grafana/pkg/api/folder_permission.go

package api

import (
	"context"
	"net/http"
	"time"

	"github.com/grafana/grafana/pkg/api/apierrors"
	"github.com/grafana/grafana/pkg/api/dtos"
	"github.com/grafana/grafana/pkg/api/response"
	"github.com/grafana/grafana/pkg/infra/metrics"
	"github.com/grafana/grafana/pkg/services/auth/identity"
	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
	"github.com/grafana/grafana/pkg/services/dashboards"
	"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
	"github.com/grafana/grafana/pkg/services/folder"
	"github.com/grafana/grafana/pkg/services/org"
	"github.com/grafana/grafana/pkg/web"
)

// swagger:route GET /folders/{folder_uid}/permissions folder_permissions getFolderPermissionList
//
// Gets all existing permissions for the folder with the given `uid`.
//
// Responses:
// 200: getFolderPermissionListResponse
// 401: unauthorisedError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
func (hs *HTTPServer) GetFolderPermissionList(c *contextmodel.ReqContext) response.Response {
	uid := web.Params(c.Req)[":uid"]
	folder, err := hs.folderService.Get(c.Req.Context(), &folder.GetFolderQuery{OrgID: c.SignedInUser.GetOrgID(), UID: &uid, SignedInUser: c.SignedInUser})

	if err != nil {
		return apierrors.ToFolderErrorResponse(err)
	}

	acl, err := hs.getFolderACL(c.Req.Context(), c.SignedInUser, folder)
	if err != nil {
		return response.Error(500, "Failed to get folder permissions", err)
	}

	filteredACLs := make([]*dashboards.DashboardACLInfoDTO, 0, len(acl))
	for _, perm := range acl {
		if perm.UserID > 0 && dtos.IsHiddenUser(perm.UserLogin, c.SignedInUser, hs.Cfg) {
			continue
		}
		metrics.MFolderIDsAPICount.WithLabelValues(metrics.GetFolderPermissionList).Inc()
		// nolint:staticcheck
		perm.FolderID = folder.ID
		perm.DashboardID = 0

		perm.UserAvatarURL = dtos.GetGravatarUrl(hs.Cfg, perm.UserEmail)

		if perm.TeamID > 0 {
			perm.TeamAvatarURL = dtos.GetGravatarUrlWithDefault(hs.Cfg, perm.TeamEmail, perm.Team)
		}

		if perm.Slug != "" {
			perm.URL = dashboards.GetDashboardFolderURL(perm.IsFolder, perm.UID, perm.Slug)
		}

		filteredACLs = append(filteredACLs, perm)
	}

	return response.JSON(http.StatusOK, filteredACLs)
}

// swagger:route POST /folders/{folder_uid}/permissions folder_permissions updateFolderPermissions
//
// Updates permissions for a folder. This operation will remove existing permissions if they’re not included in the request.
//
// Responses:
// 200: okResponse
// 401: unauthorisedError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
func (hs *HTTPServer) UpdateFolderPermissions(c *contextmodel.ReqContext) response.Response {
	apiCmd := dtos.UpdateDashboardACLCommand{}
	if err := web.Bind(c.Req, &apiCmd); err != nil {
		return response.Error(http.StatusBadRequest, "bad request data", err)
	}
	if err := validatePermissionsUpdate(apiCmd); err != nil {
		return response.Error(400, err.Error(), err)
	}

	uid := web.Params(c.Req)[":uid"]
	folder, err := hs.folderService.Get(c.Req.Context(), &folder.GetFolderQuery{OrgID: c.SignedInUser.GetOrgID(), UID: &uid, SignedInUser: c.SignedInUser})
	if err != nil {
		return apierrors.ToFolderErrorResponse(err)
	}

	items := make([]*dashboards.DashboardACL, 0, len(apiCmd.Items))
	for _, item := range apiCmd.Items {
		items = append(items, &dashboards.DashboardACL{
			OrgID:       c.SignedInUser.GetOrgID(),
			DashboardID: folder.ID, // nolint:staticcheck
			UserID:      item.UserID,
			TeamID:      item.TeamID,
			Role:        item.Role,
			Permission:  item.Permission,
			Created:     time.Now(),
			Updated:     time.Now(),
		})
		metrics.MFolderIDsAPICount.WithLabelValues(metrics.UpdateFolderPermissions).Inc()
	}

	acl, err := hs.getFolderACL(c.Req.Context(), c.SignedInUser, folder)
	if err != nil {
		return response.Error(http.StatusInternalServerError, "Error while checking folder permissions", err)
	}

	items = append(items, hs.filterHiddenACL(c.SignedInUser, acl)...)

