package libraryelements
import (
"context"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/auth/identity"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/guardian"
"github.com/grafana/grafana/pkg/services/libraryelements/model"
"github.com/grafana/grafana/pkg/services/org"
)
// isGeneralFolder reports whether folderID is 0, the numeric ID that the
// permission checks in this file treat as the General folder.
func isGeneralFolder(folderID int64) bool {
	// Named locally so the comparison documents itself; the value is unchanged.
	const generalFolderID int64 = 0
	return folderID == generalFolderID
}
// isUIDGeneralFolder reports whether folderUID is exactly
// accesscontrol.GeneralFolderUID. The match is an exact string comparison:
// no trimming or case folding is applied to folderUID.
func isUIDGeneralFolder(folderUID string) bool {
	return accesscontrol.GeneralFolderUID == folderUID
}
// requireSupportedElementKind validates a caller-supplied element kind against
// an allowlist. It returns nil for model.PanelElement and
// model.VariableElement, and model.ErrLibraryElementUnSupportedElementKind for
// every other value.
func (l *LibraryElementService) requireSupportedElementKind(kindAsInt int64) error {
	// Allowlist, not denylist: a kind added to the model later stays rejected
	// until it is listed here explicitly.
	switch model.LibraryElementKind(kindAsInt) {
	case model.PanelElement, model.VariableElement:
		return nil
	}
	return model.ErrLibraryElementUnSupportedElementKind
}
// requireEditPermissionsOnFolder decides whether user may edit content in the
// folder identified by folderID.
//
// It returns nil only when the General-folder editor shortcut applies or when
// the guardian's CanEdit reports true. It returns
// dashboards.ErrFolderAccessDenied when access is refused, and passes through
// any error from building or querying the guardian, so an indeterminate check
// never yields nil.
func (l *LibraryElementService) requireEditPermissionsOnFolder(ctx context.Context, user identity.Requester, folderID int64) error {
	// TODO remove these special cases and handle General folder case in access control guardian
	//
	// For the General folder the decision below is made from the org role
	// alone; the guardian is not consulted on either of these two branches.
	if isGeneralFolder(folderID) {
		switch {
		case user.HasRole(org.RoleEditor):
			return nil
		// NOTE(review): the Editor case must stay first if HasRole also accepts
		// higher roles for a lower one - not visible here, confirm against
		// identity.Requester before reordering.
		case user.HasRole(org.RoleViewer):
			return dashboards.ErrFolderAccessDenied
		}
		// Neither role matched: fall through to the guardian check.
	}

	folderGuard, err := guardian.New(ctx, folderID, user.GetOrgID(), user)
	if err != nil {
		return err
	}

	allowed, err := folderGuard.CanEdit()
	switch {
	case err != nil:
		// A failed permission lookup is reported, never treated as a grant.
		return err
	case !allowed:
		return dashboards.ErrFolderAccessDenied
	}

	return nil
}
// requireViewPermissionsOnFolder decides whether user may view content in the
// folder identified by folderID.
//
// It returns nil only when the General-folder viewer shortcut applies or when
// the guardian's CanView reports true. It returns
// dashboards.ErrFolderAccessDenied when access is refused, and passes through
// any error from building or querying the guardian.
func (l *LibraryElementService) requireViewPermissionsOnFolder(ctx context.Context, user identity.Requester, folderID int64) error {
	// General-folder shortcut: the org role alone grants view access and the
	// guardian is skipped. A caller for whom HasRole(org.RoleViewer) is false
	// still goes through the guardian below.
	if isGeneralFolder(folderID) {
		if user.HasRole(org.RoleViewer) {
			return nil
		}
	}

	folderGuard, err := guardian.New(ctx, folderID, user.GetOrgID(), user)
	if err != nil {
		return err
	}

	visible, err := folderGuard.CanView()
	if err != nil {
		// A failed permission lookup is reported, never treated as a grant.
		return err
	}
	if visible {
		return nil
	}

	return dashboards.ErrFolderAccessDenied
}