grafana/pkg/services/guardian/guardian.go

package guardian

import (
	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/log"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
)

type DashboardGuardian struct {
	user   *m.SignedInUser
	dashId int64
	orgId  int64
	acl    []*m.DashboardAclInfoDTO
	groups []*m.Team
	log    log.Logger
}

func NewDashboardGuardian(dashId int64, orgId int64, user *m.SignedInUser) *DashboardGuardian {
	return &DashboardGuardian{
		user:   user,
		dashId: dashId,
		orgId:  orgId,
		log:    log.New("guardians.dashboard"),
	}
}

func (g *DashboardGuardian) CanSave() (bool, error) {
	return g.HasPermission(m.PERMISSION_EDIT)
}

func (g *DashboardGuardian) CanEdit() (bool, error) {
	if setting.ViewersCanEdit {
		return g.HasPermission(m.PERMISSION_VIEW)
	}

	return g.HasPermission(m.PERMISSION_EDIT)
}

func (g *DashboardGuardian) CanView() (bool, error) {
	return g.HasPermission(m.PERMISSION_VIEW)
}

func (g *DashboardGuardian) CanAdmin() (bool, error) {
	return g.HasPermission(m.PERMISSION_ADMIN)
}

func (g *DashboardGuardian) HasPermission(permission m.PermissionType) (bool, error) {
	if g.user.OrgRole == m.ROLE_ADMIN {
		return true, nil
	}

	acl, err := g.GetAcl()
	if err != nil {
		return false, err
	}

	return g.checkAcl(permission, acl)
}

func (g *DashboardGuardian) checkAcl(permission m.PermissionType, acl []*m.DashboardAclInfoDTO) (bool, error) {
	orgRole := g.user.OrgRole
	teamAclItems := []*m.DashboardAclInfoDTO{}

	for _, p := range acl {
		// user match
		if !g.user.IsAnonymous {
			if p.UserId == g.user.UserId && p.Permission >= permission {
				return true, nil
			}
		}

		// role match
		if p.Role != nil {
			if *p.Role == orgRole && p.Permission >= permission {
				return true, nil
			}
		}

		// remember this rule for later
		if p.TeamId > 0 {
			teamAclItems = append(teamAclItems, p)
		}
	}

	// do we have team rules?
	if len(teamAclItems) == 0 {
		return false, nil
	}

	// load teams
	teams, err := g.getTeams()
	if err != nil {
		return false, err
	}

	// evalute team rules
	for _, p := range acl {
		for _, ug := range teams {
			if ug.Id == p.TeamId && p.Permission >= permission {
				return true, nil
			}
		}
	}

	return false, nil
}

func (g *DashboardGuardian) CheckPermissionBeforeRemove(permission m.PermissionType, aclIdToRemove int64) (bool, error) {
	if g.user.OrgRole == m.ROLE_ADMIN {
		return true, nil
	}

	acl, err := g.GetAcl()
	if err != nil {
		return false, err
	}

	for i, p := range acl {
		if p.Id == aclIdToRemove {
			acl = append(acl[:i], acl[i+1:]...)
			break
		}
	}

	return g.checkAcl(permission, acl)
}

func (g *DashboardGuardian) CheckPermissionBeforeUpdate(permission m.PermissionType, updatePermissions []*m.DashboardAcl) (bool, error) {
	if g.user.OrgRole == m.ROLE_ADMIN {
		return true, nil
	}

	acl := []*m.DashboardAclInfoDTO{}

	for _, p := range updatePermissions {
		acl = append(acl, &m.DashboardAclInfoDTO{UserId: p.UserId, TeamId: p.TeamId, Role: p.Role, Permission: p.Permission})
	}

	return g.checkAcl(permission, acl)
}

// GetAcl returns dashboard acl
func (g *DashboardGuardian) GetAcl() ([]*m.DashboardAclInfoDTO, error) {
	if g.acl != nil {
		return g.acl, nil
	}

	query := m.GetDashboardAclInfoListQuery{DashboardId: g.dashId, OrgId: g.orgId}
	if err := bus.Dispatch(&query); err != nil {
		return nil, err
	}

	g.acl = query.Result
	return g.acl, nil
}

func (g *DashboardGuardian) getTeams() ([]*m.Team, error) {
	if g.groups != nil {
		return g.groups, nil
	}

	query := m.GetTeamsByUserQuery{OrgId: g.orgId, UserId: g.user.UserId}
	err := bus.Dispatch(&query)

	g.groups = query.Result
	return query.Result, err
}
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`package guardian`