	if err := hs.updateDashboardAccessControl(c.Req.Context(), c.SignedInUser.GetOrgID(), folder.UID, true, items, acl); err != nil {
		return response.Error(http.StatusInternalServerError, "Failed to create permission", err)
	}

	return response.Success("Folder permissions updated")
}

var folderPermissionMap = map[string]dashboardaccess.PermissionType{
	"View":  dashboardaccess.PERMISSION_VIEW,
	"Edit":  dashboardaccess.PERMISSION_EDIT,
	"Admin": dashboardaccess.PERMISSION_ADMIN,
}

func (hs *HTTPServer) getFolderACL(ctx context.Context, user identity.Requester, folder *folder.Folder) ([]*dashboards.DashboardACLInfoDTO, error) {
	permissions, err := hs.folderPermissionsService.GetPermissions(ctx, user, folder.UID)
	if err != nil {
		return nil, err
	}

	acl := make([]*dashboards.DashboardACLInfoDTO, 0, len(permissions))
	for _, p := range permissions {
		if !p.IsManaged {
			continue
		}

		var role *org.RoleType
		if p.BuiltInRole != "" {
			tmp := org.RoleType(p.BuiltInRole)
			role = &tmp
		}

		permission := folderPermissionMap[hs.folderPermissionsService.MapActions(p)]

		acl = append(acl, &dashboards.DashboardACLInfoDTO{
			OrgID:          folder.OrgID,
			DashboardID:    folder.ID, // nolint:staticcheck
			FolderUID:      folder.ParentUID,
			Created:        p.Created,
			Updated:        p.Updated,
			UserID:         p.UserId,
			UserLogin:      p.UserLogin,
			UserEmail:      p.UserEmail,
			TeamID:         p.TeamId,
			TeamEmail:      p.TeamEmail,
			Team:           p.Team,
			Role:           role,
			Permission:     permission,
			PermissionName: permission.String(),
			UID:            folder.UID,
			Title:          folder.Title,
			URL:            folder.WithURL().URL,
			IsFolder:       true,
			Inherited:      false,
		})
		metrics.MFolderIDsAPICount.WithLabelValues(metrics.GetFolderPermissionList).Inc()
	}

	return acl, nil
}

// swagger:parameters getFolderPermissionList
type GetFolderPermissionListParams struct {
	// in:path
	// required:true
	FolderUID string `json:"folder_uid"`
}

// swagger:parameters updateFolderPermissions
type UpdateFolderPermissionsParams struct {
	// in:path
	// required:true
	FolderUID string `json:"folder_uid"`
	// in:body
	// required:true
	Body dtos.UpdateDashboardACLCommand
}

// swagger:response getFolderPermissionListResponse
type GetFolderPermissionsResponse struct {
	// in: body
	Body []*dashboards.DashboardACLInfoDTO `json:"body"`
}
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+								package api
 								import (
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+									"context"
-												Chore: Refactor api handlers to use web.Bind (#42199)

* Chore: Refactor api handlers to use web.Bind

* fix comments

* fix comment

* trying to fix most of the tests and force routing.Wrap type check

* fix library panels tests

* fix frontend logging tests

* allow passing nil as a response to skip writing

* return nil instead of the response

* rewrite login handler function types

* remove handlerFuncCtx

* make linter happy

* remove old bindings from the libraryelements

* restore comments
											
										
										
											2021-11-29 03:18:01 -06:00
+									"net/http"
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									"time"
-												Migrate to Wire for dependency injection (#32289)

Fixes #30144

Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
											
										
										
											2021-08-25 08:11:22 -05:00
+									"github.com/grafana/grafana/pkg/api/apierrors"
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									"github.com/grafana/grafana/pkg/api/dtos"
-												Chore: Moves common and response into separate packages (#30298)

* Chore: moves common and response into separate packages

* Chore: moves common and response into separate packages

* Update pkg/api/utils/common.go

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* Chore: changes after PR comments

* Chore: move wrap to routing package

* Chore: move functions in common to response package

* Chore: move functions in common to response package

* Chore: formats imports

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
											
										
										
