Ling0925
/
buster
mirror of https://github.com/buster-so/buster.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #523 from buster-so/staging 

Bugfix on cascading permissions for dashboards -> metrics
This commit is contained in:
dal 2025-07-16 11:34:24 -07:00 committed by GitHub
parent 3864392904 36f2f04810
commit bc1fbb0d7e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 236 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
apps/api/libs/handlers/src/metrics/get_metric_data_handler.rs
View File

@ -1,11 +1,10 @@
use anyhow::{anyhow, Result}; use anyhow::{anyhow, Result};
use chrono::Utc;
use database::{ use database::{
pool::get_pg_pool, pool::get_pg_pool,
schema::{dashboard_files, metric_files, metric_files_to_dashboard_files}, schema::metric_files,
types::{data_metadata::DataMetadata, MetricYml}, types::{data_metadata::DataMetadata, MetricYml},
}; };
use diesel::{BoolExpressionMethods, ExpressionMethods, JoinOnDsl, QueryDsl}; use diesel::{ExpressionMethods, QueryDsl};
use diesel_async::RunQueryDsl; use diesel_async::RunQueryDsl;
use indexmap::IndexMap; use indexmap::IndexMap;
use middleware::AuthenticatedUser; use middleware::AuthenticatedUser;
@ -68,41 +67,18 @@ pub async fn get_metric_data_handler(
if is_permission_error { if is_permission_error {
tracing::warn!( tracing::warn!(
"Initial metric access failed due to potential permission issue: {}. Checking public dashboard access.", "Initial metric access failed due to potential permission issue: {}. Checking dashboard access.",
e e
); );
// --- Step 3: Check if metric belongs to a valid public dashboard --- // Check if user has access to ANY dashboard containing this metric (including public dashboards)
let mut conn_check = get_pg_pool().get().await?; let has_dashboard_access = sharing::check_metric_dashboard_access(&request.metric_id, &user.id)
let now = Utc::now();
let public_dashboard_exists = match metric_files_to_dashboard_files::table
.inner_join(dashboard_files::table.on(
dashboard_files::id.eq(metric_files_to_dashboard_files::dashboard_file_id),
))
.filter(metric_files_to_dashboard_files::metric_file_id.eq(request.metric_id))
.filter(dashboard_files::publicly_accessible.eq(true))
.filter(dashboard_files::deleted_at.is_null())
.filter(
dashboard_files::public_expiry_date
.is_null()
.or(dashboard_files::public_expiry_date.gt(now)),
)
.select(dashboard_files::id) // Select any column to check existence
.first::<Uuid>(&mut conn_check) // Try to get the first matching ID
.await .await
{ .unwrap_or(false);
Ok(id) => Some(id),
Err(diesel::NotFound) => None,
Err(e) => {
tracing::error!("Error checking if public dashboard exists: {}", e);
return Err(anyhow!("Error checking if public dashboard exists: {}", e));
}
};
if public_dashboard_exists.is_some() { if has_dashboard_access {
// --- Step 4: Public dashboard found, fetch metric bypassing permissions --- // User has access to a dashboard containing this metric
tracing::info!("Found associated public dashboard. Fetching metric definition without direct permissions."); tracing::info!("Found associated dashboard with user access. Fetching metric with dashboard context.");
match get_metric_for_dashboard_handler( match get_metric_for_dashboard_handler(
&request.metric_id, &request.metric_id,
&user, &user,
@ -113,19 +89,19 @@ pub async fn get_metric_data_handler(
{ {
Ok(metric_via_dashboard) => { Ok(metric_via_dashboard) => {
tracing::debug!( tracing::debug!(
"Successfully retrieved metric via public dashboard association." "Successfully retrieved metric via dashboard association."
); );
metric_via_dashboard // Use this metric definition metric_via_dashboard // Use this metric definition
} }
Err(fetch_err) => { Err(fetch_err) => {
// If fetching via dashboard fails unexpectedly, return that error // If fetching via dashboard fails unexpectedly, return that error
tracing::error!("Failed to fetch metric via dashboard context even though public dashboard exists: {}", fetch_err); tracing::error!("Failed to fetch metric via dashboard context: {}", fetch_err);
return Err(fetch_err); return Err(fetch_err);
} }
} }
} else { } else {
// No public dashboard association found, return the original permission error // No dashboard access, return the original permission error
tracing::warn!("No valid public dashboard association found for metric. Returning original error."); tracing::warn!("No dashboard association found for metric. Returning original error.");
return Err(e); return Err(e);
} }
} else { } else {

