IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-16 18:34:52 -06:00
Code Issues Packages Projects Releases Wiki Activity
18615a3357
grafana/pkg/api/dashboard_test.go

933 lines
32 KiB
Go
Raw Normal View History

WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
package api
import (
"encoding/json"
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
"fmt"
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
"testing"
"github.com/grafana/grafana/pkg/api/dtos"
"github.com/grafana/grafana/pkg/bus"
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
"github.com/grafana/grafana/pkg/components/simplejson"
dashboard acl fixes
2017-06-22 16:43:55 -05:00
m "github.com/grafana/grafana/pkg/models"
alerting: propagate alert validation issues to the user instead of just 'invalid alert data' message
2018-10-13 00:53:28 -05:00
"github.com/grafana/grafana/pkg/services/alerting"
fix: fixed dashboard api tests
2017-12-12 09:15:24 -06:00
"github.com/grafana/grafana/pkg/services/dashboards"
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
"github.com/grafana/grafana/pkg/setting"
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
. "github.com/smartystreets/goconvey/convey"
)
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
// This tests three main scenarios.
// If a user has access to execute an action on a dashboard:
// 1. and the dashboard is in a folder which does not have an acl
// 2. and the dashboard is in a folder which does have an acl
// 3. Post dashboard response tests
dashfolders: adds comment for dashboard api tests
2018-01-30 07:09:30 -06:00
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
func TestDashboardApiEndpoint(t *testing.T) {
Convey("Given a dashboard with a parent folder which does not have an acl", t, func() {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
fakeDash := m.NewDashboard("Child dash")
refactoring dashoard folder guardian
2017-06-17 17:24:38 -05:00
fakeDash.Id = 1
dashboard folder search fix
2017-06-23 15:00:26 -05:00
fakeDash.FolderId = 1
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
fakeDash.HasAcl = false
dashboards: add validation to delete dashboard by slug Validates that there are only one folder/dashboard having that slug, otherwise returns 412 Precondition Failed
2018-01-31 09:51:06 -06:00
bus.AddHandler("test", func(query *m.GetDashboardsBySlugQuery) error {
dashboards := []*m.Dashboard{fakeDash}
query.Result = dashboards
return nil
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
var getDashboardQueries []*m.GetDashboardQuery
dashboard acl fixes
2017-06-22 16:43:55 -05:00
bus.AddHandler("test", func(query *m.GetDashboardQuery) error {
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
query.Result = fakeDash
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
getDashboardQueries = append(getDashboardQueries, query)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
return nil
})
provisioning: simplify db query the GetProvisionedDashboardQuery wasent used for anything else than check if a dashboard is provisioned or not. So we simplified this query to make it more maintainable.
2018-04-10 05:30:37 -05:00
bus.AddHandler("test", func(query *m.IsDashboardProvisionedQuery) error {
query.Result = false
provisioning: fixes broken tests
2018-04-10 03:48:10 -05:00
return nil
})
dashboard acl fixes
2017-06-22 16:43:55 -05:00
viewerRole := m.ROLE_VIEWER
editorRole := m.ROLE_EDITOR
aclMockResp := []*m.DashboardAclInfoDTO{
{Role: &viewerRole, Permission: m.PERMISSION_VIEW},
{Role: &editorRole, Permission: m.PERMISSION_EDIT},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
refactoring dashboard folder security checks
2017-06-19 14:22:42 -05:00
query.Result = aclMockResp
return nil
})
refactor: rename User Groups to Teams
2017-12-08 09:25:45 -06:00
bus.AddHandler("test", func(query *m.GetTeamsByUserQuery) error {
Refactor team pages to react & design change (#12574) * Rewriting team pages in react * teams to react progress * teams: getting team by id returns same DTO as search, needed for AvatarUrl * teams: progress on new team pages * fix: team test * listing team members and removing team members now works * teams: team member page now works * ux: fixed adding team member issue * refactoring TeamPicker to conform to react coding styles better * teams: very close to being done with team page rewrite * minor style tweak * ux: polish to team pages * feature: team pages in react & everything working * fix: removed flickering when changing tabs by always rendering PageHeader
2018-07-11 13:23:07 -05:00
query.Result = []*m.TeamDTO{}