											2021-01-15 07:43:20 -06:00
+									"github.com/grafana/grafana/pkg/api/response"
-												Add MFolderIDsAPICount metric to count FolderIDs in api package (#80866)

* Add MFolderIDsAPICount metric to cound FolderIDs in api package

* Change counter to counter vector with method names as string values
											
										
										
											2024-01-24 05:39:11 -06:00
+									"github.com/grafana/grafana/pkg/infra/metrics"
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+									"github.com/grafana/grafana/pkg/services/auth/identity"
-												Chore: Move ReqContext to contexthandler service (#62102)

* Chore: Move ReqContext to contexthandler service

* Rename package to contextmodel

* Generate ngalert files

* Remove unused imports
											
										
										
											2023-01-27 01:50:36 -06:00
+									contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
-												chore/backend: move dashboard errors to dashboard service (#51593)

* chore/backend: move dashboard errors to dashboard service

Dashboard-related models are slowly moving out of the models package and into dashboard services. This commit moves dashboard-related errors; the rest will come in later commits.

There are no logical code changes, this is only a structural (package) move.

* lint lint lint
											
										
										
											2022-06-30 08:31:54 -05:00
+									"github.com/grafana/grafana/pkg/services/dashboards"
-												Authz: Remove use of SignedInUser copy for permission evaluation (#78448)

* remove use of SignedInUserCopies

* add extra safety to not cross assign permissions

unwind circular dependency

dashboardacl->dashboardaccess

fix missing import

* correctly set teams for permissions

* fix missing inits

* nit: check err

* exit early for api keys
											
										
										
											2023-11-22 07:20:22 -06:00
+									"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
-												Nested Folders: Support getting of nested folder in folder service wh… (#58597)

* Nested Folders: Support getting of nested folder in folder service when feature flag is set

* Fix lint

* Fix some tests

* Fix ngalert test

* ngalert fix

* Fix API tests

* Fix some tests and lint

* Fix lint 2

* Fix library elements and panels

* Add access control to get folder

* Cleanup and minor test change
											
										
										
											2022-11-11 07:28:24 -06:00
+									"github.com/grafana/grafana/pkg/services/folder"
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+									"github.com/grafana/grafana/pkg/services/org"
-												Chore: replace macaron with web package (#40136)

* replace macaron with web package

* add web.go
											
										
										
											2021-10-11 07:30:59 -05:00
+									"github.com/grafana/grafana/pkg/web"
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+								)
-												Chore: Move swagger definitions to the handlers (#52643)


											
										
										
											2022-07-27 08:54:37 -05:00
+								// swagger:route GET /folders/{folder_uid}/permissions folder_permissions getFolderPermissionList
 								//
 								// Gets all existing permissions for the folder with the given `uid`.
 								//
 								// Responses:
 								// 200: getFolderPermissionListResponse
 								// 401: unauthorisedError
 								// 403: forbiddenError
 								// 404: notFoundError
 								// 500: internalServerError
-												Chore: Move ReqContext to contexthandler service (#62102)

* Chore: Move ReqContext to contexthandler service

* Rename package to contextmodel

* Generate ngalert files

* Remove unused imports
											
										
										
											2023-01-27 01:50:36 -06:00
+								func (hs *HTTPServer) GetFolderPermissionList(c *contextmodel.ReqContext) response.Response {
-												Nested Folders: Support getting of nested folder in folder service wh… (#58597)

* Nested Folders: Support getting of nested folder in folder service when feature flag is set

* Fix lint

* Fix some tests

* Fix ngalert test

* ngalert fix

* Fix API tests

* Fix some tests and lint

* Fix lint 2

* Fix library elements and panels

* Add access control to get folder

* Cleanup and minor test change
											
										
										
											2022-11-11 07:28:24 -06:00
+									uid := web.Params(c.Req)[":uid"]
-												Auth: Unfurl OrgID in pkg/api to allow using identity.Requester interface (#76108)

Unfurl OrgID in pkg/api to allow using identity.Requester interface
											
										
										
											2023-10-06 04:34:36 -05:00
+									folder, err := hs.folderService.Get(c.Req.Context(), &folder.GetFolderQuery{OrgID: c.SignedInUser.GetOrgID(), UID: &uid, SignedInUser: c.SignedInUser})
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
 									if err != nil {
-												Migrate to Wire for dependency injection (#32289)