91
apps/api/libs/handlers/src/metrics/get_metric_for_dashboard_handler.rs
View File

@ -157,48 +157,61 @@ pub async fn get_metric_for_dashboard_handler(
tracing::debug!(metric_id = %metric_id, user_id = %user.id, ?permission, "Granting access via direct permission."); tracing::debug!(metric_id = %metric_id, user_id = %user.id, ?permission, "Granting access via direct permission.");
} }
} else { } else {
// No sufficient direct/admin permission, check public access rules // No sufficient direct/admin permission, check if user has access via a dashboard
tracing::debug!(metric_id = %metric_id, "Insufficient direct/admin permission. Checking public access rules."); tracing::debug!(metric_id = %metric_id, "Insufficient direct/admin permission. Checking dashboard access.");
if !metric_file.publicly_accessible {
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Permission denied (not public, insufficient direct permission).");
return Err(anyhow!("You don't have permission to view this metric"));
}
tracing::debug!(metric_id = %metric_id, "Metric is publicly accessible.");
// Check if the public access has expired let has_dashboard_access = sharing::check_metric_dashboard_access(metric_id, &user.id)
if let Some(expiry_date) = metric_file.public_expiry_date { .await
tracing::debug!(metric_id = %metric_id, ?expiry_date, "Checking expiry date"); .unwrap_or(false);
if expiry_date < chrono::Utc::now() {
tracing::warn!(metric_id = %metric_id, "Public access expired");
return Err(anyhow!("Public access to this metric has expired"));
}
}
// Check if a password is required if has_dashboard_access {
tracing::debug!(metric_id = %metric_id, has_password = metric_file.public_password.is_some(), "Checking password requirement"); // User has access to a dashboard containing this metric, grant CanView
if let Some(required_password) = &metric_file.public_password { tracing::debug!(metric_id = %metric_id, user_id = %user.id, "User has access via dashboard. Granting CanView.");
tracing::debug!(metric_id = %metric_id, "Password required. Checking provided password.");
match password {
Some(provided_password) => {
if provided_password != *required_password {
// Incorrect password provided
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Incorrect public password provided");
return Err(anyhow!("Incorrect password for public access"));
}
// Correct password provided, grant CanView via public access
tracing::debug!(metric_id = %metric_id, user_id = %user.id, "Correct public password provided. Granting CanView.");
permission = AssetPermissionRole::CanView;
}
None => {
// Password required but none provided
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Public password required but none provided");
return Err(anyhow!("public_password required for this metric"));
}
}
} else {
// Publicly accessible, not expired, and no password required
tracing::debug!(metric_id = %metric_id, "Public access granted (no password required).");
permission = AssetPermissionRole::CanView; permission = AssetPermissionRole::CanView;
} else {
// No dashboard access, check public access rules
tracing::debug!(metric_id = %metric_id, "No dashboard access. Checking public access rules.");
if !metric_file.publicly_accessible {
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Permission denied (not public, no dashboard access, insufficient direct permission).");
return Err(anyhow!("You don't have permission to view this metric"));
}
tracing::debug!(metric_id = %metric_id, "Metric is publicly accessible.");
// Check if the public access has expired
if let Some(expiry_date) = metric_file.public_expiry_date {
tracing::debug!(metric_id = %metric_id, ?expiry_date, "Checking expiry date");
if expiry_date < chrono::Utc::now() {
tracing::warn!(metric_id = %metric_id, "Public access expired");
return Err(anyhow!("Public access to this metric has expired"));
}
}
// Check if a password is required
tracing::debug!(metric_id = %metric_id, has_password = metric_file.public_password.is_some(), "Checking password requirement");
if let Some(required_password) = &metric_file.public_password {
tracing::debug!(metric_id = %metric_id, "Password required. Checking provided password.");
match password {
Some(provided_password) => {
if provided_password != *required_password {
// Incorrect password provided
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Incorrect public password provided");
return Err(anyhow!("Incorrect password for public access"));
}
// Correct password provided, grant CanView via public access
tracing::debug!(metric_id = %metric_id, user_id = %user.id, "Correct public password provided. Granting CanView.");
permission = AssetPermissionRole::CanView;
}
None => {
// Password required but none provided
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Public password required but none provided");
return Err(anyhow!("public_password required for this metric"));
}
}
} else {
// Publicly accessible, not expired, and no password required
tracing::debug!(metric_id = %metric_id, "Public access granted (no password required).");
permission = AssetPermissionRole::CanView;
}
} }
} }

