feat: grafana仪表盘无权限跳转403页面 --story=121873358 (#4939)

bkmonitor/packages/monitor_adapter/grafana/urls.py

@@ -15,7 +15,7 @@
 urlpatterns = [
     re_path(r"^$", views.GrafanaSwitchOrgView.as_view()),
     re_path(r"^home$", views.GrafanaSwitchOrgView.as_view()),
-    re_path(r"^d/[a-zA-Z_0-9]+$", views.GrafanaSwitchOrgView.as_view()),
+    re_path(r"^d/[-_a-zA-Z0-9]+$", views.GrafanaSwitchOrgView.as_view()),
     re_path(r"^public/", views.StaticView.as_view()),
     re_path(r"^avatar/", views.StaticView.as_view()),
     re_path(r"^api/", views.ApiProxyView.as_view()),

bkmonitor/packages/monitor_adapter/grafana/views.py

@@ -15,7 +15,12 @@
 from blueapps.middleware.xss.decorators import escape_exempt
 from django.conf import settings
 from django.contrib import auth
-from django.http import Http404, HttpResponse, HttpResponseForbidden
+from django.http import (
+    Http404,
+    HttpResponse,
+    HttpResponseForbidden,
+    HttpResponseRedirect,
+)
 from django.shortcuts import redirect
 from django.utils import timezone
 from django.utils.decorators import method_decorator
@@ -24,12 +29,15 @@
 from rest_framework.exceptions import ValidationError
 
 from bk_dataview.api import get_or_create_org
+from bk_dataview.permissions import GrafanaRole
 from bk_dataview.views import ProxyView, StaticView, SwitchOrgView
 from bkm_space.api import SpaceApi
+from bkmonitor.iam.action import ActionEnum
 from bkmonitor.models.external_iam import ExternalPermission
 from core.drf_resource import api
 from core.errors.api import BKAPIError
 from monitor.models import GlobalConfig
+from monitor_web.grafana.permissions import DashboardPermission
 from monitor_web.grafana.utils import patch_home_panels
 
 __all__ = ["ProxyView", "StaticView", "SwitchOrgView", "RedirectDashboardView"]
@@ -97,6 +105,8 @@ def dispatch(self, request, *args, **kwargs):
 
 
 class GrafanaSwitchOrgView(SwitchOrgView):
+    RE_DASHBORD_UID = re.compile(r"/d/([a-zA-Z0-9_-]+)")
+
     @staticmethod
     def is_allowed_external_request(request):
         if not request.org_name:
@@ -137,6 +147,18 @@ def dispatch(self, request, *args, **kwargs):
             if not self.is_allowed_external_request(request):
                 return HttpResponseForbidden(f"外部用户{request.external_user}无该仪表盘访问或操作权限")
 
+        # 提前进行单仪表盘权限校验，跳转至403页面
+        match_result = self.RE_DASHBORD_UID.findall(request.path)
+        if match_result:
+            uid = match_result[0]
+            _, role, dashboard_permissions = DashboardPermission.get_user_permission(
+                username=request.user.username, org_name=org_name
+            )
+            if role < GrafanaRole.Viewer and uid not in dashboard_permissions:
+                return HttpResponseRedirect(
+                    f"/?bizId={org_name}&needMenu=false#/exception/403?actionId={ActionEnum.VIEW_SINGLE_DASHBOARD.id}"
+                )
+
         return super(GrafanaSwitchOrgView, self).dispatch(request, *args, **kwargs)
 
 

bkmonitor/packages/monitor_web/grafana/resources/manage.py

@@ -121,6 +121,8 @@ def perform_request(self, params):
                     role >= GrafanaRole.Editor
                     or dashboard_permissions.get(record["uid"], GrafanaPermission.View) >= GrafanaPermission.Edit
                 )
+                # 是否有权限
+                record["has_permission"] = role > GrafanaRole.Anonymous or record["uid"] in dashboard_permissions
                 folder_id = record.pop("folderId", 0)
                 record.pop("folderUid", None)
                 record.pop("folderTitle", None)