Fixes #30144

Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
											
										
										
											2021-08-25 08:11:22 -05:00
+										return apierrors.ToFolderErrorResponse(err)
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									}
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+									acl, err := hs.getFolderACL(c.Req.Context(), c.SignedInUser, folder)
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									if err != nil {
-												Chore: Moves common and response into separate packages (#30298)

* Chore: moves common and response into separate packages

* Chore: moves common and response into separate packages

* Update pkg/api/utils/common.go

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* Chore: changes after PR comments

* Chore: move wrap to routing package

* Chore: move functions in common to response package

* Chore: move functions in common to response package

* Chore: formats imports

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
											
										
										
											2021-01-15 07:43:20 -06:00
+										return response.Error(500, "Failed to get folder permissions", err)
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									}
-												Chore: Remove dashboard ACL from models (#61749)

* Remove dashboard ACL from models

* Remove unused comment
											
										
										
											2023-01-20 07:58:47 -06:00
+									filteredACLs := make([]*dashboards.DashboardACLInfoDTO, 0, len(acl))
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									for _, perm := range acl {
-												Chore: Remove dashboard ACL from models (#61749)

* Remove dashboard ACL from models

* Remove unused comment
											
										
										
											2023-01-20 07:58:47 -06:00
+										if perm.UserID > 0 && dtos.IsHiddenUser(perm.UserLogin, c.SignedInUser, hs.Cfg) {
-												Add an option to hide certain users in the UI (#28942)

* Add an option to hide certain users in the UI

* revert changes for admin users routes

* fix sqlstore function name

* Improve slice management

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Hidden users: convert slice to map

* filter with user logins instead of IDs

* put HiddenUsers in Cfg struct

* hide hidden users from dashboards/folders permissions list

* Update conf/defaults.ini

Co-authored-by: Torkel Ödegaard <torkel@grafana.com>

* fix params order

* fix tests

* fix dashboard/folder update with hidden user

* add team tests

* add dashboard and folder permissions tests

* fixes after merge

* fix tests

* API: add test for org users endpoints

* update hidden users management for dashboard / folder permissions

* improve dashboard / folder permissions tests

* fixes after merge

* Guardian: add hidden acl tests

* API: add team members tests

* fix team sql syntax for postgres

* api tests update

* fix linter error

* fix tests errors after merge

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
											
										
										
											2020-11-24 05:10:32 -06:00
+											continue
 										}
-												Add MFolderIDsAPICount metric to count FolderIDs in api package (#80866)

* Add MFolderIDsAPICount metric to cound FolderIDs in api package

* Change counter to counter vector with method names as string values
											
										
										
											2024-01-24 05:39:11 -06:00
+										metrics.MFolderIDsAPICount.WithLabelValues(metrics.GetFolderPermissionList).Inc()
-												Chore: Deprecate FolderID from DashboardACLInfoDTO (#77652)

* Chore: Deprecate FolderID from DashboardACLInfoDTO

* chore: regen specs
											
										
										
											2023-11-15 09:29:20 -06:00
+										// nolint:staticcheck
-												Chore: Remove dashboard ACL from models (#61749)

* Remove dashboard ACL from models

* Remove unused comment
											
										
										
											2023-01-20 07:58:47 -06:00
+										perm.FolderID = folder.ID
 										perm.DashboardID = 0
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
-												Chore: Remove public vars in setting package (#81018)

Removes the public variable setting.SecretKey plus some other ones. 
Introduces some new functions for creating setting.Cfg.
											
										
										
											2024-01-23 05:36:22 -06:00
+										perm.UserAvatarURL = dtos.GetGravatarUrl(hs.Cfg, perm.UserEmail)
-												permissions: return user and team avatar in folder permissions api

											
										
										
											2018-04-04 08:51:19 -05:00
-												Chore: Remove dashboard ACL from models (#61749)

* Remove dashboard ACL from models

* Remove unused comment
											
										
										
											2023-01-20 07:58:47 -06:00
+										if perm.TeamID > 0 {
-												Chore: Remove public vars in setting package (#81018)

Removes the public variable setting.SecretKey plus some other ones. 
Introduces some new functions for creating setting.Cfg.
											