91
apps/api/libs/handlers/src/metrics/get_metric_handler.rs
View File

@ -155,48 +155,61 @@ pub async fn get_metric_handler(
tracing::debug!(metric_id = %metric_id, user_id = %user.id, ?permission, "Granting access via direct permission."); tracing::debug!(metric_id = %metric_id, user_id = %user.id, ?permission, "Granting access via direct permission.");
} }
} else { } else {
// No sufficient direct/admin permission, check public access rules // No sufficient direct/admin permission, check if user has access via a dashboard
tracing::debug!(metric_id = %metric_id, "Insufficient direct/admin permission. Checking public access rules."); tracing::debug!(metric_id = %metric_id, "Insufficient direct/admin permission. Checking dashboard access.");
if !metric_file.publicly_accessible {
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Permission denied (not public, insufficient direct permission).");
return Err(anyhow!("You don't have permission to view this metric"));
}
tracing::debug!(metric_id = %metric_id, "Metric is publicly accessible.");
// Check if the public access has expired let has_dashboard_access = sharing::check_metric_dashboard_access(metric_id, &user.id)
if let Some(expiry_date) = metric_file.public_expiry_date { .await
tracing::debug!(metric_id = %metric_id, ?expiry_date, "Checking expiry date"); .unwrap_or(false);
if expiry_date < chrono::Utc::now() {
tracing::warn!(metric_id = %metric_id, "Public access expired");
return Err(anyhow!("Public access to this metric has expired"));
}
}
// Check if a password is required if has_dashboard_access {
tracing::debug!(metric_id = %metric_id, has_password = metric_file.public_password.is_some(), "Checking password requirement"); // User has access to a dashboard containing this metric, grant CanView
if let Some(required_password) = &metric_file.public_password { tracing::debug!(metric_id = %metric_id, user_id = %user.id, "User has access via dashboard. Granting CanView.");
tracing::debug!(metric_id = %metric_id, "Password required. Checking provided password.");
match password {
Some(provided_password) => {
if provided_password != *required_password {
// Incorrect password provided
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Incorrect public password provided");
return Err(anyhow!("Incorrect password for public access"));
}
// Correct password provided, grant CanView via public access
tracing::debug!(metric_id = %metric_id, user_id = %user.id, "Correct public password provided. Granting CanView.");
permission = AssetPermissionRole::CanView;
}
None => {
// Password required but none provided
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Public password required but none provided");
return Err(anyhow!("public_password required for this metric"));
}
}
} else {
// Publicly accessible, not expired, and no password required
tracing::debug!(metric_id = %metric_id, "Public access granted (no password required).");
permission = AssetPermissionRole::CanView; permission = AssetPermissionRole::CanView;
} else {
// No dashboard access, check public access rules
tracing::debug!(metric_id = %metric_id, "No dashboard access. Checking public access rules.");
if !metric_file.publicly_accessible {
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Permission denied (not public, no dashboard access, insufficient direct permission).");
return Err(anyhow!("You don't have permission to view this metric"));
}
tracing::debug!(metric_id = %metric_id, "Metric is publicly accessible.");
// Check if the public access has expired
if let Some(expiry_date) = metric_file.public_expiry_date {
tracing::debug!(metric_id = %metric_id, ?expiry_date, "Checking expiry date");
if expiry_date < chrono::Utc::now() {
tracing::warn!(metric_id = %metric_id, "Public access expired");
return Err(anyhow!("Public access to this metric has expired"));
}
}
// Check if a password is required
tracing::debug!(metric_id = %metric_id, has_password = metric_file.public_password.is_some(), "Checking password requirement");
if let Some(required_password) = &metric_file.public_password {
tracing::debug!(metric_id = %metric_id, "Password required. Checking provided password.");
match password {
Some(provided_password) => {
if provided_password != *required_password {
// Incorrect password provided
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Incorrect public password provided");
return Err(anyhow!("Incorrect password for public access"));
}
// Correct password provided, grant CanView via public access
tracing::debug!(metric_id = %metric_id, user_id = %user.id, "Correct public password provided. Granting CanView.");
permission = AssetPermissionRole::CanView;
}
None => {
// Password required but none provided
tracing::warn!(metric_id = %metric_id, user_id = %user.id, "Public password required but none provided");
return Err(anyhow!("public_password required for this metric"));
}
}
} else {
// Publicly accessible, not expired, and no password required
tracing::debug!(metric_id = %metric_id, "Public access granted (no password required).");
permission = AssetPermissionRole::CanView;
}
} }
} }