dashboard acl fixes
2017-06-22 16:43:55 -05:00
return nil
})
dashfolders: adds comment for dashboard api tests
2018-01-30 07:09:30 -06:00
// This tests two scenarios:
// 1. user is an org viewer
// 2. user is an org editor
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("When user is an Org Viewer", func() {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
role := m.ROLE_VIEWER
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dash := GetDashboardShouldReturn200(sc)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should not be able to edit or save dashboard", func() {
So(dash.Meta.CanEdit, ShouldBeFalse)
So(dash.Meta.CanSave, ShouldBeFalse)
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
So(dash.Meta.CanAdmin, ShouldBeFalse)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dash := GetDashboardShouldReturn200(sc)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should not be able to edit or save dashboard", func() {
So(dash.Meta.CanEdit, ShouldBeFalse)
So(dash.Meta.CanSave, ShouldBeFalse)
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
So(dash.Meta.CanAdmin, ShouldBeFalse)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
CallDeleteDashboard(sc)
So(sc.resp.Code, ShouldEqual, 403)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
Make golint happier
2018-03-22 06:37:35 -05:00
CallDeleteDashboardByUID(sc)
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
So(sc.resp.Code, ShouldEqual, 403)
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
WIP: permission checking for dash version api methods
2017-06-13 17:28:34 -05:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions/1", "/api/dashboards/id/:dashboardId/versions/:id", role, func(sc *scenarioContext) {
CallGetDashboardVersion(sc)
So(sc.resp.Code, ShouldEqual, 403)
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions", "/api/dashboards/id/:dashboardId/versions", role, func(sc *scenarioContext) {
CallGetDashboardVersions(sc)
So(sc.resp.Code, ShouldEqual, 403)
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
Convey("When user is an Org Editor", func() {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
role := m.ROLE_EDITOR
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dash := GetDashboardShouldReturn200(sc)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should be able to edit or save dashboard", func() {
So(dash.Meta.CanEdit, ShouldBeTrue)
So(dash.Meta.CanSave, ShouldBeTrue)
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
So(dash.Meta.CanAdmin, ShouldBeFalse)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dash := GetDashboardShouldReturn200(sc)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should be able to edit or save dashboard", func() {
So(dash.Meta.CanEdit, ShouldBeTrue)
So(dash.Meta.CanSave, ShouldBeTrue)
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
So(dash.Meta.CanAdmin, ShouldBeFalse)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
CallDeleteDashboard(sc)
So(sc.resp.Code, ShouldEqual, 200)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
Make golint happier
2018-03-22 06:37:35 -05:00
CallDeleteDashboardByUID(sc)
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
So(sc.resp.Code, ShouldEqual, 200)
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
WIP: permission checking for dash version api methods
2017-06-13 17:28:34 -05:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions/1", "/api/dashboards/id/:dashboardId/versions/:id", role, func(sc *scenarioContext) {
CallGetDashboardVersion(sc)
So(sc.resp.Code, ShouldEqual, 200)
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions", "/api/dashboards/id/:dashboardId/versions", role, func(sc *scenarioContext) {
CallGetDashboardVersions(sc)
So(sc.resp.Code, ShouldEqual, 200)
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
})
Convey("Given a dashboard with a parent folder which has an acl", t, func() {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
fakeDash := m.NewDashboard("Child dash")
refactoring dashoard folder guardian
2017-06-17 17:24:38 -05:00
fakeDash.Id = 1
dashboard folder search fix
2017-06-23 15:00:26 -05:00
fakeDash.FolderId = 1
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
fakeDash.HasAcl = true
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
setting.ViewersCanEdit = false
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
provisioning: simplify db query the GetProvisionedDashboardQuery wasent used for anything else than check if a dashboard is provisioned or not. So we simplified this query to make it more maintainable.