										
										
											2024-01-23 05:36:22 -06:00
+											perm.TeamAvatarURL = dtos.GetGravatarUrlWithDefault(hs.Cfg, perm.TeamEmail, perm.Team)
-												permissions: return user and team avatar in folder permissions api

											
										
										
											2018-04-04 08:51:19 -05:00
+										}
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+										if perm.Slug != "" {
-												Chore: Remove dashboard ACL from models (#61749)

* Remove dashboard ACL from models

* Remove unused comment
											
										
										
											2023-01-20 07:58:47 -06:00
+											perm.URL = dashboards.GetDashboardFolderURL(perm.IsFolder, perm.UID, perm.Slug)
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+										}
-												Add an option to hide certain users in the UI (#28942)

* Add an option to hide certain users in the UI

* revert changes for admin users routes

* fix sqlstore function name

* Improve slice management

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Hidden users: convert slice to map

* filter with user logins instead of IDs

* put HiddenUsers in Cfg struct

* hide hidden users from dashboards/folders permissions list

* Update conf/defaults.ini

Co-authored-by: Torkel Ödegaard <torkel@grafana.com>

* fix params order

* fix tests

* fix dashboard/folder update with hidden user

* add team tests

* add dashboard and folder permissions tests

* fixes after merge

* fix tests

* API: add test for org users endpoints

* update hidden users management for dashboard / folder permissions

* improve dashboard / folder permissions tests

* fixes after merge

* Guardian: add hidden acl tests

* API: add team members tests

* fix team sql syntax for postgres

* api tests update

* fix linter error

* fix tests errors after merge

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
											
										
										
											2020-11-24 05:10:32 -06:00
-												Rename Acl to ACL (#52342)

* Rename Acl to ACL

* Fix yaml files

* Add xorm tags and fix test
											
										
										
											2022-07-18 08:14:58 -05:00
+										filteredACLs = append(filteredACLs, perm)
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									}
-												Rename Acl to ACL (#52342)

* Rename Acl to ACL

* Fix yaml files

* Add xorm tags and fix test
											
										
										
											2022-07-18 08:14:58 -05:00
+									return response.JSON(http.StatusOK, filteredACLs)
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+								}
-												Chore: Move swagger definitions to the handlers (#52643)


											
										
										
											2022-07-27 08:54:37 -05:00
+								// swagger:route POST /folders/{folder_uid}/permissions folder_permissions updateFolderPermissions
 								//
 								// Updates permissions for a folder. This operation will remove existing permissions if they’re not included in the request.
 								//
 								// Responses:
 								// 200: okResponse
 								// 401: unauthorisedError
 								// 403: forbiddenError
 								// 404: notFoundError
 								// 500: internalServerError
-												Chore: Move ReqContext to contexthandler service (#62102)

* Chore: Move ReqContext to contexthandler service

* Rename package to contextmodel

* Generate ngalert files

* Remove unused imports
											
										
										
											2023-01-27 01:50:36 -06:00
+								func (hs *HTTPServer) UpdateFolderPermissions(c *contextmodel.ReqContext) response.Response {
-												Rename Acl to ACL (#52342)

* Rename Acl to ACL

* Fix yaml files

* Add xorm tags and fix test
											
										
										
											2022-07-18 08:14:58 -05:00
+									apiCmd := dtos.UpdateDashboardACLCommand{}
-												Chore: Refactor api handlers to use web.Bind (#42199)

* Chore: Refactor api handlers to use web.Bind

* fix comments

* fix comment

* trying to fix most of the tests and force routing.Wrap type check

* fix library panels tests

* fix frontend logging tests

* allow passing nil as a response to skip writing

* return nil instead of the response

* rewrite login handler function types

* remove handlerFuncCtx

* make linter happy

* remove old bindings from the libraryelements

* restore comments
											
										
										
											2021-11-29 03:18:01 -06:00
+									if err := web.Bind(c.Req, &apiCmd); err != nil {
 										return response.Error(http.StatusBadRequest, "bad request data", err)
 									}
-												Permissions: Validate against Team/User permission role update (#29101)

* validate against role field update

* lowercase error string

* make all msgs consistent style

* fix wording

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* sayonara simple json

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
											
										
										
											2020-11-18 08:36:41 -06:00
+									if err := validatePermissionsUpdate(apiCmd); err != nil {
-												Chore: Moves common and response into separate packages (#30298)