			`import (`
			`"github.com/grafana/grafana/pkg/bus"`
dashboard guardian refactoring starting to work 2017-06-19 12:47:44 -05:00			`"github.com/grafana/grafana/pkg/log"`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`m "github.com/grafana/grafana/pkg/models"`
fix: viewers can edit now works correctly 2017-12-15 07:19:49 -06:00			`"github.com/grafana/grafana/pkg/setting"`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`)`

			`type DashboardGuardian struct {`
refactoring dashboad folder acl checks 2017-06-19 10:54:37 -05:00			`user *m.SignedInUser`
			`dashId int64`
			`orgId int64`
acl fixes 2017-06-22 16:10:43 -05:00			`acl []*m.DashboardAclInfoDTO`
refactor: rename User Groups to Teams 2017-12-08 09:25:45 -06:00			`groups []*m.Team`
dashboard guardian refactoring starting to work 2017-06-19 12:47:44 -05:00			`log log.Logger`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`}`

refactoring dashboad folder acl checks 2017-06-19 10:54:37 -05:00			`func NewDashboardGuardian(dashId int64, orgId int64, user m.SignedInUser) DashboardGuardian {`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`return &DashboardGuardian{`
refactoring dashboad folder acl checks 2017-06-19 10:54:37 -05:00			`user: user,`
			`dashId: dashId,`
			`orgId: orgId,`
dashboard guardian refactoring starting to work 2017-06-19 12:47:44 -05:00			`log: log.New("guardians.dashboard"),`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`}`
			`}`

			`func (g *DashboardGuardian) CanSave() (bool, error) {`
dashboard acl stuff 2017-06-21 18:23:24 -05:00			`return g.HasPermission(m.PERMISSION_EDIT)`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`}`

			`func (g *DashboardGuardian) CanEdit() (bool, error) {`
fix: viewers can edit now works correctly 2017-12-15 07:19:49 -06:00			`if setting.ViewersCanEdit {`
			`return g.HasPermission(m.PERMISSION_VIEW)`
			`}`

dashboard acl stuff 2017-06-21 18:23:24 -05:00			`return g.HasPermission(m.PERMISSION_EDIT)`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`}`

			`func (g *DashboardGuardian) CanView() (bool, error) {`
dashboard acl stuff 2017-06-21 18:23:24 -05:00			`return g.HasPermission(m.PERMISSION_VIEW)`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`}`

dashfolders: new admin permission needed to view/change acl 2017-06-22 16:01:04 -05:00			`func (g *DashboardGuardian) CanAdmin() (bool, error) {`
			`return g.HasPermission(m.PERMISSION_ADMIN)`
			`}`

dashboard acl stuff 2017-06-21 18:23:24 -05:00			`func (g *DashboardGuardian) HasPermission(permission m.PermissionType) (bool, error) {`
dashboard guardian refactoring starting to work 2017-06-19 12:47:44 -05:00			`if g.user.OrgRole == m.ROLE_ADMIN {`
			`return true, nil`
			`}`

acl fixes 2017-06-22 16:10:43 -05:00			`acl, err := g.GetAcl()`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`if err != nil {`
			`return false, err`
			`}`

dashfolders: stop user locking themselves out of a folder 2018-01-18 07:30:04 -06:00			`return g.checkAcl(permission, acl)`
			`}`

			`func (g DashboardGuardian) checkAcl(permission m.PermissionType, acl []m.DashboardAclInfoDTO) (bool, error) {`
dashboard acl fixes 2017-06-22 16:43:55 -05:00			`orgRole := g.user.OrgRole`
refactor: rename User Groups to Teams 2017-12-08 09:25:45 -06:00			`teamAclItems := []*m.DashboardAclInfoDTO{}`
dashboard acl fixes 2017-06-22 16:43:55 -05:00
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`for _, p := range acl {`
dashboard acl fixes 2017-06-22 16:43:55 -05:00			`// user match`
fix: viewers can edit now works correctly 2017-12-15 07:19:49 -06:00			`if !g.user.IsAnonymous {`
			`if p.UserId == g.user.UserId && p.Permission >= permission {`
			`return true, nil`
			`}`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`}`

dashboard acl fixes 2017-06-22 16:43:55 -05:00			`// role match`
			`if p.Role != nil {`
			`if *p.Role == orgRole && p.Permission >= permission {`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`return true, nil`
			`}`
			`}`
dashboard acl stuff 2017-06-21 18:23:24 -05:00
dashboard acl fixes 2017-06-22 16:43:55 -05:00			`// remember this rule for later`
refactor: rename User Groups to Teams 2017-12-08 09:25:45 -06:00			`if p.TeamId > 0 {`
			`teamAclItems = append(teamAclItems, p)`
dashboard acl fixes 2017-06-22 16:43:55 -05:00			`}`
			`}`