2018-04-10 05:30:37 -05:00
bus.AddHandler("test", func(query *m.IsDashboardProvisionedQuery) error {
query.Result = false
provisioning: fixes broken tests
2018-04-10 03:48:10 -05:00
return nil
})
dashboards: add validation to delete dashboard by slug Validates that there are only one folder/dashboard having that slug, otherwise returns 412 Precondition Failed
2018-01-31 09:51:06 -06:00
bus.AddHandler("test", func(query *m.GetDashboardsBySlugQuery) error {
dashboards := []*m.Dashboard{fakeDash}
query.Result = dashboards
return nil
})
dashboard acl fixes
2017-06-22 16:43:55 -05:00
aclMockResp := []*m.DashboardAclInfoDTO{
refactoring dashboard folder security checks
2017-06-19 14:22:42 -05:00
{
DashboardId: 1,
dashboard acl fixes
2017-06-22 16:43:55 -05:00
Permission: m.PERMISSION_EDIT,
refactoring dashboard folder security checks
2017-06-19 14:22:42 -05:00
UserId: 200,
},
}
dashboard acl fixes
2017-06-22 16:43:55 -05:00
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
refactoring dashboard folder security checks
2017-06-19 14:22:42 -05:00
query.Result = aclMockResp
return nil
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
var getDashboardQueries []*m.GetDashboardQuery
dashboard acl fixes
2017-06-22 16:43:55 -05:00
bus.AddHandler("test", func(query *m.GetDashboardQuery) error {
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
query.Result = fakeDash
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
getDashboardQueries = append(getDashboardQueries, query)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
return nil
})
refactor: rename User Groups to Teams
2017-12-08 09:25:45 -06:00
bus.AddHandler("test", func(query *m.GetTeamsByUserQuery) error {
Refactor team pages to react & design change (#12574) * Rewriting team pages in react * teams to react progress * teams: getting team by id returns same DTO as search, needed for AvatarUrl * teams: progress on new team pages * fix: team test * listing team members and removing team members now works * teams: team member page now works * ux: fixed adding team member issue * refactoring TeamPicker to conform to react coding styles better * teams: very close to being done with team page rewrite * minor style tweak * ux: polish to team pages * feature: team pages in react & everything working * fix: removed flickering when changing tabs by always rendering PageHeader
2018-07-11 13:23:07 -05:00
query.Result = []*m.TeamDTO{}
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
return nil
})
dashfolders: adds comment for dashboard api tests
2018-01-30 07:09:30 -06:00
// This tests six scenarios:
// 1. user is an org viewer AND has no permissions for this dashboard
// 2. user is an org editor AND has no permissions for this dashboard
// 3. user is an org viewer AND has been granted edit permission for the dashboard
// 4. user is an org viewer AND all viewers have edit permission for this dashboard
// 5. user is an org viewer AND has been granted an admin permission
// 6. user is an org editor AND has been granted a view permission
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("When user is an Org Viewer and has no permissions for this dashboard", func() {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
role := m.ROLE_VIEWER
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
sc.handlerFunc = GetDashboard
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should be denied access", func() {
So(sc.resp.Code, ShouldEqual, 403)
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
sc.handlerFunc = GetDashboard
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should be denied access", func() {
So(sc.resp.Code, ShouldEqual, 403)
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
CallDeleteDashboard(sc)
So(sc.resp.Code, ShouldEqual, 403)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
Make golint happier
2018-03-22 06:37:35 -05:00
CallDeleteDashboardByUID(sc)
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
So(sc.resp.Code, ShouldEqual, 403)
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
WIP: permission checking for dash version api methods
2017-06-13 17:28:34 -05:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions/1", "/api/dashboards/id/:dashboardId/versions/:id", role, func(sc *scenarioContext) {
CallGetDashboardVersion(sc)
So(sc.resp.Code, ShouldEqual, 403)
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions", "/api/dashboards/id/:dashboardId/versions", role, func(sc *scenarioContext) {
CallGetDashboardVersions(sc)
So(sc.resp.Code, ShouldEqual, 403)
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
Convey("When user is an Org Editor and has no permissions for this dashboard", func() {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
role := m.ROLE_EDITOR
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
sc.handlerFunc = GetDashboard
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should be denied access", func() {
So(sc.resp.Code, ShouldEqual, 403)
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
sc.handlerFunc = GetDashboard
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should be denied access", func() {
So(sc.resp.Code, ShouldEqual, 403)
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
CallDeleteDashboard(sc)
