User        accesscontrol.User
	TeamID      int64
	BuiltinRole string

	SetResourcePermissionCommand
}

type Store ¶

type Store interface {
	// SetUserResourcePermission sets permission for managed user role on a resource
	SetUserResourcePermission(
		ctx context.Context, orgID int64,
		user accesscontrol.User,
		cmd SetResourcePermissionCommand,
		hook UserResourceHookFunc,
	) (*accesscontrol.ResourcePermission, error)

	// SetTeamResourcePermission sets permission for managed team role on a resource
	SetTeamResourcePermission(
		ctx context.Context, orgID, teamID int64,
		cmd SetResourcePermissionCommand,
		hook TeamResourceHookFunc,
	) (*accesscontrol.ResourcePermission, error)

	// SetBuiltInResourcePermission sets permissions for managed builtin role on a resource
	SetBuiltInResourcePermission(
		ctx context.Context, orgID int64, builtinRole string,
		cmd SetResourcePermissionCommand,
		hook BuiltinResourceHookFunc,
	) (*accesscontrol.ResourcePermission, error)

	SetResourcePermissions(
		ctx context.Context, orgID int64,
		commands []SetResourcePermissionsCommand,
		hooks ResourceHooks,
	) ([]accesscontrol.ResourcePermission, error)

	// GetResourcePermissions will return all permission for supplied resource id
	GetResourcePermissions(ctx context.Context, orgID int64, query GetResourcePermissionsQuery) ([]accesscontrol.ResourcePermission, error)

	// DeleteResourcePermissions will delete all permissions for supplied resource id
	DeleteResourcePermissions(ctx context.Context, orgID int64, cmd *DeleteResourcePermissionsCmd) error
}

type TeamResourceHookFunc ¶

type TeamResourceHookFunc func(session *db.Session, orgID, teamID int64, resourceID, permission string) error

type User ¶

type User struct {
	ID         int64
	IsExternal bool
}

type UserResourceHookFunc ¶

type UserResourceHookFunc func(session *db.Session, orgID int64, user accesscontrol.User, resourceID, permission string) error

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL