Authorization bypass / Access control

PoC outline (before vs after fix): Prerequisites: Grafana instance with K8s Dashboards feature enabled; a folder with UID FOLDER_UID; a user U granted dashboards:create on the folder but not folders:write. Pre-fix behavior (buggy path): - User U attempts to create a dashboard in FOLDER_UID via Grafana API. - The server checks the folder access subresource CanEdit (folders:write) and denies access if folders:write is not granted. - Result: HTTP 403 Forbidden, dashboard creation blocked despite dashboards:create being granted. Post-fix behavior (patched path): - User U attempts the same create operation. - The server performs a direct dashboards:create check scoped to the folder (instead of CanEdit on the folder subresource). - If dashboards:create is granted, the operation succeeds. - Result: HTTP 201 Created (or equivalent success response). Concrete illustrative curl (illustrative only): - Payload for creating a dashboard in a folder: curl -X POST https://grafana.example/api/dashboards -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{"dashboard":{"title":"Poc Test","uid":"poc-test-123","folderUid":"FOLDER_UID"}}' - Expected outcome: - If pre-fix: 403 Forbidden (due to CanEdit check failing). - If post-fix: 201 Created (assuming dashboards:create is granted). Notes: This PoC assumes the K8s Dashboards feature and RBAC configured to grant dashboards:create on the folder but not folders:write. The fix ensures permissions are evaluated against dashboards:create rather than the broader folders:write capability.

diff --git a/pkg/registry/apis/dashboard/register.go b/pkg/registry/apis/dashboard/register.go index 3a9ea8a266df..144cc6772136 100644 --- a/pkg/registry/apis/dashboard/register.go +++ b/pkg/registry/apis/dashboard/register.go @@ -1102,34 +1102,24 @@ func (b *DashboardsAPIBuilder) GetAuthorizer() authorizer.Authorizer { }) } -func (b *DashboardsAPIBuilder) verifyFolderAccessPermissions(ctx context.Context, user identity.Requester, folderIds ...string) error { +func (b *DashboardsAPIBuilder) verifyFolderAccessPermissions(ctx context.Context, user identity.Requester, folderID string) error { ns, err := request.NamespaceInfoFrom(ctx, false) if err != nil { return err } - folderClient := b.folderClientProvider.GetOrCreateHandler(ns.Value) - - for _, folderId := range folderIds { - resp, err := folderClient.Get(ctx, folderId, ns.OrgID, metav1.GetOptions{}, "access") - if err != nil { - if apierrors.IsNotFound(err) { - return apierrors.NewNotFound(folders.FolderResourceInfo.GroupResource(), folderId) - } - if apierrors.IsForbidden(err) { - return apierrors.NewForbidden(folders.FolderResourceInfo.GroupResource(), folderId, folder.ErrAccessDenied) - } - return err - } - var accessInfo folders.FolderAccessInfo - err = runtime.DefaultUnstructuredConverter.FromUnstructured(resp.Object, &accessInfo) - if err != nil { - logging.FromContext(ctx).Error("Failed to convert folder access response", "error", err) - return err - } - if !accessInfo.CanEdit { - return apierrors.NewForbidden(folders.FolderResourceInfo.GroupResource(), folderId, folder.ErrAccessDenied) - } + gvr := dashv1.DashboardResourceInfo.GroupVersionResource() + resp, err := b.accessClient.Check(ctx, user, authlib.CheckRequest{ + Verb: utils.VerbCreate, + Group: gvr.Group, + Resource: gvr.Resource, + Namespace: ns.Value, + }, folderID) + if err != nil { + return err + } + if !resp.Allowed { + return apierrors.NewForbidden(folders.FolderResourceInfo.GroupResource(), folderID, folder.ErrAccessDenied) } return nil