So(sc.resp.Code, ShouldEqual, 403)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
Make golint happier
2018-03-22 06:37:35 -05:00
CallDeleteDashboardByUID(sc)
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
So(sc.resp.Code, ShouldEqual, 403)
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
WIP: permission checking for dash version api methods
2017-06-13 17:28:34 -05:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions/1", "/api/dashboards/id/:dashboardId/versions/:id", role, func(sc *scenarioContext) {
CallGetDashboardVersion(sc)
So(sc.resp.Code, ShouldEqual, 403)
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions", "/api/dashboards/id/:dashboardId/versions", role, func(sc *scenarioContext) {
CallGetDashboardVersions(sc)
So(sc.resp.Code, ShouldEqual, 403)
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
Convey("When user is an Org Viewer but has an edit permission", func() {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
role := m.ROLE_VIEWER
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboard acl fixes
2017-06-22 16:43:55 -05:00
mockResult := []*m.DashboardAclInfoDTO{
Dashboard acl query fixes (#10909) * initial fixes for dashboard permission acl list query, fixes #10864 * permissions: refactoring of acl api and query
2018-02-14 08:04:26 -06:00
{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_EDIT},
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
}
dashboard acl fixes
2017-06-22 16:43:55 -05:00
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
query.Result = mockResult
return nil
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dash := GetDashboardShouldReturn200(sc)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should be able to get dashboard with edit rights", func() {
So(dash.Meta.CanEdit, ShouldBeTrue)
So(dash.Meta.CanSave, ShouldBeTrue)
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
So(dash.Meta.CanAdmin, ShouldBeFalse)
})
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
dash := GetDashboardShouldReturn200(sc)
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should be able to get dashboard with edit rights", func() {
So(dash.Meta.CanEdit, ShouldBeTrue)
So(dash.Meta.CanSave, ShouldBeTrue)
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
So(dash.Meta.CanAdmin, ShouldBeFalse)
})
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
CallDeleteDashboard(sc)
So(sc.resp.Code, ShouldEqual, 200)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
})
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
Make golint happier
2018-03-22 06:37:35 -05:00
CallDeleteDashboardByUID(sc)
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
So(sc.resp.Code, ShouldEqual, 200)
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions/1", "/api/dashboards/id/:dashboardId/versions/:id", role, func(sc *scenarioContext) {
CallGetDashboardVersion(sc)
So(sc.resp.Code, ShouldEqual, 200)
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions", "/api/dashboards/id/:dashboardId/versions", role, func(sc *scenarioContext) {
CallGetDashboardVersions(sc)
So(sc.resp.Code, ShouldEqual, 200)
})
})
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
Convey("When user is an Org Viewer and viewers can edit", func() {
role := m.ROLE_VIEWER
setting.ViewersCanEdit = true
mockResult := []*m.DashboardAclInfoDTO{
Dashboard acl query fixes (#10909) * initial fixes for dashboard permission acl list query, fixes #10864 * permissions: refactoring of acl api and query
2018-02-14 08:04:26 -06:00
{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_VIEW},
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = mockResult
return nil
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
dash := GetDashboardShouldReturn200(sc)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
Convey("Should be able to get dashboard with edit rights but can save should be false", func() {
So(dash.Meta.CanEdit, ShouldBeTrue)
So(dash.Meta.CanSave, ShouldBeFalse)
So(dash.Meta.CanAdmin, ShouldBeFalse)
})
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
dash := GetDashboardShouldReturn200(sc)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
Convey("Should be able to get dashboard with edit rights but can save should be false", func() {
So(dash.Meta.CanEdit, ShouldBeTrue)
So(dash.Meta.CanSave, ShouldBeFalse)
So(dash.Meta.CanAdmin, ShouldBeFalse)
})
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
CallDeleteDashboard(sc)
So(sc.resp.Code, ShouldEqual, 403)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
})
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
Make golint happier
2018-03-22 06:37:35 -05:00
CallDeleteDashboardByUID(sc)
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
So(sc.resp.Code, ShouldEqual, 403)
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
})
})
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
Convey("When user is an Org Viewer but has an admin permission", func() {
role := m.ROLE_VIEWER
mockResult := []*m.DashboardAclInfoDTO{
Dashboard acl query fixes (#10909) * initial fixes for dashboard permission acl list query, fixes #10864 * permissions: refactoring of acl api and query
2018-02-14 08:04:26 -06:00
{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_ADMIN},
