Prevent Viewer role from overriding temp vars from URL query

2018-06-08 17:31:21 -07:00 · 2018-06-08 17:31:21 -07:00 · 3c99cabd8f
parent b8d7e317db
commit 3c99cabd8f
3 changed files with 49 additions and 3 deletions
--- a/ui/src/dashboards/actions/index.ts
+++ b/ui/src/dashboards/actions/index.ts
@ -3,6 +3,8 @@ import {replace} from 'react-router-redux'
 import _ from 'lodash'
 import queryString from 'query-string'

+import {isUserAuthorized, EDITOR_ROLE} from 'src/auth/Authorized'
+
 import {
  getDashboards as getDashboardsAJAX,
  getDashboard as getDashboardAJAX,
@ -21,6 +23,7 @@ import {errorThrown} from 'src/shared/actions/errors'

 import {
  generateURLQueryFromTempVars,
+  findUpdatedTempVarsInURLQuery,
  findInvalidTempVarsInURLQuery,
 } from 'src/dashboards/utils/tempVars'
 import {validTimeRange, validAbsoluteTimeRange} from 'src/dashboards/utils/time'
@ -39,6 +42,7 @@ import {
  notifyInvalidTempVarValueInURLQuery,
  notifyInvalidZoomedTimeRangeValueInURLQuery,
  notifyInvalidTimeRangeValueInURLQuery,
+  notifyViewerUnauthorizedToSetTempVars,
 } from 'src/shared/copy/notifications'

 import {CellType} from 'src/types/dashboard'
@ -778,9 +782,23 @@ const syncDashboardTempVarsFromURLQueries = (dashboardID, urlQueries) => (
  dispatch,
  getState
 ) => {
-  const dashboard = getState().dashboardUI.dashboards.find(
-    d => d.id === dashboardID
+  const {
+    dashboardUI,
+    auth: {isUsingAuth, me},
+  } = getState()
+  const dashboard = dashboardUI.dashboards.find(d => d.id === dashboardID)
+
+  // viewers are not currently allowed to select temp vars and/or use overrides
+  if (isUsingAuth && !isUserAuthorized(me.role, EDITOR_ROLE)) {
+    const urlQueryTempVarsWithUpdatedValues = findUpdatedTempVarsInURLQuery(
+      dashboard.templates,
+      urlQueries
    )
+    if (urlQueryTempVarsWithUpdatedValues.length) {
+      dispatch(notify(notifyViewerUnauthorizedToSetTempVars()))
+      return
+    }
+  }

  const urlQueryTempVarsWithInvalidValues = findInvalidTempVarsInURLQuery(
    dashboard.templates,
--- a/ui/src/dashboards/utils/tempVars.ts
+++ b/ui/src/dashboards/utils/tempVars.ts
@ -134,6 +134,29 @@ export const applyDashboardTempVarOverrides = (
  ),
 })

+export const findUpdatedTempVarsInURLQuery = (tempVars, urlQueries) => {
+  const urlQueryTempVarsWithInvalidValues = _.reduce(
+    urlQueries,
+    (acc, v, k) => {
+      const matchedTempVar = tempVars.find(
+        ({tempVar}) => stripTempVar(tempVar) === k
+      )
+      if (matchedTempVar) {
+        const isDifferentTempVarValue = !!matchedTempVar.values.find(
+          ({value, selected}) => selected && value !== v
+        )
+        if (isDifferentTempVarValue) {
+          acc.push({key: k, value: v})
+        }
+      }
+      return acc
+    },
+    []
+  )
+
+  return urlQueryTempVarsWithInvalidValues
+}
+
 export const findInvalidTempVarsInURLQuery = (tempVars, urlQueries) => {
  const urlQueryTempVarsWithInvalidValues = _.reduce(
    urlQueries,
--- a/ui/src/shared/copy/notifications.ts
+++ b/ui/src/shared/copy/notifications.ts
@ -202,6 +202,11 @@ export const notifyJSONFeedFailed = url => ({
  message: `Failed to fetch JSON Feed for News Feed from '${url}'`,
 })

+export const notifyViewerUnauthorizedToSetTempVars = () => ({
+  ...defaultErrorNotification,
+  message: `Viewer role unauthorized to override template variable values from URL.`,
+})
+
 //  Chronograf Admin Notifications
 //  ----------------------------------------------------------------------------
 export const notifyMappingDeleted = (id, scheme) => ({