IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-16 18:34:52 -06:00
Code Issues Packages Projects Releases Wiki Activity
84d034c688
grafana/pkg/services/guardian/guardian_test.go

712 lines
25 KiB
Go
Raw Normal View History

dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
package guardian
import (
"fmt"
"testing"
"github.com/grafana/grafana/pkg/bus"
m "github.com/grafana/grafana/pkg/models"
. "github.com/smartystreets/goconvey/convey"
)
func TestGuardian(t *testing.T) {
Convey("Guardian permission tests", t, func() {
orgRoleScenario("Given user has admin org role", m.ROLE_ADMIN, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeTrue)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
Convey("When trying to update permissions", func() {
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
Convey("With duplicate user permissions should return error", func() {
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_VIEW},
{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_ADMIN},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianPermissionExists)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
Convey("With duplicate team permissions should return error", func() {
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 1, TeamId: 1, Permission: m.PERMISSION_VIEW},
{OrgId: 1, DashboardId: 1, TeamId: 1, Permission: m.PERMISSION_ADMIN},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianPermissionExists)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
Convey("With duplicate everyone with editor role permission should return error", func() {
r := m.ROLE_EDITOR
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
p := []*m.DashboardAcl{
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_VIEW},
{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_ADMIN},
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianPermissionExists)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
Convey("With duplicate everyone with viewer role permission should return error", func() {
r := m.ROLE_VIEWER
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_VIEW},
{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_ADMIN},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(err, ShouldEqual, ErrGuardianPermissionExists)
})
Convey("With everyone with admin role permission should return error", func() {
r := m.ROLE_ADMIN
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_ADMIN},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(err, ShouldEqual, ErrGuardianPermissionExists)
})
})
Convey("Given default permissions", func() {
editor := m.ROLE_EDITOR
viewer := m.ROLE_VIEWER
existingPermissions := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: -1, Role: &editor, Permission: m.PERMISSION_EDIT},
{OrgId: 1, DashboardId: -1, Role: &viewer, Permission: m.PERMISSION_VIEW},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = existingPermissions
return nil
})
Convey("When trying to update dashboard permissions without everyone with role editor can edit should be allowed", func() {
r := m.ROLE_VIEWER
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_VIEW},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions without everyone with role viewer can view should be allowed", func() {
r := m.ROLE_EDITOR
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_EDIT},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
Convey("Given parent folder has user admin permission", func() {
existingPermissions := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_ADMIN},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = existingPermissions
return nil
})
Convey("When trying to update dashboard permissions with admin user permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_ADMIN},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
Convey("When trying to update dashboard permissions with edit user permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_EDIT},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
Convey("When trying to update dashboard permissions with view user permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_VIEW},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
})
Convey("Given parent folder has user edit permission", func() {
existingPermissions := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_EDIT},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = existingPermissions
return nil
})
Convey("When trying to update dashboard permissions with admin user permission should be allowed", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_ADMIN},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions with edit user permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_EDIT},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
Convey("When trying to update dashboard permissions with view user permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_VIEW},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
})
Convey("Given parent folder has user view permission", func() {
existingPermissions := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_VIEW},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = existingPermissions
return nil
})
Convey("When trying to update dashboard permissions with admin user permission should be allowed", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_ADMIN},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions with edit user permission should be allowed", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_EDIT},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions with view user permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_VIEW},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
})
Convey("Given parent folder has team admin permission", func() {
existingPermissions := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 2, TeamId: 1, Permission: m.PERMISSION_ADMIN},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = existingPermissions
return nil
})
Convey("When trying to update dashboard permissions with admin team permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_ADMIN},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
Convey("When trying to update dashboard permissions with edit team permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_EDIT},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
Convey("When trying to update dashboard permissions with view team permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_VIEW},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
})
Convey("Given parent folder has team edit permission", func() {
existingPermissions := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 2, TeamId: 1, Permission: m.PERMISSION_EDIT},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = existingPermissions
return nil
})
Convey("When trying to update dashboard permissions with admin team permission should be allowed", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_ADMIN},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions with edit team permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_EDIT},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
Convey("When trying to update dashboard permissions with view team permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_VIEW},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