dashfolders: select with description for permissions The dropdown for selecting permission is a new component built on react-select that includes a description for the permission for every option in the select. 2018-01-29 06:56:12 -06:00			`// do we have team rules?`
refactor: rename User Groups to Teams 2017-12-08 09:25:45 -06:00			`if len(teamAclItems) == 0 {`
dashboard acl fixes 2017-06-22 16:43:55 -05:00			`return false, nil`
			`}`

dashfolders: select with description for permissions The dropdown for selecting permission is a new component built on react-select that includes a description for the permission for every option in the select. 2018-01-29 06:56:12 -06:00			`// load teams`
refactor: rename User Groups to Teams 2017-12-08 09:25:45 -06:00			`teams, err := g.getTeams()`
dashboard acl fixes 2017-06-22 16:43:55 -05:00			`if err != nil {`
			`return false, err`
			`}`

dashfolders: select with description for permissions The dropdown for selecting permission is a new component built on react-select that includes a description for the permission for every option in the select. 2018-01-29 06:56:12 -06:00			`// evalute team rules`
dashboard acl fixes 2017-06-22 16:43:55 -05:00			`for _, p := range acl {`
refactor: rename User Groups to Teams 2017-12-08 09:25:45 -06:00			`for _, ug := range teams {`
			`if ug.Id == p.TeamId && p.Permission >= permission {`
dashboard acl stuff 2017-06-21 18:23:24 -05:00			`return true, nil`
			`}`
			`}`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`}`

			`return false, nil`
			`}`

dashfolders: stop user locking themselves out of a folder 2018-01-18 07:30:04 -06:00			`func (g *DashboardGuardian) CheckPermissionBeforeRemove(permission m.PermissionType, aclIdToRemove int64) (bool, error) {`
			`if g.user.OrgRole == m.ROLE_ADMIN {`
			`return true, nil`
			`}`

			`acl, err := g.GetAcl()`
			`if err != nil {`
			`return false, err`
			`}`

			`for i, p := range acl {`
			`if p.Id == aclIdToRemove {`
			`acl = append(acl[:i], acl[i+1:]...)`
			`break`
			`}`
			`}`

			`return g.checkAcl(permission, acl)`
			`}`

			`func (g DashboardGuardian) CheckPermissionBeforeUpdate(permission m.PermissionType, updatePermissions []m.DashboardAcl) (bool, error) {`
			`if g.user.OrgRole == m.ROLE_ADMIN {`
			`return true, nil`
			`}`

			`acl := []*m.DashboardAclInfoDTO{}`

			`for _, p := range updatePermissions {`
			`acl = append(acl, &m.DashboardAclInfoDTO{UserId: p.UserId, TeamId: p.TeamId, Role: p.Role, Permission: p.Permission})`
			`}`

			`return g.checkAcl(permission, acl)`
			`}`

dashfolders: select with description for permissions The dropdown for selecting permission is a new component built on react-select that includes a description for the permission for every option in the select. 2018-01-29 06:56:12 -06:00			`// GetAcl returns dashboard acl`
acl fixes 2017-06-22 16:10:43 -05:00			`func (g DashboardGuardian) GetAcl() ([]m.DashboardAclInfoDTO, error) {`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`if g.acl != nil {`
			`return g.acl, nil`
			`}`

acl fixes 2017-06-22 16:10:43 -05:00			`query := m.GetDashboardAclInfoListQuery{DashboardId: g.dashId, OrgId: g.orgId}`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`if err := bus.Dispatch(&query); err != nil {`
			`return nil, err`
			`}`

			`g.acl = query.Result`
			`return g.acl, nil`
			`}`

refactor: rename User Groups to Teams 2017-12-08 09:25:45 -06:00			`func (g DashboardGuardian) getTeams() ([]m.Team, error) {`
refactoring dashboard folder security checks 2017-06-19 14:22:42 -05:00			`if g.groups != nil {`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`return g.groups, nil`
			`}`

teams: use orgId in all team and team member operations (#10862) Also fixes issue in org users tests for postgres 2018-02-09 10:26:15 -06:00			`query := m.GetTeamsByUserQuery{OrgId: g.orgId, UserId: g.user.UserId}`
refactoring: Dashboard guardian 2017-06-16 20:25:24 -05:00			`err := bus.Dispatch(&query)`

			`g.groups = query.Result`
			`return query.Result, err`
			`}`