IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2024-11-29 20:24:18 -06:00
Code Issues Packages Projects Releases Wiki Activity
c104cc7020
grafana/pkg/services/guardian/guardian.go

481 lines
15 KiB
Go
Raw Normal View History

refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
package guardian
import (
Chore: Propagate context for dashboard guardian (#39201) Require guardian.New to take context.Context as first argument. Migrates the GetDashboardAclInfoListQuery to be dispatched using context. Ref #36734 Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: sam boyer <sam.boyer@grafana.com>
2021-09-23 10:43:32 -05:00
"context"
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
"errors"
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible
2022-10-19 08:02:15 -05:00
"github.com/grafana/grafana/pkg/infra/db"
move log package to /infra (#17023) ref #14679 Signed-off-by: zhulongcheng <zhulongcheng.me@gmail.com>
2019-05-13 01:45:54 -05:00
"github.com/grafana/grafana/pkg/infra/log"
chore: avoid aliasing imports in services (#22499)
2020-02-29 06:35:15 -06:00
"github.com/grafana/grafana/pkg/models"
sqlstore split: dashboard permissions (#49962) * backend/sqlstore split: remove unused GetDashboardPermissionsForUser from sqlstore * remove debugging line * backend/sqlstore: move dashboard permission related functions to dashboard service
2022-06-01 13:16:26 -05:00
"github.com/grafana/grafana/pkg/services/dashboards"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
"github.com/grafana/grafana/pkg/services/org"
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-20 11:58:04 -05:00
"github.com/grafana/grafana/pkg/services/team"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
"github.com/grafana/grafana/pkg/services/user"
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
"github.com/grafana/grafana/pkg/setting"
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
"github.com/grafana/grafana/pkg/util/errutil"
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
var (
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
ErrGuardianPermissionExists = errors.New("permission already exists")
ErrGuardianOverride = errors.New("you can only override a permission to be higher")
ErrGuardianGetDashboardFailure = errutil.NewBase(errutil.StatusInternal, "guardian.getDashboardFailure", errutil.WithPublicMessage("Failed to get dashboard"))
ErrGuardianDashboardNotFound = errutil.NewBase(errutil.StatusNotFound, "guardian.dashboardNotFound")
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
)
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
// DashboardGuardian to be used for guard against operations without access on dashboard and acl
type DashboardGuardian interface {
CanSave() (bool, error)
CanEdit() (bool, error)
CanView() (bool, error)
CanAdmin() (bool, error)
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 08:05:47 -06:00
CanDelete() (bool, error)
CanCreate(folderID int64, isFolder bool) (bool, error)
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []*models.DashboardACL) (bool, error)
Permissions: Fix inherited folder permissions can prevent new permissions being added to a dashboard (#33329) In the case permissions has been added on dashboard(s). Later permissions for the parent folder of the dashboard is edited in such a way that dashboard in that folder has a permission that is a duplicate of an inherited one. This PR changes so that duplicate permissions are now filtered out from /api/dashboards/id/<dashboard id>/permissions. Duplicate permission are not filtered out if the permission on dashboard is higher than on the inherited folder. Fixes #33296 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-04-28 07:42:18 -05:00
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
// GetACL returns ACL.
GetACL() ([]*models.DashboardACLInfoDTO, error)
Permissions: Fix inherited folder permissions can prevent new permissions being added to a dashboard (#33329) In the case permissions has been added on dashboard(s). Later permissions for the parent folder of the dashboard is edited in such a way that dashboard in that folder has a permission that is a duplicate of an inherited one. This PR changes so that duplicate permissions are now filtered out from /api/dashboards/id/<dashboard id>/permissions. Duplicate permission are not filtered out if the permission on dashboard is higher than on the inherited folder. Fixes #33296 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-04-28 07:42:18 -05:00
// GetACLWithoutDuplicates returns ACL and strips any permission
// that already has an inherited permission with higher or equal
// permission.
