Check user's permissions when expiring a silence

hoangpn · hoangpn · commit ef7fa9f3014a · 2025-10-06T15:25:17.000+07:00
We implement a permission check logic at the Prometheus proxy API to ensure
that users must have the Admin or Editor role on the service/project
when they want to delete a silence for that service/project.
diff --git a/promgen/proxy.py b/promgen/proxy.py
@@ -344,6 +344,63 @@ def post(self, request, *args, **kwargs):
 class ProxyDeleteSilence(View):
     def delete(self, request, silence_id):
         url = urljoin(util.setting("alertmanager:url"), f"/api/v2/silence/{silence_id}")
+        # First, check if the silence exists
+        response = util.get(url)
+        if response.status_code != 200:
+            return HttpResponse(
+                response.text, status=response.status_code, content_type="application/json"
+            )
+
+        # Check if the user has permission to delete the silence
+        if not request.user.is_superuser:
+            silence = response.json()
+            project = None
+            service = None
+            for matcher in silence.get("matchers", []):
+                if matcher.get("name") == "project":
+                    project = matcher.get("value")
+                if matcher.get("name") == "service":
+                    service = matcher.get("value")
+            if project is None and service is None:
+                return JsonResponse(
+                    {
+                        "messages": [
+                            {
+                                "class": "alert alert-warning",
+                                "message": "Silence must have either a project or service matcher",
+                            }
+                        ]
+                    },
+                    status=HTTPStatus.UNPROCESSABLE_ENTITY,
+                )
+            permission_denied_response = JsonResponse(
+                {
+                    "messages": [
+                        {
+                            "class": "alert alert-danger",
+                            "message": "You do not have permission to delete this silence",
+                        }
+                    ]
+                },
+                status=HTTPStatus.FORBIDDEN,
+            )
+            if project:
+                project = models.Project.objects.get(name=project)
+                if (
+                    not request.user.has_perm("project_admin", project)
+                    and not request.user.has_perm("project_editor", project)
+                    and not request.user.has_perm("service_admin", project.service)
+                    and not request.user.has_perm("service_editor", project.service)
+                ):
+                    return permission_denied_response
+            elif service:
+                service = models.Service.objects.get(name=service)
+                if not request.user.has_perm(
+                    "service_admin", service
+                ) and not request.user.has_perm("service_editor", service):
+                    return permission_denied_response
+
+        # Delete the silence
         response = util.delete(url)
         return HttpResponse(
             response.text, status=response.status_code, content_type="application/json"
