Navigation: Navbar shows extraneous items when unauthenticated #50341

Closed
@jmatosgrafana

Description

Viewing a snapshot (or any public route such as the 404 page) as an unauthenticated user shows extraneous items in the Navbar:

Search, Starred and Dashboards should not be visible as there's nothing an unauthenticated user can do with them. Similarly, clicking the Grafana logo redirects to the base URL, which throws an Unauthorized error. This should probably redirect to /login.

Any fix needs to bear in mind anonymous auth 👍

Original report

If an unauthenticated user accesses the URL https://<grafana_instance>/dashboard/snapshot/{{constructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 he is shown a generic 404 "Page not found" error with a menu on the left side instead of being redirected to the login page.

Yet no data is being returned when interacting with the menu (and a temporary Unauthorized warning pops up).

This leads to the following security assessment: CVSS score 0.0

Hence this is not a security vulnerability. But as it is confusing for the end user it can be considered a UI bug.
