fix(authorizer): use authorizeWriteOrg and authorizeReadOrg for rules

pull/14834/head
Michael Desa 2019-08-28 09:15:52 -04:00
parent 7dd70fab8f
commit d43e14eb7a
No known key found for this signature in database
GPG Key ID: 87002651EC5DFFE6
2 changed files with 8 additions and 22 deletions


@ -52,17 +52,9 @@ func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filte
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
rules := nrs[:0]
for _, nr := range nrs {
p, err := influxdb.NewPermission(influxdb.ReadAction, influxdb.OrgsResourceType, nr.GetOrgID())
if err != nil {
return nil, 0, err
if err := authorizeReadOrg(ctx, nr.GetOrgID()); err == nil {
rules = append(rules, nr)
}
err = IsAllowed(ctx, *p)
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
rules = append(rules, nr)
}
return rules, len(rules), nil
@ -70,15 +62,9 @@ func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filte
// CreateNotificationRule checks to see if the authorizer on context has write access to the global notification rule resource.
func (s *NotificationRuleStore) CreateNotificationRule(ctx context.Context, nr influxdb.NotificationRule, userID influxdb.ID) error {
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.OrgsResourceType, nr.GetOrgID())
if err != nil {
if err := authorizeWriteOrg(ctx, nr.GetOrgID()); err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return s.s.CreateNotificationRule(ctx, nr, userID)
}
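Review bot: In FindNotificationRules the new filter `if err := authorizeReadOrg(ctx, nr.GetOrgID()); err == nil` treats every error as a denial and silently drops the rule, so a failure that is not an authorization decision comes back as a shorter list with a nil error. Failing closed is the right default, and it is stricter than the removed lines, which skipped only on EUnauthorized and appended the rule on any other IsAllowed error. Unexpected failures should still surface: hoist the call to `err := authorizeReadOrg(ctx, nr.GetOrgID())` and add `if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized { return nil, 0, err }` before the append. That assumes authorizeReadOrg, which is defined outside this hunk along with the start of FindNotificationRules, reports a denied caller as EUnauthorized. Separately, the doc comment on CreateNotificationRule still says "global notification rule resource" although the check is write access to the rule's organization; `// CreateNotificationRule checks that the authorizer on context has write access to the organization that owns the rule.` would match the code.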


@ -230,8 +230,8 @@ func TestNotificationRuleStore_FindNotificationRules(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
@ -650,8 +650,8 @@ func TestNotificationRuleStore_CreateNotificationRule(t *testing.T) {
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
@ -680,7 +680,7 @@ func TestNotificationRuleStore_CreateNotificationRule(t *testing.T) {
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/orgs is unauthorized",
Msg: "write:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},