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = mockResult
return nil
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
dash := GetDashboardShouldReturn200(sc)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
Convey("Should be able to get dashboard with edit rights", func() {
So(dash.Meta.CanEdit, ShouldBeTrue)
So(dash.Meta.CanSave, ShouldBeTrue)
So(dash.Meta.CanAdmin, ShouldBeTrue)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
dash := GetDashboardShouldReturn200(sc)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
dashfolders: use canadmin permission in settings menu
2017-06-22 17:34:19 -05:00
Convey("Should be able to get dashboard with edit rights", func() {
So(dash.Meta.CanEdit, ShouldBeTrue)
So(dash.Meta.CanSave, ShouldBeTrue)
So(dash.Meta.CanAdmin, ShouldBeTrue)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
CallDeleteDashboard(sc)
So(sc.resp.Code, ShouldEqual, 200)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
Make golint happier
2018-03-22 06:37:35 -05:00
CallDeleteDashboardByUID(sc)
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
So(sc.resp.Code, ShouldEqual, 200)
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
WIP: permission checking for dash version api methods
2017-06-13 17:28:34 -05:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions/1", "/api/dashboards/id/:dashboardId/versions/:id", role, func(sc *scenarioContext) {
CallGetDashboardVersion(sc)
So(sc.resp.Code, ShouldEqual, 200)
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions", "/api/dashboards/id/:dashboardId/versions", role, func(sc *scenarioContext) {
CallGetDashboardVersions(sc)
So(sc.resp.Code, ShouldEqual, 200)
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
Convey("When user is an Org Editor but has a view permission", func() {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
role := m.ROLE_EDITOR
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboard acl fixes
2017-06-22 16:43:55 -05:00
mockResult := []*m.DashboardAclInfoDTO{
Dashboard acl query fixes (#10909) * initial fixes for dashboard permission acl list query, fixes #10864 * permissions: refactoring of acl api and query
2018-02-14 08:04:26 -06:00
{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_VIEW},
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
}
dashboard acl fixes
2017-06-22 16:43:55 -05:00
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
query.Result = mockResult
return nil
})
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dash := GetDashboardShouldReturn200(sc)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
Convey("Should not be able to edit or save dashboard", func() {
So(dash.Meta.CanEdit, ShouldBeFalse)
So(dash.Meta.CanSave, ShouldBeFalse)
})
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dash := GetDashboardShouldReturn200(sc)
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
Convey("Should not be able to edit or save dashboard", func() {
So(dash.Meta.CanEdit, ShouldBeFalse)
So(dash.Meta.CanSave, ShouldBeFalse)
})
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/db/child-dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
CallDeleteDashboard(sc)
So(sc.resp.Code, ShouldEqual, 403)
dashboards: add support for retrieving a dashboard by uid Introduces new url in api /dashboards/<uid> for fetching dashboard by unique id Leave the old dashboard by slug url /dashboards/db/<slug> for backward compatibility and for supporting fallback WIP for #7883
2018-01-29 14:23:07 -06:00
Convey("Should lookup dashboard by slug", func() {
So(getDashboardQueries[0].Slug, ShouldEqual, "child-dash")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/uid/abcdefghi", "/api/dashboards/uid/:uid", role, func(sc *scenarioContext) {
Make golint happier
2018-03-22 06:37:35 -05:00
CallDeleteDashboardByUID(sc)
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
So(sc.resp.Code, ShouldEqual, 403)
Convey("Should lookup dashboard by uid", func() {
So(getDashboardQueries[0].Uid, ShouldEqual, "abcdefghi")
})
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
})
WIP: permission checking for dash version api methods
2017-06-13 17:28:34 -05:00
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions/1", "/api/dashboards/id/:dashboardId/versions/:id", role, func(sc *scenarioContext) {
CallGetDashboardVersion(sc)
So(sc.resp.Code, ShouldEqual, 403)
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/2/versions", "/api/dashboards/id/:dashboardId/versions", role, func(sc *scenarioContext) {
CallGetDashboardVersions(sc)
So(sc.resp.Code, ShouldEqual, 403)
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
})
})
dashboards: add validation to delete dashboard by slug Validates that there are only one folder/dashboard having that slug, otherwise returns 412 Precondition Failed
2018-01-31 09:51:06 -06:00
Convey("Given two dashboards with the same title in different folders", t, func() {
dashOne := m.NewDashboard("dash")
dashOne.Id = 2
dashOne.FolderId = 1
dashOne.HasAcl = false
dashTwo := m.NewDashboard("dash")
dashTwo.Id = 4
dashTwo.FolderId = 3
dashTwo.HasAcl = false
provisioning: simplify db query the GetProvisionedDashboardQuery wasent used for anything else than check if a dashboard is provisioned or not. So we simplified this query to make it more maintainable.
