Should viewer have access to Query history in Explore menu?

Hi, I’m doing a pentest for a client and reported a finding stating that a viewer can access query history by sending a GET request to /api/query-history. Is it intended? The documentation says Explore is not accessible to viewers by default.
TIA
Ashwin


You may try to report it as a security issue: Report a security issue | Grafana Labs

Hey!

It’s correct that a user with Viewer permissions can access the /api/query-history endpoint, but since a Viewer does not have sufficient permissions to use the Explore feature, the results will always be the same (empty):

{"result":{"totalCount":0,"queryHistory":null,"page":1,"perPage":100}}

However, if a user has been “downgraded” from Editor to Viewer, then the Explore history can be retrieved.

To me, this has no to negligible security impact, and I would consider this to be a security improvement that we can make to not allow a Viewer to access that endpoint, but not erasing the history.
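For anyone auditing their own instance for the downgrade case described above, here is a small check that classifies /api/query-history response bodies by the caller's role. This is an added example, not code from the thread or from Grafana; the empty body mirrors the one quoted above, while the populated body and its entry field names (uid, datasourceUid, queries) are constructed for illustration, and the caller's role is assumed to be known from your user administration rather than read from the response.

```python
import json

# Constructed sample bodies, not captured from a real Grafana instance.
# EMPTY_BODY matches the shape of the empty response quoted in the thread.
EMPTY_BODY = '{"result":{"totalCount":0,"queryHistory":null,"page":1,"perPage":100}}'

# Hypothetical body for an account that used Explore as an Editor and was
# later downgraded to Viewer. Top-level fields follow EMPTY_BODY; the entry
# fields are assumptions for illustration only.
DOWNGRADED_BODY = json.dumps({
    "result": {
        "totalCount": 2,
        "queryHistory": [
            {"uid": "hist-1", "datasourceUid": "ds-prom",
             "queries": [{"refId": "A", "expr": "up"}]},
            {"uid": "hist-2", "datasourceUid": "ds-loki",
             "queries": [{"refId": "A", "expr": "{job=\"app\"}"}]},
        ],
        "page": 1,
        "perPage": 100,
    }
})


def assess_query_history(body: str, role: str) -> dict:
    """Classify one /api/query-history response body for the caller's role.

    Finding values:
      "no_history_returned"     - no entries came back (null or an empty list)
      "viewer_received_history" - a Viewer got entries back (the downgrade case)
      "history_returned"        - a non-Viewer got entries back, which is expected
    """
    result = json.loads(body).get("result") or {}
    entries = result.get("queryHistory") or []   # null and [] both mean nothing returned
    total = int(result.get("totalCount") or 0)
    datasources = sorted({e.get("datasourceUid", "?") for e in entries})

    if not entries:
        finding = "no_history_returned"
    elif role.strip().lower() == "viewer":
        finding = "viewer_received_history"
    else:
        finding = "history_returned"

    return {
        "role": role,
        "returned": len(entries),
        "total_count": total,
        "datasources": datasources,
        "finding": finding,
    }


def audit(samples) -> list:
    """Run the check over (role, body) pairs and keep only rows that need follow-up."""
    rows = (assess_query_history(body, role) for role, body in samples)
    return [r for r in rows if r["finding"] == "viewer_received_history"]


if __name__ == "__main__":
    samples = [("Viewer", EMPTY_BODY), ("Viewer", DOWNGRADED_BODY), ("Editor", DOWNGRADED_BODY)]
    for row in audit(samples):
        print(f"{row['role']}: {row['returned']} history entries returned "
              f"across datasources {row['datasources']}")
```

The datasource UIDs in each flagged row tell you which data sources' past queries a downgraded account can still read, which is the detail you would want when deciding whether the retained history matters for your deployment.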

Thanks all! We have added an item to our backlog to have a look at this Query History: Do not return results from API if user is in the viewer role · Issue #88722 · grafana/grafana · GitHub