fix for access denied in /viewer/capabilities handler (#24030)

adameat · web-flow · commit c724dd590c14 · 2025-09-03T12:16:19.000Z
diff --git a/ydb/core/viewer/json_pipe_req.cpp b/ydb/core/viewer/json_pipe_req.cpp
@@ -1223,7 +1223,7 @@ void TViewerPipeClient::RedirectToDatabase(const TString& database) {
     Become(&TViewerPipeClient::StateResolveDatabase);
 }
 
-bool TViewerPipeClient::NeedToRedirect() {
+bool TViewerPipeClient::NeedToRedirect(bool checkDatabaseAuth) {
     auto request = GetRequest();
     if (NeedRedirect && request) {
         NeedRedirect = false;
@@ -1233,7 +1233,7 @@ bool TViewerPipeClient::NeedToRedirect() {
             RedirectToDatabase(Database); // to find some dynamic node and redirect query there
             return true;
         }
-        if (!Viewer->CheckAccessViewer(request)) {
+        if (checkDatabaseAuth && !Viewer->CheckAccessViewer(request)) {
             ReplyAndPassAway(GetHTTPFORBIDDEN("text/html", "<html><body><h1>403 Forbidden</h1></body></html>"), "Access denied");
             return true;
         }
diff --git a/ydb/core/viewer/json_pipe_req.h b/ydb/core/viewer/json_pipe_req.h
@@ -392,7 +392,7 @@ class TViewerPipeClient : public TActorBootstrapped<TViewerPipeClient> {
     STATEFN(StateResolveDatabase);
     STATEFN(StateResolveResource);
     void RedirectToDatabase(const TString& database);
-    bool NeedToRedirect();
+    bool NeedToRedirect(bool checkDatabaseAuth = true);
     void HandleTimeout();
     void PassAway() override;
 };
diff --git a/ydb/core/viewer/viewer_capabilities.h b/ydb/core/viewer/viewer_capabilities.h
@@ -15,7 +15,7 @@ class TViewerCapabilities : public TViewerPipeClient {
     {}
 
     void Bootstrap() override {
-        if (TBase::NeedToRedirect()) {
+        if (TBase::NeedToRedirect(false/* don't check auth for capabilities on purpose */)) {
             return;
         }
         ReplyAndPassAway();

Original file line number	Diff line number	Diff line change
`@@ -1223,7 +1223,7 @@ void TViewerPipeClient::RedirectToDatabase(const TString& database) {`
`1223`	`1223`	`Become(&TViewerPipeClient::StateResolveDatabase);`
`1224`	`1224`	`}`
`1225`	`1225`
`1226`		`-bool TViewerPipeClient::NeedToRedirect() {`
	`1226`	`+bool TViewerPipeClient::NeedToRedirect(bool checkDatabaseAuth) {`
`1227`	`1227`	`auto request = GetRequest();`
`1228`	`1228`	`if (NeedRedirect && request) {`
`1229`	`1229`	`NeedRedirect = false;`
`@@ -1233,7 +1233,7 @@ bool TViewerPipeClient::NeedToRedirect() {`
`1233`	`1233`	`RedirectToDatabase(Database); // to find some dynamic node and redirect query there`
`1234`	`1234`	`return true;`
`1235`	`1235`	`}`
`1236`		`- if (!Viewer->CheckAccessViewer(request)) {`
	`1236`	`+ if (checkDatabaseAuth && !Viewer->CheckAccessViewer(request)) {`
`1237`	`1237`	`ReplyAndPassAway(GetHTTPFORBIDDEN("text/html", "<html><body><h1>403 Forbidden</h1></body></html>"), "Access denied");`
`1238`	`1238`	`return true;`
`1239`	`1239`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ class TViewerCapabilities : public TViewerPipeClient {`
`15`	`15`	`{}`
`16`	`16`
`17`	`17`	`void Bootstrap() override {`
`18`		`- if (TBase::NeedToRedirect()) {`
	`18`	`+ if (TBase::NeedToRedirect(false/* don't check auth for capabilities on purpose */)) {`
`19`	`19`	`return;`
`20`	`20`	`}`
`21`	`21`	`ReplyAndPassAway();`