2018-04-10 05:30:37 -05:00
bus.AddHandler("test", func(query *m.IsDashboardProvisionedQuery) error {
query.Result = false
provisioning: fixes broken tests
2018-04-10 03:48:10 -05:00
return nil
})
dashboards: add validation to delete dashboard by slug Validates that there are only one folder/dashboard having that slug, otherwise returns 412 Precondition Failed
2018-01-31 09:51:06 -06:00
bus.AddHandler("test", func(query *m.GetDashboardsBySlugQuery) error {
dashboards := []*m.Dashboard{dashOne, dashTwo}
query.Result = dashboards
return nil
})
role := m.ROLE_EDITOR
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/db/dash", "/api/dashboards/db/:slug", role, func(sc *scenarioContext) {
CallDeleteDashboard(sc)
Convey("Should result in 412 Precondition failed", func() {
So(sc.resp.Code, ShouldEqual, 412)
Make golint happier
2018-03-22 16:13:46 -05:00
result := sc.ToJSON()
dashboards: add validation to delete dashboard by slug Validates that there are only one folder/dashboard having that slug, otherwise returns 412 Precondition Failed
2018-01-31 09:51:06 -06:00
So(result.Get("status").MustString(), ShouldEqual, "multiple-slugs-exists")
So(result.Get("message").MustString(), ShouldEqual, m.ErrDashboardsWithSameSlugExists.Error())
})
})
})
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
Convey("Post dashboard response tests", t, func() {
// This tests that a valid request returns correct response
Convey("Given a correct request for creating a dashboard", func() {
cmd := m.SaveDashboardCommand{
OrgId: 1,
UserId: 5,
Dashboard: simplejson.NewFromAny(map[string]interface{}{
"title": "Dash",
}),
Overwrite: true,
FolderId: 3,
IsFolder: false,
Message: "msg",
}
mock := &dashboards.FakeDashboardService{
SaveDashboardResult: &m.Dashboard{
Id: 2,
Uid: "uid",
Title: "Dash",
Slug: "dash",
Version: 2,
},
}
postDashboardScenario("When calling POST on", "/api/dashboards", "/api/dashboards", mock, cmd, func(sc *scenarioContext) {
CallPostDashboardShouldReturnSuccess(sc)
Convey("It should call dashboard service with correct data", func() {
dto := mock.SavedDashboards[0]
So(dto.OrgId, ShouldEqual, cmd.OrgId)
So(dto.User.UserId, ShouldEqual, cmd.UserId)
So(dto.Dashboard.FolderId, ShouldEqual, 3)
So(dto.Dashboard.Title, ShouldEqual, "Dash")
So(dto.Overwrite, ShouldBeTrue)
So(dto.Message, ShouldEqual, "msg")
})
Convey("It should return correct response data", func() {
Make golint happier
2018-03-22 16:13:46 -05:00
result := sc.ToJSON()
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
So(result.Get("status").MustString(), ShouldEqual, "success")
So(result.Get("id").MustInt64(), ShouldEqual, 2)
So(result.Get("uid").MustString(), ShouldEqual, "uid")
So(result.Get("slug").MustString(), ShouldEqual, "dash")
So(result.Get("url").MustString(), ShouldEqual, "/d/uid/dash")
})
})
})
// This tests that invalid requests returns expected error responses
Convey("Given incorrect requests for creating a dashboard", func() {
testCases := []struct {
SaveError error
ExpectedStatusCode int
}{
{SaveError: m.ErrDashboardNotFound, ExpectedStatusCode: 404},
{SaveError: m.ErrFolderNotFound, ExpectedStatusCode: 400},
{SaveError: m.ErrDashboardWithSameUIDExists, ExpectedStatusCode: 400},
{SaveError: m.ErrDashboardWithSameNameInFolderExists, ExpectedStatusCode: 412},
{SaveError: m.ErrDashboardVersionMismatch, ExpectedStatusCode: 412},
{SaveError: m.ErrDashboardTitleEmpty, ExpectedStatusCode: 400},
{SaveError: m.ErrDashboardFolderCannotHaveParent, ExpectedStatusCode: 400},
alerting: propagate alert validation issues to the user instead of just 'invalid alert data' message
2018-10-13 00:53:28 -05:00
{SaveError: alerting.ValidationError{Reason: "Mu"}, ExpectedStatusCode: 422},
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
{SaveError: m.ErrDashboardFailedGenerateUniqueUid, ExpectedStatusCode: 500},
{SaveError: m.ErrDashboardTypeMismatch, ExpectedStatusCode: 400},
{SaveError: m.ErrDashboardFolderWithSameNameAsDashboard, ExpectedStatusCode: 400},
{SaveError: m.ErrDashboardWithSameNameAsFolder, ExpectedStatusCode: 400},