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
GetACLWithoutDuplicates() ([]*models.DashboardACLInfoDTO, error)
GetHiddenACL(*setting.Cfg) ([]*models.DashboardACL, error)
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
}
type dashboardGuardianImpl struct {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
user *user.SignedInUser
sqlstore split: dashboard permissions (#49962) * backend/sqlstore split: remove unused GetDashboardPermissionsForUser from sqlstore * remove debugging line * backend/sqlstore: move dashboard permission related functions to dashboard service
2022-06-01 13:16:26 -05:00
dashId int64
orgId int64
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
acl []*models.DashboardACLInfoDTO
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 07:20:09 -06:00
teams []*team.TeamDTO
sqlstore split: dashboard permissions (#49962) * backend/sqlstore split: remove unused GetDashboardPermissionsForUser from sqlstore * remove debugging line * backend/sqlstore: move dashboard permission related functions to dashboard service
2022-06-01 13:16:26 -05:00
log log.Logger
ctx context.Context
chore: replace sqlstore.Store with db.DB (#57010) * chore: replace sqlstore.SQLStore with db.DB * more post-sqlstore.SQLStore cleanup
2022-10-14 14:33:06 -05:00
store db.DB
sqlstore split: dashboard permissions (#49962) * backend/sqlstore split: remove unused GetDashboardPermissionsForUser from sqlstore * remove debugging line * backend/sqlstore: move dashboard permission related functions to dashboard service
2022-06-01 13:16:26 -05:00
dashboardService dashboards.DashboardService
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-20 11:58:04 -05:00
teamService team.Service
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
// New factory for creating a new dashboard guardian instance
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 08:05:47 -06:00
// When using access control this function is replaced on startup and the AccessControlDashboardGuardian is returned
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
var New = func(ctx context.Context, dashId int64, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
Chore: Remove bus.Dispatch from guardian package (#46711) * replace bus in guardian with sqlstore * fix a couple of tests * replace bus in the rest of the tests * allow init guardian from other packages * make linter happy * init guardian in library elements * fix another test in libraryelements * fix more tests * move guardian mock one level deeper * fix more tests * rename init functions
2022-03-21 04:49:49 -05:00
panic("no guardian factory implementation provided")
}
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
// NewByUID factory for creating a new dashboard guardian instance
// When using access control this function is replaced on startup and the AccessControlDashboardGuardian is returned
var NewByUID = func(ctx context.Context, dashUID string, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
panic("no guardian factory implementation provided")
}
// NewByDashboard factory for creating a new dashboard guardian instance
// When using access control this function is replaced on startup and the AccessControlDashboardGuardian is returned
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
var NewByDashboard = func(ctx context.Context, dash *dashboards.Dashboard, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
panic("no guardian factory implementation provided")
}
// newDashboardGuardian creates a dashboard guardian by the provided dashId.
func newDashboardGuardian(ctx context.Context, dashId int64, orgId int64, user *user.SignedInUser, store db.DB, dashSvc dashboards.DashboardService, teamSvc team.Service) (*dashboardGuardianImpl, error) {
if dashId != 0 {
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
q := &dashboards.GetDashboardQuery{
ID: dashId,
OrgID: orgId,
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
}
if err := dashSvc.GetDashboard(ctx, q); err != nil {
if errors.Is(err, dashboards.ErrDashboardNotFound) {
return nil, ErrGuardianDashboardNotFound.Errorf("failed to get dashboard by UID: %w", err)
}
return nil, ErrGuardianGetDashboardFailure.Errorf("failed to get dashboard by UID: %w", err)
}
}
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
return &dashboardGuardianImpl{
sqlstore split: dashboard permissions (#49962) * backend/sqlstore split: remove unused GetDashboardPermissionsForUser from sqlstore * remove debugging line * backend/sqlstore: move dashboard permission related functions to dashboard service
2022-06-01 13:16:26 -05:00
user: user,
dashId: dashId,
orgId: orgId,
log: log.New("dashboard.permissions"),
ctx: ctx,
store: store,
dashboardService: dashSvc,
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-20 11:58:04 -05:00
teamService: teamSvc,
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
}, nil
}
// newDashboardGuardianByUID creates a dashboard guardian by the provided dashUID.