80
apps/api/libs/sharing/src/asset_access_checks.rs
View File

@ -1,4 +1,8 @@
use database::enums::{AssetPermissionRole, UserOrganizationRole}; use database::enums::{AssetPermissionRole, AssetType, IdentityType, UserOrganizationRole};
use database::pool::get_pg_pool;
use database::schema::{asset_permissions, dashboard_files, metric_files_to_dashboard_files};
use diesel::{BoolExpressionMethods, ExpressionMethods, JoinOnDsl, QueryDsl, OptionalExtension};
use diesel_async::RunQueryDsl;
use middleware::OrganizationMembership; use middleware::OrganizationMembership;
use uuid::Uuid; use uuid::Uuid;
@ -39,6 +43,80 @@ pub fn check_permission_access(
false false
} }
/// Checks if a user has access to a metric through any associated dashboard.
///
/// This function is used to implement permission cascading from dashboards to metrics.
/// If a user has access to any dashboard containing the metric (either through direct permissions
/// or if the dashboard is public), they get at least CanView permission.
///
/// # Arguments
/// * `metric_id` - UUID of the metric to check
/// * `user_id` - UUID of the user to check permissions for
///
/// # Returns
/// * `Result<bool>` - True if the user has access to any dashboard containing the metric, false otherwise
pub async fn check_metric_dashboard_access(
metric_id: &Uuid,
user_id: &Uuid,
) -> Result<bool, diesel::result::Error> {
let mut conn = get_pg_pool().get().await.map_err(|e| {
diesel::result::Error::DatabaseError(
diesel::result::DatabaseErrorKind::UnableToSendCommand,
Box::new(e.to_string()),
)
})?;
// First check if user has direct access to any dashboard containing this metric
let has_direct_access = metric_files_to_dashboard_files::table
.inner_join(
dashboard_files::table
.on(dashboard_files::id.eq(metric_files_to_dashboard_files::dashboard_file_id)),
)
.inner_join(
asset_permissions::table.on(
asset_permissions::asset_id.eq(dashboard_files::id)
.and(asset_permissions::asset_type.eq(AssetType::DashboardFile))
.and(asset_permissions::identity_id.eq(user_id))
.and(asset_permissions::identity_type.eq(IdentityType::User))
.and(asset_permissions::deleted_at.is_null())
),
)
.filter(metric_files_to_dashboard_files::metric_file_id.eq(metric_id))
.filter(dashboard_files::deleted_at.is_null())
.filter(metric_files_to_dashboard_files::deleted_at.is_null())
.select(dashboard_files::id)
.first::<Uuid>(&mut conn)
.await
.optional()?;
if has_direct_access.is_some() {
return Ok(true);
}
// Now check if metric belongs to any PUBLIC dashboard (not expired)
let now = chrono::Utc::now();
let has_public_access = metric_files_to_dashboard_files::table
.inner_join(
dashboard_files::table
.on(dashboard_files::id.eq(metric_files_to_dashboard_files::dashboard_file_id)),
)
.filter(metric_files_to_dashboard_files::metric_file_id.eq(metric_id))
.filter(dashboard_files::deleted_at.is_null())
.filter(metric_files_to_dashboard_files::deleted_at.is_null())
.filter(dashboard_files::publicly_accessible.eq(true))
.filter(
dashboard_files::public_expiry_date
.is_null()
.or(dashboard_files::public_expiry_date.gt(now)),
)
.select(dashboard_files::id)
.first::<Uuid>(&mut conn)
.await
.optional()?;
Ok(has_public_access.is_some())
}
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;

