* Trim leading and trailing whitespaces from email and username on signup
* Check whether the provided email address is the same as where the invitation sent
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
We also need to upgrade the linter together with the Go version, all the changes should relate to either fixing linting problems or upgrading the Go version used to build Grafana.
* remove support for v1
(cherry picked from commit 8630a7a991af74edc4030f57d37a4bc263202fde)
* Security: Make proxy endpoints not leak sensitive HTTP headers
Fixes CVE-2022-31130
(cherry picked from commit 2974574a53ab6d26be7b706e76271173a91fea3a)
* Security: Fix do not forward login cookie in outgoing requests
(cherry picked from commit 54a32fc83b233f5910495b5fcca0b4f881221538)
* Add test for username/login field conflict
(cherry picked from commit 7aabcf2694)
* Swap order of login fields
(cherry picked from commit 5ec176cada)
* "Release: Updated versions in package to 8.5.14" (#547)
Co-authored-by: Will Browne <will.browne@grafana.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
Co-authored-by: Grot (@grafanabot) <43478413+grafanabot@users.noreply.github.com>
* Data source: prevent from using auth proxy header as custom data source header (#477)
* apply security changes for auth proxy permission escalation
* add links to CVE
* remove duplicate check
* apply security fix for admin only folder migration (#484)
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* API: Fix snapshot responses (#52998)
* API: Fix response status when snapshots are not found
* API: Fix response status when snapshot key is empty
* Apply suggestions from code review
(cherry picked from commit 5fec6cc4f5)
* grant data source reader to all users when running oss or enterprise
without license
* fix asserts in alerting tests
* add oss licensing service for test setup
* fix tests to pass in enterprise
* lint
* fix tests
* set setting.IsEnterprise flag for tests
Co-authored-by: Yuriy Tseretyan <yuriy.tseretyan@grafana.com>
(cherry picked from commit 1796a1d277)
* introduce a fallback handler that checks that role is Viewer.
* update UI nav links to allow alerting tabs for anonymous user
* update rule api to check for Viewer role instead of SignedIn when RBAC is disabled
(cherry picked from commit f7f2253072)
* refactor RBAC checks
* fix a test
* another test fix
* and another
(cherry picked from commit 68ca5b2e05)
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Update API Keys UI to adjust based on users permissions
Since API Keys support now RBAC we need to ensure that UI
is adjusted based on the user permissions.
* Applying PR suggestions
(cherry picked from commit cbd2d09d70)
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
For a proxied request, e.g. Grafana's datasource or plugin proxy:
If the request is cancelled, e.g. from the browser, the HTTP status code is
now 499 Client closed request instead of 502 Bad gateway.
If the request times out, e.g. takes longer time than allowed, the HTTP status
code is now 504 Gateway timeout instead of 502 Bad gateway.
This also means that request metrics and logs will get their status codes
adjusted according to above.
Fixes#46337Fixes#46338
(cherry picked from commit 4bc582570e)
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* Create fixed roles for reading API Keys and service accounts
* Handle PR comments and fix the listing of token
(cherry picked from commit 782ec05d8c)
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
* Add new alert rule to alerting section
* Check access control for ability to create
(cherry picked from commit 7905957ee8)
Co-authored-by: Ashley Harrison <ashley.harrison@grafana.com>
* use common traceID context value for opentracing and opentelemetry
* support sampled trace IDs as well
* inject traceID into NormalResponse on errors
* Finally the test passed
* fix the test
* fix linter
* change the function parameter
Co-authored-by: Ying WANG <ying.wang@grafana.com>
(cherry picked from commit 41012af997)
Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com>
* forbid setting role higher than user's role
* change response code
* can assign API key permissions to non-admin users
* add: assign viewer role directly upon creation
* refactor: add AddSATcommand infavor of AddAPIkey
* refactor: frontend fixes for ServiceAccountToken
Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com>
(cherry picked from commit a245531f0c)
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Chore: remove bus from contexthandler
* remove bus from orgredirect
(cherry picked from commit 2cf88cfec8)
Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com>
* Nav: Show overlay icons based on allowed list
* user essentials mob! 🔱
* Navigation: clean up and use new backend prop to show plus icons and
improve visual styling
* Nav: Fix top padding
* refactor to not use showIconInNavbar in NavBarMenuItem
* remove a missed bit
* refactor icon into const
Co-authored-by: Ashley Harrison <ashley.harrison@grafana.com>
(cherry picked from commit 85de0d88c7)
Co-authored-by: Maria Alexandra <239999+axelavargas@users.noreply.github.com>
* Chore: Remove bus from alerting rule
* fix alerting tests
* fix provide service
(cherry picked from commit b31c7d3654)
Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com>
* pass in user to attribute scope resolver
* add SQL filter to annotation listing
* check annotation FGAC permissions before exposing them for commenting
* remove the requirement to be able to list all annotations from annotation listing endpoint
* adding tests for annotation listing
* remove changes that got moved to a different PR
* unused var
* Update pkg/services/sqlstore/annotation.go
Co-authored-by: Ezequiel Victorero <evictorero@gmail.com>
* remove unneeded check
* remove unneeded check
* undo accidental change
* undo accidental change
* doc update
* move tests
* redo the approach for passing the user in for scope resolution
* accidental change
* cleanup
* error handling
Co-authored-by: Ezequiel Victorero <evictorero@gmail.com>
(cherry picked from commit ef4c2672b3)
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* add FGAC actions for silences table
* redirect users without permissions
* add permissions checks to routes
* add fgac to notifications and contact points
* fgac for notification policies
* fix mute timing authorization
* use consistent naming for checking grafana alertmanager
* tests for fgac in contact points and notification policies
* bump up timeout on rule editor test
* use new permissions util
* break out route evaluation into util
* Remove test timeout
* Change permissions for the alert-notifiers endpoint
* Use signed in handler for alert-notifiers when unified alerting enabled
Co-authored-by: Konrad Lalik <konrad.lalik@grafana.com>
(cherry picked from commit 49505b9a3b)
Co-authored-by: Nathan Rodman <nathanrodman@gmail.com>
* AccessControl: Remove package variables for roles and grants
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Check for inheritance during role registration
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Moving back role definition to accessscontrol
* Make settings reader role public
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Nits
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Forgot to update this
* Account for declaration error
* Fixing pkg/api init ossac
* Account for error in tests
* Update test to verify inheritance
* Nits.
* Place br inheritance behind a feature toggle
* Parent -> Parents
* Nit.
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