})
Convey("Given parent folder has team view permission", func() {
existingPermissions := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 2, TeamId: 1, Permission: m.PERMISSION_VIEW},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = existingPermissions
return nil
})
Convey("When trying to update dashboard permissions with admin team permission should be allowed", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_ADMIN},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions with edit team permission should be allowed", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_EDIT},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions with view team permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_VIEW},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
})
Convey("Given parent folder has editor role with edit permission", func() {
r := m.ROLE_EDITOR
existingPermissions := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 2, Role: &r, Permission: m.PERMISSION_EDIT},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = existingPermissions
return nil
})
Convey("When trying to update dashboard permissions with everyone with editor role can admin permission should be allowed", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_ADMIN},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions with everyone with editor role can edit permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_EDIT},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
Convey("When trying to update dashboard permissions with everyone with editor role can view permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_VIEW},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
})
Convey("Given parent folder has editor role with view permission", func() {
r := m.ROLE_EDITOR
existingPermissions := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 2, Role: &r, Permission: m.PERMISSION_VIEW},
}
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = existingPermissions
return nil
})
Convey("When trying to update dashboard permissions with everyone with viewer role can admin permission should be allowed", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_ADMIN},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions with everyone with viewer role can edit permission should be allowed", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_EDIT},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeTrue)
})
Convey("When trying to update dashboard permissions with everyone with viewer role can view permission should return error", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_VIEW},
}
_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
So(err, ShouldEqual, ErrGuardianOverride)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
})
})
})
orgRoleScenario("Given user has editor org role", m.ROLE_EDITOR, func(sc *scenarioContext) {
everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeTrue)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeTrue)
})
everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeFalse)
})
everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeFalse)
})
everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeFalse)
})
userWithPermissionScenario(m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeTrue)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
userWithPermissionScenario(m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
userWithPermissionScenario(m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeTrue)
})
teamWithPermissionScenario(m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeTrue)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
teamWithPermissionScenario(m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
teamWithPermissionScenario(m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeTrue)
})
Convey("When trying to update permissions should return false", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_VIEW},
{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_ADMIN},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeFalse)
})
})
orgRoleScenario("Given user has viewer org role", m.ROLE_VIEWER, func(sc *scenarioContext) {
everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeFalse)
})
everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeFalse)
})
everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeFalse)
})
everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeTrue)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeTrue)
})
userWithPermissionScenario(m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeTrue)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
userWithPermissionScenario(m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeTrue)
So(canSave, ShouldBeTrue)
So(canView, ShouldBeTrue)
})
userWithPermissionScenario(m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
canAdmin, _ := sc.g.CanAdmin()
canEdit, _ := sc.g.CanEdit()
canSave, _ := sc.g.CanSave()
canView, _ := sc.g.CanView()
So(canAdmin, ShouldBeFalse)
So(canEdit, ShouldBeFalse)
So(canSave, ShouldBeFalse)
So(canView, ShouldBeTrue)
})
Convey("When trying to update permissions should return false", func() {
p := []*m.DashboardAcl{
{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_VIEW},
{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_ADMIN},
}
ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
So(ok, ShouldBeFalse)
})
})
})
}
type scenarioContext struct {
g DashboardGuardian
}
type scenarioFunc func(c *scenarioContext)
func orgRoleScenario(desc string, role m.RoleType, fn scenarioFunc) {
user := &m.SignedInUser{
UserId: 1,
OrgId: 1,
OrgRole: role,
}
guard := New(1, 1, user)
sc := &scenarioContext{
g: guard,
}
Convey(desc, func() {
fn(sc)
})
}
func permissionScenario(desc string, sc *scenarioContext, permissions []*m.DashboardAclInfoDTO, fn scenarioFunc) {
bus.ClearBusHandlers()
bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
query.Result = permissions
return nil
})
teams := []*m.Team{}
for _, p := range permissions {
if p.TeamId > 0 {
teams = append(teams, &m.Team{Id: p.TeamId})
}
}
bus.AddHandler("test", func(query *m.GetTeamsByUserQuery) error {
query.Result = teams
return nil
})
Convey(desc, func() {
fn(sc)
})
}
func userWithPermissionScenario(permission m.PermissionType, sc *scenarioContext, fn scenarioFunc) {
p := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 1, UserId: 1, Permission: permission},
}
permissionScenario(fmt.Sprintf("and user has permission to %s item", permission), sc, p, fn)
}
func teamWithPermissionScenario(permission m.PermissionType, sc *scenarioContext, fn scenarioFunc) {
p := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 1, TeamId: 1, Permission: permission},
}
permissionScenario(fmt.Sprintf("and team has permission to %s item", permission), sc, p, fn)
}
func everyoneWithRoleScenario(role m.RoleType, permission m.PermissionType, sc *scenarioContext, fn scenarioFunc) {
p := []*m.DashboardAclInfoDTO{
{OrgId: 1, DashboardId: 1, UserId: -1, Role: &role, Permission: permission},
}
permissionScenario(fmt.Sprintf("and everyone with %s role can %s item", role, permission), sc, p, fn)
}
Reference in New Issue Copy Permalink