2
apps/api/libs/sharing/src/lib.rs
View File

@ -19,4 +19,4 @@ pub use types::{
SerializableAssetPermission, UserInfo, SerializableAssetPermission, UserInfo,
}; };
pub use user_lookup::find_user_by_email; pub use user_lookup::find_user_by_email;
pub use asset_access_checks::check_permission_access; pub use asset_access_checks::{check_permission_access, check_metric_dashboard_access};

4
apps/web/src/api/createAxiosInstance.ts
View File

@ -51,6 +51,10 @@ export const defaultAxiosRequestHandler = async (
token = (await options?.checkTokenValidity()?.then((res) => res?.access_token || '')) || ''; token = (await options?.checkTokenValidity()?.then((res) => res?.access_token || '')) || '';
} }
if (!token) {
throw new Error('User authentication error - no token found');
}
(config.headers as AxiosRequestHeaders).Authorization = `Bearer ${token}`; (config.headers as AxiosRequestHeaders).Authorization = `Bearer ${token}`;
return config; return config;

2
apps/web/src/app/app/layout.tsx
View File

@ -28,7 +28,7 @@ export default async function Layout({
const userInfoState = queryClient.getQueryState(queryKeys.userGetUserMyself.queryKey); const userInfoState = queryClient.getQueryState(queryKeys.userGetUserMyself.queryKey);
const is402Error = userInfoState?.status === 'error' && userInfoState?.error?.status === 402; const is402Error = userInfoState?.status === 'error' && userInfoState?.error?.status === 402; //402 is the payment required error code
if (is402Error) { if (is402Error) {
return <ClientRedirect to={createBusterRoute({ route: BusterRoutes.INFO_GETTING_STARTED })} />; return <ClientRedirect to={createBusterRoute({ route: BusterRoutes.INFO_GETTING_STARTED })} />;

