Closed dmitry-tiger closed 1 year ago
I am also running into this issue. Some more information about this I've found is that, even as an admin user, the page normally only fetches the first page of users. Additionally, the api/plugin-proxy/grafana-oncall-app/api/internal/v1/schedules/S7EVLEB5YRQ7C/next_shifts_per_user endpoint called on this page returns null for any users not on the first page of users.
A workaround... sorta... that I've found for folks affected by this is that because of the internal caching in the plugin, users can go to the second page of the users tab before navigating to this schedule, and they will be able to see those users in the schedule.
I still have this problem. The user must be an admin in the organization to see the other on-call names and information in the schedule. Even team admins cannot see their team's on-call schedule correctly.
grafana version: 9.5.5
oncall version: v1.3.96
oncall plugin version: 1.3.100
The request that returns 403 with the response {"detail":"You do not have permission to perform this action."} is this, in curl format:
curl 'https://grafana.xxx.yyy/api/plugin-proxy/grafana-oncall-app/api/internal/v1/users/U3MN2KRX1HFK8?from_organization=false' \
-H 'authority: grafana.xxx.yyy' \
-H 'accept: application/json, text/plain, */*' \
-H 'accept-language: en-GB,en;q=0.9' \
-H 'cache-control: no-cache' \
-H 'cookie: grafana_session=8a2322f495f4a1ae2cf71315f4c1c596; grafana_session_expiry=1707122296; redirect_to=%2Fexplore' \
-H 'pragma: no-cache' \
-H 'referer: https://grafana.xxx.yyy/a/grafana-oncall-app/schedules/S8VPY2GH3Z8UT?p=1' \
-H 'sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Linux"' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-site: same-origin' \
-H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36' \
--compressed
Non-admin users can't view people who are not on the first users page (/api/internal/v1/users/?page=1&search=) because the OnCall plugin sends a request for each missing person (/api/internal/v1/users/<id>), which leads to error 403 "You do not have permission to perform this action."
It happens because only admins or the owner have permission to retrieve a user in the user view.
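To make the mechanism described in the comments above concrete, here is an added Python example; it is not code from this thread or from the OnCall project. It uses a constructed stand-in for the plugin-proxy with the two endpoint paths quoted in the thread (the paged listing and the per-user detail). The response shape (a `results` list of records with a `pk` field), the page size, the user records and the viewer roles are all assumptions made for the example. It contrasts the first-page-plus-per-user-lookup behaviour the thread describes, which returns nothing for users beyond page 1 when the viewer is not an admin, with resolving users by walking every page of the listing, which the thread notes non-admins can still read.

```python
"""Added example: why non-admin viewers of an OnCall schedule lose users
that are not on the first page of the users list.

Constructed for this thread; not OnCall project code.  Endpoint paths are
the ones quoted in the issue, everything else (response shape, page size,
sample users, roles) is an assumption.
"""
from typing import Any, Dict, List, Optional, Tuple

USERS_LIST = "/api/internal/v1/users/"        # paged listing (quoted in thread)
USER_DETAIL = "/api/internal/v1/users/{pk}"   # per-user detail, 403 for non-admins
PAGE_SIZE = 2                                 # assumed, small so the sample spans pages

# Constructed sample: five users, so the listing has three pages.
SAMPLE_USERS: List[Dict[str, str]] = [
    {"pk": f"U{i}", "username": f"user{i}"} for i in range(1, 6)
]
FORBIDDEN = {"detail": "You do not have permission to perform this action."}


class FakeOnCallApi:
    """Minimal stand-in for the grafana-oncall-app plugin-proxy (constructed)."""

    def __init__(self, users: List[Dict[str, str]], viewer_is_admin: bool) -> None:
        self.users = users
        self.viewer_is_admin = viewer_is_admin

    def get(self, path: str, params: Optional[Dict[str, Any]] = None) -> Tuple[int, Any]:
        """Return (status, json_body) for the two endpoints the thread mentions."""
        if path == USERS_LIST:
            # Listing is readable by everyone; page numbering is 1-based.
            page = int((params or {}).get("page", 1))
            start = (page - 1) * PAGE_SIZE
            return 200, {"results": self.users[start:start + PAGE_SIZE]}
        if path.startswith(USERS_LIST):
            # Per-user detail: only admins/owner may retrieve a single user.
            if not self.viewer_is_admin:
                return 403, FORBIDDEN
            pk = path[len(USERS_LIST):]
            for user in self.users:
                if user["pk"] == pk:
                    return 200, user
            return 404, {"detail": "Not found."}
        return 404, {"detail": "Not found."}


def resolve_first_page_only(api: FakeOnCallApi, needed: List[str]) -> Dict[str, Optional[Dict]]:
    """Behaviour the thread describes: load page 1 of the listing, then fetch each
    missing user individually.  A None value marks a user that could not be
    loaded (the 403 a non-admin receives)."""
    _, body = api.get(USERS_LIST, {"page": 1, "search": ""})
    known = {u["pk"]: u for u in body["results"]}
    resolved: Dict[str, Optional[Dict]] = {}
    for pk in needed:
        if pk in known:
            resolved[pk] = known[pk]
        else:
            status, detail = api.get(USER_DETAIL.format(pk=pk))
            resolved[pk] = detail if status == 200 else None
    return resolved


def resolve_all_pages(api: FakeOnCallApi, needed: List[str]) -> Dict[str, Optional[Dict]]:
    """Alternative that only uses the listing endpoint, walking pages until an
    empty page comes back, so no per-user request (and no 403) is needed."""
    known: Dict[str, Dict] = {}
    page = 1
    while True:
        status, body = api.get(USERS_LIST, {"page": page, "search": ""})
        results = body.get("results", []) if status == 200 else []
        if not results:
            break
        for user in results:
            known[user["pk"]] = user
        page += 1
    return {pk: known.get(pk) for pk in needed}


def unresolved(resolved: Dict[str, Optional[Dict]]) -> List[str]:
    """IDs that came back empty, i.e. what the schedule page would show as null."""
    return [pk for pk, user in resolved.items() if user is None]


if __name__ == "__main__":
    on_shift = ["U1", "U4", "U5"]  # constructed: users appearing in a schedule
    viewer = FakeOnCallApi(SAMPLE_USERS, viewer_is_admin=False)
    print("first page only, non-admin, missing:", unresolved(resolve_first_page_only(viewer, on_shift)))
    print("all pages, non-admin, missing:", unresolved(resolve_all_pages(viewer, on_shift)))
```

Running the script with a non-admin viewer shows U4 and U5 unresolved under the first-page behaviour and nothing unresolved when every page of the listing is walked, which matches both the null values reported above and the "visit page two of the users tab first" workaround.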
How to reproduce