* Chore: moves common and response into separate packages

* Chore: moves common and response into separate packages

* Update pkg/api/utils/common.go

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* Chore: changes after PR comments

* Chore: move wrap to routing package

* Chore: move functions in common to response package

* Chore: move functions in common to response package

* Chore: formats imports

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
											
										
										
											2021-01-15 07:43:20 -06:00
+										return response.Error(400, err.Error(), err)
-												Permissions: Validate against Team/User permission role update (#29101)

* validate against role field update

* lowercase error string

* make all msgs consistent style

* fix wording

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* sayonara simple json

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
											
										
										
											2020-11-18 08:36:41 -06:00
+									}
-												Nested Folders: Support getting of nested folder in folder service wh… (#58597)

* Nested Folders: Support getting of nested folder in folder service when feature flag is set

* Fix lint

* Fix some tests

* Fix ngalert test

* ngalert fix

* Fix API tests

* Fix some tests and lint

* Fix lint 2

* Fix library elements and panels

* Add access control to get folder

* Cleanup and minor test change
											
										
										
											2022-11-11 07:28:24 -06:00
+									uid := web.Params(c.Req)[":uid"]
-												Auth: Unfurl OrgID in pkg/api to allow using identity.Requester interface (#76108)

Unfurl OrgID in pkg/api to allow using identity.Requester interface
											
										
										
											2023-10-06 04:34:36 -05:00
+									folder, err := hs.folderService.Get(c.Req.Context(), &folder.GetFolderQuery{OrgID: c.SignedInUser.GetOrgID(), UID: &uid, SignedInUser: c.SignedInUser})
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									if err != nil {
-												Migrate to Wire for dependency injection (#32289)

Fixes #30144

Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
											
										
										
											2021-08-25 08:11:22 -05:00
+										return apierrors.ToFolderErrorResponse(err)
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									}
-												Chore: Remove dashboard ACL from models (#61749)

* Remove dashboard ACL from models

* Remove unused comment
											
										
										
											2023-01-20 07:58:47 -06:00
+									items := make([]*dashboards.DashboardACL, 0, len(apiCmd.Items))
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									for _, item := range apiCmd.Items {
-												Chore: Remove dashboard ACL from models (#61749)

* Remove dashboard ACL from models

* Remove unused comment
											
										
										
											2023-01-20 07:58:47 -06:00
+										items = append(items, &dashboards.DashboardACL{
-												Auth: Unfurl OrgID in pkg/api to allow using identity.Requester interface (#76108)

Unfurl OrgID in pkg/api to allow using identity.Requester interface
											
										
										
											2023-10-06 04:34:36 -05:00
+											OrgID:       c.SignedInUser.GetOrgID(),
-												Chore: Deprecate ID from Folder (#78281)

* Chore: Deprecate ID from Folder

* chore: add more linter comments

* chore: add missing lint comment
											
										
										
											2023-11-20 14:44:51 -06:00
+											DashboardID: folder.ID, // nolint:staticcheck
-												Backend: Rename variables for style conformance (#29097)

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
											
										
										
											2020-11-17 10:09:14 -06:00
+											UserID:      item.UserID,
 											TeamID:      item.TeamID,
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+											Role:        item.Role,
 											Permission:  item.Permission,
 											Created:     time.Now(),
 											Updated:     time.Now(),
 										})
-												Add MFolderIDsAPICount metric to count FolderIDs in api package (#80866)

* Add MFolderIDsAPICount metric to cound FolderIDs in api package

* Change counter to counter vector with method names as string values
											
										
										
											2024-01-24 05:39:11 -06:00
+										metrics.MFolderIDsAPICount.WithLabelValues(metrics.UpdateFolderPermissions).Inc()
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									}
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+									acl, err := hs.getFolderACL(c.Req.Context(), c.SignedInUser, folder)
-												Add an option to hide certain users in the UI (#28942)

* Add an option to hide certain users in the UI

* revert changes for admin users routes

* fix sqlstore function name

* Improve slice management

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Hidden users: convert slice to map

