2017-04-27 15:36:27 -05:00
|
|
|
package guardian
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
|
|
|
m "github.com/grafana/grafana/pkg/models"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// RemoveRestrictedDashboards filters out dashboards from the list that the user does have access to
|
|
|
|
|
func RemoveRestrictedDashboards(dashList []int64, orgId int64, userId int64) ([]int64, error) {
|
|
|
|
|
user, err := getUser(userId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if user.IsGrafanaAdmin || user.OrgRole == m.ROLE_ADMIN {
|
|
|
|
|
return dashList, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
filteredList, err := getAllowedDashboards(dashList, orgId, userId)
|
|
|
|
|
|
|
|
|
|
return filteredList, err
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-08 08:35:34 -05:00
|
|
|
// CanViewAcl determines if a user has permission to view a dashboard's ACL
|
|
|
|
|
func CanViewAcl(dashboardId int64, role m.RoleType, isGrafanaAdmin bool, orgId int64, userId int64) (bool, error) {
|
|
|
|
|
if role == m.ROLE_ADMIN || isGrafanaAdmin {
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
filteredList, err := getAllowedDashboards([]int64{dashboardId}, orgId, userId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-22 03:36:47 -05:00
|
|
|
if len(filteredList) > 0 && filteredList[0] == dashboardId {
|
2017-05-08 08:35:34 -05:00
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-22 03:36:47 -05:00
|
|
|
// CanDeleteFromAcl determines if a user has permission to delete from a dashboard's ACL
|
|
|
|
|
func CanDeleteFromAcl(dashboardId int64, role m.RoleType, isGrafanaAdmin bool, orgId int64, userId int64) (bool, error) {
|
|
|
|
|
if role == m.ROLE_ADMIN || isGrafanaAdmin {
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
permissions, err := getDashboardPermissions(dashboardId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(permissions) == 0 {
|
|
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userGroups, err := getUserGroupsByUser(userId)
|
|
|
|
|
|
|
|
|
|
for _, p := range permissions {
|
2017-06-08 03:39:17 -05:00
|
|
|
if p.UserId == userId && p.PermissionType == m.PERMISSION_EDIT {
|
2017-05-22 03:36:47 -05:00
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, ug := range userGroups {
|
2017-06-08 03:39:17 -05:00
|
|
|
if ug.Id == p.UserGroupId && p.PermissionType == m.PERMISSION_EDIT {
|
2017-05-22 03:36:47 -05:00
|
|
|
return true, nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false, nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-27 15:36:27 -05:00
|
|
|
func getUser(userId int64) (*m.SignedInUser, error) {
|
|
|
|
|
query := m.GetSignedInUserQuery{UserId: userId}
|
|
|
|
|
err := bus.Dispatch(&query)
|
|
|
|
|
|
|
|
|
|
return query.Result, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getAllowedDashboards(dashList []int64, orgId int64, userId int64) ([]int64, error) {
|
|
|
|
|
query := m.GetAllowedDashboardsQuery{UserId: userId, OrgId: orgId, DashList: dashList}
|
|
|
|
|
err := bus.Dispatch(&query)
|
|
|
|
|
|
|
|
|
|
return query.Result, err
|
|
|
|
|
}
|
2017-05-22 03:36:47 -05:00
|
|
|
|
|
|
|
|
func getDashboardPermissions(dashboardId int64) ([]*m.DashboardAclInfoDTO, error) {
|
|
|
|
|
query := m.GetDashboardPermissionsQuery{DashboardId: dashboardId}
|
|
|
|
|
err := bus.Dispatch(&query)
|
|
|
|
|
|
|
|
|
|
return query.Result, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getUserGroupsByUser(userId int64) ([]*m.UserGroup, error) {
|
|
|
|
|
query := m.GetUserGroupsByUserQuery{UserId: userId}
|
|
|
|
|
err := bus.Dispatch(&query)
|
|
|
|
|
|
|
|
|
|
return query.Result, err
|
|
|
|
|
}
|