15
apps/web/src/context/Supabase/SupabaseContextProvider.tsx
View File

@ -7,6 +7,9 @@ import { checkTokenValidityFromServer } from '@/api/buster_rest/nextjs/auth';
import { useMemoizedFn } from '@/hooks/useMemoizedFn'; import { useMemoizedFn } from '@/hooks/useMemoizedFn';
import { millisecondsFromUnixTimestamp } from '@/lib/timestamp'; import { millisecondsFromUnixTimestamp } from '@/lib/timestamp';
import type { UseSupabaseUserContextType } from '@/lib/supabase'; import type { UseSupabaseUserContextType } from '@/lib/supabase';
import { timeout } from '@/lib/timeout';
import { useBusterNotifications } from '../BusterNotifications';
import { flushSync } from 'react-dom';
const PREEMTIVE_REFRESH_MINUTES = 5; const PREEMTIVE_REFRESH_MINUTES = 5;
@ -16,6 +19,7 @@ const useSupabaseContextInternal = ({
supabaseContext: UseSupabaseUserContextType; supabaseContext: UseSupabaseUserContextType;
}) => { }) => {
const refreshTimerRef = useRef<ReturnType<typeof setTimeout> | undefined>(undefined); const refreshTimerRef = useRef<ReturnType<typeof setTimeout> | undefined>(undefined);
const { openErrorNotification, openInfoMessage } = useBusterNotifications();
const [accessToken, setAccessToken] = useState(supabaseContext.accessToken || ''); const [accessToken, setAccessToken] = useState(supabaseContext.accessToken || '');
const isAnonymousUser = !supabaseContext.user?.id || supabaseContext.user?.is_anonymous === true; const isAnonymousUser = !supabaseContext.user?.id || supabaseContext.user?.is_anonymous === true;
@ -45,7 +49,8 @@ const useSupabaseContextInternal = ({
accessToken, accessToken,
preemptiveRefreshMinutes: PREEMTIVE_REFRESH_MINUTES preemptiveRefreshMinutes: PREEMTIVE_REFRESH_MINUTES
}); });
onUpdateToken({ accessToken: res.access_token, expiresAt: res.expires_at }); await onUpdateToken({ accessToken: res.access_token, expiresAt: res.expires_at });
await timeout(25);
return res; return res;
} }
@ -55,6 +60,11 @@ const useSupabaseContextInternal = ({
}; };
} catch (e) { } catch (e) {
console.error(e); console.error(e);
openErrorNotification({
title: 'Error checking user authentication',
description: 'Please try again later',
duration: 120 * 1000 //2 minutes
});
throw e; throw e;
} }
}); });
@ -62,6 +72,9 @@ const useSupabaseContextInternal = ({
const onUpdateToken = useMemoizedFn( const onUpdateToken = useMemoizedFn(
async ({ accessToken, expiresAt: _expiresAt }: { accessToken: string; expiresAt: number }) => { async ({ accessToken, expiresAt: _expiresAt }: { accessToken: string; expiresAt: number }) => {
setAccessToken(accessToken); setAccessToken(accessToken);
flushSync(() => {
openInfoMessage('Token refreshed');
});
} }
); );

18
apps/web/src/lib/supabase/getSupabaseUserContext.ts
View File

@ -11,7 +11,11 @@ export const getSupabaseUserContext = async (preemptiveRefreshMinutes = 5) => {
const supabase = await createClient(); const supabase = await createClient();
// Get the session first // Get the session first
let { data: sessionData } = await supabase.auth.getSession(); let { data: sessionData, error: sessionError } = await supabase.auth.getSession();
if (sessionError) {
console.error('Error getting session:', sessionError);
}
// Check if we need to refresh the session // Check if we need to refresh the session
if (sessionData.session) { if (sessionData.session) {
@ -29,10 +33,15 @@ export const getSupabaseUserContext = async (preemptiveRefreshMinutes = 5) => {
} }
// Get user data // Get user data
const { data: userData } = await supabase.auth.getUser(); const { data: userData, error: userError } = await supabase.auth.getUser();
if (userError) {
console.error('Error getting user:', userData, userError);
}
if (!userData.user) { if (!userData.user) {
const { session: anonSession } = await signInWithAnonymousUser(); const { session: anonSession } = await signInWithAnonymousUser();
console.info('created anon session', anonSession);
return { return {
user: anonSession?.user || null, user: anonSession?.user || null,
accessToken: anonSession?.access_token accessToken: anonSession?.access_token
@ -42,6 +51,11 @@ export const getSupabaseUserContext = async (preemptiveRefreshMinutes = 5) => {
const user = userData.user; const user = userData.user;
const accessToken = sessionData.session?.access_token; const accessToken = sessionData.session?.access_token;
const refreshToken = sessionData.session?.refresh_token; const refreshToken = sessionData.session?.refresh_token;
if (!accessToken) {
console.error('No access token found for user:', user);
}
return { user, accessToken, refreshToken }; return { user, accessToken, refreshToken };
}; };