* filter with user logins instead of IDs

* put HiddenUsers in Cfg struct

* hide hidden users from dashboards/folders permissions list

* Update conf/defaults.ini

Co-authored-by: Torkel Ödegaard <torkel@grafana.com>

* fix params order

* fix tests

* fix dashboard/folder update with hidden user

* add team tests

* add dashboard and folder permissions tests

* fixes after merge

* fix tests

* API: add test for org users endpoints

* update hidden users management for dashboard / folder permissions

* improve dashboard / folder permissions tests

* fixes after merge

* Guardian: add hidden acl tests

* API: add team members tests

* fix team sql syntax for postgres

* api tests update

* fix linter error

* fix tests errors after merge

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
											
										
										
											2020-11-24 05:10:32 -06:00
+									if err != nil {
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+										return response.Error(http.StatusInternalServerError, "Error while checking folder permissions", err)
-												Add an option to hide certain users in the UI (#28942)

* Add an option to hide certain users in the UI

* revert changes for admin users routes

* fix sqlstore function name

* Improve slice management

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Hidden users: convert slice to map

* filter with user logins instead of IDs

* put HiddenUsers in Cfg struct

* hide hidden users from dashboards/folders permissions list

* Update conf/defaults.ini

Co-authored-by: Torkel Ödegaard <torkel@grafana.com>

* fix params order

* fix tests

* fix dashboard/folder update with hidden user

* add team tests

* add dashboard and folder permissions tests

* fixes after merge

* fix tests

* API: add test for org users endpoints

* update hidden users management for dashboard / folder permissions

* improve dashboard / folder permissions tests

* fixes after merge

* Guardian: add hidden acl tests

* API: add team members tests

* fix team sql syntax for postgres

* api tests update

* fix linter error

* fix tests errors after merge

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
											
										
										
											2020-11-24 05:10:32 -06:00
+									}
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+									items = append(items, hs.filterHiddenACL(c.SignedInUser, acl)...)
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
-												Auth: Unfurl OrgID in pkg/api to allow using identity.Requester interface (#76108)

Unfurl OrgID in pkg/api to allow using identity.Requester interface
											
										
										
											2023-10-06 04:34:36 -05:00
+									if err := hs.updateDashboardAccessControl(c.Req.Context(), c.SignedInUser.GetOrgID(), folder.UID, true, items, acl); err != nil {
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+										return response.Error(http.StatusInternalServerError, "Failed to create permission", err)
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									}
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+									return response.Success("Folder permissions updated")
 								}
-												Authz: Remove use of SignedInUser copy for permission evaluation (#78448)

* remove use of SignedInUserCopies

* add extra safety to not cross assign permissions

unwind circular dependency

dashboardacl->dashboardaccess

fix missing import

* correctly set teams for permissions

* fix missing inits

* nit: check err

* exit early for api keys
											
										
										
											2023-11-22 07:20:22 -06:00
+								var folderPermissionMap = map[string]dashboardaccess.PermissionType{
 									"View":  dashboardaccess.PERMISSION_VIEW,
 									"Edit":  dashboardaccess.PERMISSION_EDIT,
 									"Admin": dashboardaccess.PERMISSION_ADMIN,
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+								}
 								func (hs *HTTPServer) getFolderACL(ctx context.Context, user identity.Requester, folder *folder.Folder) ([]*dashboards.DashboardACLInfoDTO, error) {
 									permissions, err := hs.folderPermissionsService.GetPermissions(ctx, user, folder.UID)
-												AC: Remove legacy AC from folders permissions API (#71526)

* Remove legacy AC from folder permissions API

* Update pkg/api/folder_permission.go

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
											
										
										
											2023-07-17 11:21:01 -05:00
+									if err != nil {
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+										return nil, err
-												Access control: Use access control for dashboard and folder (#44702)

* Add actions and scopes

* add resource service for dashboard and folder

* Add dashboard guardian with fgac permission evaluation

* Add CanDelete function to guardian interface

* Add CanDelete property to folder and dashboard dto and set values

* change to correct function name

* Add accesscontrol to folder endpoints

* add access control to dashboard endpoints

* check access for nav links

* Add fixed roles for dashboard and folders

* use correct package

* add hack to override guardian Constructor if accesscontrol is enabled

* Add services

* Add function to handle api backward compatability

* Add permissionServices to HttpServer

* Set permission when new dashboard is created

* Add default permission when creating new dashboard

* Set default permission when creating folder and dashboard

* Add access control filter for dashboard search

* Add to accept list

* Add accesscontrol to dashboardimport

* Disable access control in tests

* Add check to see if user is allow to create a dashboard

* Use SetPermissions

* Use function to set several permissions at once

* remove permissions for folder and dashboard on delete

* update required permission

* set permission for provisioning

* Add CanCreate to dashboard guardian and set correct permisisons for
provisioning