{SaveError: m.ErrDashboardFolderNameExists, ExpectedStatusCode: 400},
{SaveError: m.ErrDashboardUpdateAccessDenied, ExpectedStatusCode: 403},
{SaveError: m.ErrDashboardInvalidUid, ExpectedStatusCode: 400},
{SaveError: m.ErrDashboardUidToLong, ExpectedStatusCode: 400},
dashboards: reject updates of provisioned dashboards
2018-03-27 08:12:47 -05:00
{SaveError: m.ErrDashboardCannotSaveProvisionedDashboard, ExpectedStatusCode: 400},
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
{SaveError: m.UpdatePluginDashboardError{PluginId: "plug"}, ExpectedStatusCode: 412},
}
cmd := m.SaveDashboardCommand{
OrgId: 1,
Dashboard: simplejson.NewFromAny(map[string]interface{}{
"title": "",
}),
}
for _, tc := range testCases {
mock := &dashboards.FakeDashboardService{
SaveDashboardError: tc.SaveError,
}
postDashboardScenario(fmt.Sprintf("Expect '%s' error when calling POST on", tc.SaveError.Error()), "/api/dashboards", "/api/dashboards", mock, cmd, func(sc *scenarioContext) {
CallPostDashboard(sc)
So(sc.resp.Code, ShouldEqual, tc.ExpectedStatusCode)
})
}
})
})
dashboard: add permission check for diff api route ref #10770
2018-02-27 10:53:30 -06:00
Convey("Given two dashboards being compared", t, func() {
mockResult := []*m.DashboardAclInfoDTO{}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = mockResult
return nil
})
provisioning: simplify db query the GetProvisionedDashboardQuery wasent used for anything else than check if a dashboard is provisioned or not. So we simplified this query to make it more maintainable.
2018-04-10 05:30:37 -05:00
bus.AddHandler("test", func(query *m.IsDashboardProvisionedQuery) error {
query.Result = false
provisioning: fixes broken tests
2018-04-10 03:48:10 -05:00
return nil
})
dashboard: add permission check for diff api route ref #10770
2018-02-27 10:53:30 -06:00
bus.AddHandler("test", func(query *m.GetDashboardVersionQuery) error {
query.Result = &m.DashboardVersion{
Data: simplejson.NewFromAny(map[string]interface{}{
"title": "Dash" + string(query.DashboardId),
}),
}
return nil
})
cmd := dtos.CalculateDiffOptions{
Base: dtos.CalculateDiffTarget{
DashboardId: 1,
Version: 1,
},
New: dtos.CalculateDiffTarget{
DashboardId: 2,
Version: 2,
},
DiffType: "basic",
}
Convey("when user does not have permission", func() {
role := m.ROLE_VIEWER
postDiffScenario("When calling POST on", "/api/dashboards/calculate-diff", "/api/dashboards/calculate-diff", cmd, role, func(sc *scenarioContext) {
CallPostDashboard(sc)
So(sc.resp.Code, ShouldEqual, 403)
})
})
Convey("when user does have permission", func() {
role := m.ROLE_ADMIN
postDiffScenario("When calling POST on", "/api/dashboards/calculate-diff", "/api/dashboards/calculate-diff", cmd, role, func(sc *scenarioContext) {
CallPostDashboard(sc)
So(sc.resp.Code, ShouldEqual, 200)
})
})
})
WIP: add permission check for GetDashboard
2017-06-12 08:48:55 -05:00
}
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
func GetDashboardShouldReturn200(sc *scenarioContext) dtos.DashboardFullWithMeta {
WIP: folder api. #10630
2018-01-29 06:51:01 -06:00
CallGetDashboard(sc)
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
So(sc.resp.Code, ShouldEqual, 200)
dash := dtos.DashboardFullWithMeta{}
err := json.NewDecoder(sc.resp.Body).Decode(&dash)
So(err, ShouldBeNil)
return dash
}
WIP: folder api. #10630
2018-01-29 06:51:01 -06:00
func CallGetDashboard(sc *scenarioContext) {
sc.handlerFunc = GetDashboard
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
}
WIP: permission checking for dash version api methods
2017-06-13 17:28:34 -05:00
func CallGetDashboardVersion(sc *scenarioContext) {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
bus.AddHandler("test", func(query *m.GetDashboardVersionQuery) error {
query.Result = &m.DashboardVersion{}
WIP: permission checking for dash version api methods
2017-06-13 17:28:34 -05:00
return nil
})
sc.handlerFunc = GetDashboardVersion
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
}
func CallGetDashboardVersions(sc *scenarioContext) {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
