Dashboard: Loading dashboard settings resets folder id when user/team have admin access to dashboard, but not the folder

[marefr]

What happened:
Entered dashboard settings, then saving dashboard returning 403 unauthorized.

What you expected to happen:
Successful save of dashboard.

How to reproduce it (as minimally and precisely as possible):

1. A user user a with org role Viewer.
2. user a is member of team b.
3. A folder folder c with no specific permission for user a or team b.
4. A dashboard dashboard d in folder c with team b permission to Admin
5. user a login and opens dashboard d
6. user a can successfully save the dashboard
7. user a enters dashboard settings
8. user a can no longer save the dashboard - 403 unauthorized

Anything else we need to know?:
After investigation seems like loading dashboard settings resets the folder selection to empty/zero and by that the 403 unauthorized is returned since the dashboard is trying to be saved in the General folder.

Environment:

• Grafana version: master (1bde4de) and 7.0.3

[dprokop]

@marefr so the question here is. Should the user have possibility to save the dashboard at all? Since he/she is a viewer within a team which has admin rights for a given dashboard.

[torkelo]

This scenario is a bit problematic, not sure if we can support this permission setup well without tricky hacks.

[torkelo]

6. user a can successfully save the dashboard

I am a bit unsure if we should allow a save of a dashboard to a folder you only have view permissions for.

[dprokop]

I am a bit unsure if we should allow a save of a dashboard to a folder you only have view permissions for.

yes, I'm actually concerned with this as well. Not sure how the permissions are designed. If it's team or the user permissions that take precedence in such scenario

[marefr]

It's working from an HTTP API/backend perspective. It's definitely an edge case that you can have editor/admin access to a dashboard, but not the folder. However, clearly users are dependent on this feature. I don't understand why dashboard have to make changes to the dashboard model by resetting the folder id when opening the dashboard settings.

[torkelo]

It’s just complex to have a drop down with an option that your not allowed to select yourself

[torkelo]

For example the folder picker is designed to not show dashboards your now allowed to save to , so this scenario is a bit messy with the folder picker having a value that is not available to choose from

[torkelo]

But I think we can solve it

[dprokop]

@torkelo @marefr Moving to 7.1