* Dont set admin on folder / dashboard creation

* Add dashboard and folder permission migrations

* Add tests for CanCreate

* Add roles and update descriptions

* Solve uid to id for dashboard and folder permissions

* Add folder and dashboard actions to permission filter

* Handle viewer_can_edit flag

* set folder and dashboard permissions services

* Add dashboard permissions when importing a new dashboard

* Set access control permissions on provisioning

* Pass feature flags and only set permissions if access control is enabled

* only add default permissions for folders and dashboards without folders

* Batch create permissions in migrations


* Remove `dashboards:edit` action

* Remove unused function from interface

* Update pkg/services/guardian/accesscontrol_guardian_test.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
											
										
										
											2022-03-03 08:05:47 -06:00
+									}
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
 									acl := make([]*dashboards.DashboardACLInfoDTO, 0, len(permissions))
 									for _, p := range permissions {
 										if !p.IsManaged {
 											continue
 										}
 										var role *org.RoleType
 										if p.BuiltInRole != "" {
 											tmp := org.RoleType(p.BuiltInRole)
 											role = &tmp
 										}
 										permission := folderPermissionMap[hs.folderPermissionsService.MapActions(p)]
 										acl = append(acl, &dashboards.DashboardACLInfoDTO{
 											OrgID:          folder.OrgID,
-												Chore: Deprecate ID from Folder (#78281)

* Chore: Deprecate ID from Folder

* chore: add more linter comments

* chore: add missing lint comment
											
										
										
											2023-11-20 14:44:51 -06:00
+											DashboardID:    folder.ID, // nolint:staticcheck
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
+											FolderUID:      folder.ParentUID,
 											Created:        p.Created,
 											Updated:        p.Updated,
 											UserID:         p.UserId,
 											UserLogin:      p.UserLogin,
 											UserEmail:      p.UserEmail,
 											TeamID:         p.TeamId,
 											TeamEmail:      p.TeamEmail,
 											Team:           p.Team,
 											Role:           role,
 											Permission:     permission,
 											PermissionName: permission.String(),
 											UID:            folder.UID,
 											Title:          folder.Title,
 											URL:            folder.WithURL().URL,
 											IsFolder:       true,
 											Inherited:      false,
 										})
-												Add MFolderIDsAPICount metric to count FolderIDs in api package (#80866)

* Add MFolderIDsAPICount metric to cound FolderIDs in api package

* Change counter to counter vector with method names as string values
											
										
										
											2024-01-24 05:39:11 -06:00
+										metrics.MFolderIDsAPICount.WithLabelValues(metrics.GetFolderPermissionList).Inc()
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+									}
-												authz: Clean up acl endpoints and dashboard guardian (#73746)

* RBAC: remove unnessisary guardian construction and update tests

* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test

* RBAC: remove usage of guardian in update and get permissions for dashboards

											
										
										
											2023-08-24 08:37:54 -05:00
 									return acl, nil
-												folders: folder permission api routes

											
										
										
											2018-02-20 08:25:16 -06:00
+								}
-												Chore: Move swagger definitions to the handlers (#52643)


											
										
										
											2022-07-27 08:54:37 -05:00
 								// swagger:parameters getFolderPermissionList
 								type GetFolderPermissionListParams struct {
 									// in:path
 									// required:true
 									FolderUID string `json:"folder_uid"`
 								}
 								// swagger:parameters updateFolderPermissions
 								type UpdateFolderPermissionsParams struct {
 									// in:path
 									// required:true
 									FolderUID string `json:"folder_uid"`
 									// in:body
 									// required:true
 									Body dtos.UpdateDashboardACLCommand
 								}
 								// swagger:response getFolderPermissionListResponse
 								type GetFolderPermissionsResponse struct {
 									// in: body
-												Chore: Remove dashboard ACL from models (#61749)

* Remove dashboard ACL from models

* Remove unused comment
											
										
										
											2023-01-20 07:58:47 -06:00
+									Body []*dashboards.DashboardACLInfoDTO `json:"body"`
-												Chore: Move swagger definitions to the handlers (#52643)


											
										
										
											2022-07-27 08:54:37 -05:00
+								}