bus.AddHandler("test", func(query *m.GetDashboardVersionsQuery) error {
query.Result = []*m.DashboardVersionDTO{}
WIP: permission checking for dash version api methods
2017-06-13 17:28:34 -05:00
return nil
})
sc.handlerFunc = GetDashboardVersions
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
}
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
func CallDeleteDashboard(sc *scenarioContext) {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
bus.AddHandler("test", func(cmd *m.DeleteDashboardCommand) error {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
return nil
})
sc.handlerFunc = DeleteDashboard
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
}
Make golint happier
2018-03-22 06:37:35 -05:00
func CallDeleteDashboardByUID(sc *scenarioContext) {
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
bus.AddHandler("test", func(cmd *m.DeleteDashboardCommand) error {
return nil
})
Make golint happier
2018-03-22 06:37:35 -05:00
sc.handlerFunc = DeleteDashboardByUID
dashboards: new route for deleting dashboards by uid
2018-01-31 09:46:31 -06:00
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
}
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
func CallPostDashboard(sc *scenarioContext) {
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
}
dashboards: return url in response to save dashboard. #7883
2018-01-30 16:37:54 -06:00
func CallPostDashboardShouldReturnSuccess(sc *scenarioContext) {
CallPostDashboard(sc)
So(sc.resp.Code, ShouldEqual, 200)
}
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
func postDashboardScenario(desc string, url string, routePattern string, mock *dashboards.FakeDashboardService, cmd m.SaveDashboardCommand, fn scenarioFunc) {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
Convey(desc+" "+url, func() {
defer bus.ClearBusHandlers()
api: extract api test code to common_test.go
2018-01-30 06:17:48 -06:00
sc := setupScenarioContext(url)
test: fixed usage of wrap in tests.
2018-07-02 10:13:59 -05:00
sc.defaultHandler = Wrap(func(c *m.ReqContext) Response {
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
sc.context = c
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
sc.context.SignedInUser = &m.SignedInUser{OrgId: cmd.OrgId, UserId: cmd.UserId}
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
return PostDashboard(c, cmd)
})
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
origNewDashboardService := dashboards.NewService
dashboards.MockDashboardService(mock)
fix: fixed dashboard api tests
2017-12-12 09:15:24 -06:00
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
sc.m.Post(routePattern, sc.defaultHandler)
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
defer func() {
dashboards.NewService = origNewDashboardService
}()
WIP: check permissions for delete/post dashboard
2017-06-12 16:05:32 -05:00
fn(sc)
})
}
dashboards: return uid in response to creating/updating a dashboard. #7883
2018-01-29 12:27:53 -06:00
dashboard: add permission check for diff api route ref #10770
2018-02-27 10:53:30 -06:00
func postDiffScenario(desc string, url string, routePattern string, cmd dtos.CalculateDiffOptions, role m.RoleType, fn scenarioFunc) {
Convey(desc+" "+url, func() {
defer bus.ClearBusHandlers()
sc := setupScenarioContext(url)
test: fixed usage of wrap in tests.
2018-07-02 10:13:59 -05:00
sc.defaultHandler = Wrap(func(c *m.ReqContext) Response {
dashboard: add permission check for diff api route ref #10770
2018-02-27 10:53:30 -06:00
sc.context = c
sc.context.SignedInUser = &m.SignedInUser{
OrgId: TestOrgID,
UserId: TestUserID,
}
sc.context.OrgRole = role
return CalculateDashboardDiff(c, cmd)
})
sc.m.Post(routePattern, sc.defaultHandler)
fn(sc)
})
}
Make golint happier
2018-03-22 16:13:46 -05:00
func (sc *scenarioContext) ToJSON() *simplejson.Json {
dashboards: return uid in response to creating/updating a dashboard. #7883
2018-01-29 12:27:53 -06:00
var result *simplejson.Json
err := json.NewDecoder(sc.resp.Body).Decode(&result)
So(err, ShouldBeNil)
return result
}
Reference in New Issue Copy Permalink