func newDashboardGuardianByUID(ctx context.Context, dashUID string, orgId int64, user *user.SignedInUser, store db.DB, dashSvc dashboards.DashboardService, teamSvc team.Service) (*dashboardGuardianImpl, error) {
dashID := int64(0)
if dashUID != "" {
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
q := &dashboards.GetDashboardQuery{
UID: dashUID,
OrgID: orgId,
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
}
if err := dashSvc.GetDashboard(ctx, q); err != nil {
if errors.Is(err, dashboards.ErrDashboardNotFound) {
return nil, ErrGuardianDashboardNotFound.Errorf("failed to get dashboard by UID: %w", err)
}
return nil, ErrGuardianGetDashboardFailure.Errorf("failed to get dashboard by UID: %w", err)
}
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
dashID = q.Result.ID
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
return &dashboardGuardianImpl{
user: user,
dashId: dashID,
orgId: orgId,
log: log.New("dashboard.permissions"),
ctx: ctx,
store: store,
dashboardService: dashSvc,
teamService: teamSvc,
}, nil
}
// newDashboardGuardianByDashboard creates a dashboard guardian by the provided dashboard.
// This constructor should be preferred over the other two if the dashboard in available
// since it avoids querying the database for fetching the dashboard.
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
func newDashboardGuardianByDashboard(ctx context.Context, dash *dashboards.Dashboard, orgId int64, user *user.SignedInUser, store db.DB, dashSvc dashboards.DashboardService, teamSvc team.Service) (*dashboardGuardianImpl, error) {
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
return &dashboardGuardianImpl{
user: user,
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
dashId: dash.ID,
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
orgId: orgId,
log: log.New("dashboard.permissions"),
ctx: ctx,
store: store,
dashboardService: dashSvc,
teamService: teamSvc,
}, nil
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
func (g *dashboardGuardianImpl) CanSave() (bool, error) {
chore: avoid aliasing imports in services (#22499)
2020-02-29 06:35:15 -06:00
return g.HasPermission(models.PERMISSION_EDIT)
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
func (g *dashboardGuardianImpl) CanEdit() (bool, error) {
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
if setting.ViewersCanEdit {
chore: avoid aliasing imports in services (#22499)
2020-02-29 06:35:15 -06:00
return g.HasPermission(models.PERMISSION_VIEW)
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
}
chore: avoid aliasing imports in services (#22499)
2020-02-29 06:35:15 -06:00
return g.HasPermission(models.PERMISSION_EDIT)
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
func (g *dashboardGuardianImpl) CanView() (bool, error) {
chore: avoid aliasing imports in services (#22499)
2020-02-29 06:35:15 -06:00
return g.HasPermission(models.PERMISSION_VIEW)
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
Shouldn't be able to overwrite a dashboard if you don't have permissions (#10900) * dashboards: new command for validating dashboard before update Removes validation logic from saveDashboard and later on use the new command for validating dashboard before saving a dashboard. This due to the fact that we need to validate permissions for overwriting other dashboards by uid and title. * dashboards: use the new command for validating dashboard before saving Had to refactor dashboard provisioning a bit to be able to sidetrack the permission validation in a somewhat reasonable way. Adds some initial tests of the dashboard repository, but needs to be extended later. At least now you can mock the dashboard guardian * dashboards: removes validation logic in the save dashboard api layer Use the dashboard repository solely for create/update dashboards and let it do all the validation. One exception regarding quota validation which still is in api layer since that logic is in a macaron middleware. Need to move out-commented api tests later. * dashboards: fix database tests for validate and saving dashboards * dashboards: rename dashboard repository to dashboard service Split the old dashboard repository interface in two new interfaces, IDashboardService and IDashboardProvisioningService. Makes it more explicit when using it from the provisioning package and there's no possibility of calling an incorrect method for saving a dashboard. * database: make the InitTestDB function available to use from other packages * dashboards: rename ValidateDashboardForUpdateCommand and some refactoring * dashboards: integration tests of dashboard service * dashboard: fix sqlstore test due to folder exist validation * dashboards: move dashboard service integration tests to sqlstore package Had to move it to the sqlstore package due to concurrency problems when running against mysql and postgres. Using InitTestDB from two packages added conflicts when clearing and running migrations on the test database * dashboards: refactor how to find id to be used for save permission check * dashboards: remove duplicated dashboard tests * dashboards: cleanup dashboard service integration tests * dashboards: handle save dashboard errors and return correct http status * fix: remove log statement * dashboards: import dashboard should use dashboard service Had to move alerting commands to models package due to problems with import cycles of packages. * dashboards: cleanup dashboard api tests and add some tests for post dashboard * dashboards: rename dashboard service interfaces * dashboards: rename dashboard guardian interface
2018-02-19 04:12:56 -06:00
func (g *dashboardGuardianImpl) CanAdmin() (bool, error) {
chore: avoid aliasing imports in services (#22499)
2020-02-29 06:35:15 -06:00
return g.HasPermission(models.PERMISSION_ADMIN)
dashfolders: new admin permission needed to view/change acl
2017-06-22 16:01:04 -05:00
}
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 08:05:47 -06:00
func (g *dashboardGuardianImpl) CanDelete() (bool, error) {
// when using dashboard guardian without access control a user can delete a dashboard if they can save it
return g.CanSave()
}
func (g *dashboardGuardianImpl) CanCreate(_ int64, _ bool) (bool, error) {
// when using dashboard guardian without access control a user can create a dashboard if they can save it
return g.CanSave()
}
chore: avoid aliasing imports in services (#22499)
2020-02-29 06:35:15 -06:00
func (g *dashboardGuardianImpl) HasPermission(permission models.PermissionType) (bool, error) {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
if g.user.OrgRole == org.RoleAdmin {
add debug logging of folder/dashbord permission checks
2018-10-22 03:39:25 -05:00
return g.logHasPermissionResult(permission, true, nil)
dashboard guardian refactoring starting to work
2017-06-19 12:47:44 -05:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
acl, err := g.GetACL()
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
if err != nil {
add debug logging of folder/dashbord permission checks
2018-10-22 03:39:25 -05:00
return g.logHasPermissionResult(permission, false, err)
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
result, err := g.checkACL(permission, acl)
add debug logging of folder/dashbord permission checks
2018-10-22 03:39:25 -05:00
return g.logHasPermissionResult(permission, result, err)
}
chore: avoid aliasing imports in services (#22499)
2020-02-29 06:35:15 -06:00
func (g *dashboardGuardianImpl) logHasPermissionResult(permission models.PermissionType, hasPermission bool, err error) (bool, error) {
add debug logging of folder/dashbord permission checks
2018-10-22 03:39:25 -05:00
if err != nil {
return hasPermission, err
}
if hasPermission {
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 06:28:55 -05:00
g.log.Debug("User granted access to execute action", "userId", g.user.UserID, "orgId", g.orgId, "uname", g.user.Login, "dashId", g.dashId, "action", permission)
add debug logging of folder/dashbord permission checks
2018-10-22 03:39:25 -05:00
} else {
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 06:28:55 -05:00
g.log.Debug("User denied access to execute action", "userId", g.user.UserID, "orgId", g.orgId, "uname", g.user.Login, "dashId", g.dashId, "action", permission)
add debug logging of folder/dashbord permission checks
2018-10-22 03:39:25 -05:00
}
return hasPermission, err
dashfolders: stop user locking themselves out of a folder
2018-01-18 07:30:04 -06:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
func (g *dashboardGuardianImpl) checkACL(permission models.PermissionType, acl []*models.DashboardACLInfoDTO) (bool, error) {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
orgRole := g.user.OrgRole
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
teamACLItems := []*models.DashboardACLInfoDTO{}
dashboard acl fixes
2017-06-22 16:43:55 -05:00
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
for _, p := range acl {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
// user match
fix: fixed permission issue with api key with viewer role in dashboards with default permissions
2018-06-19 04:10:17 -05:00
if !g.user.IsAnonymous && p.UserId > 0 {
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 06:28:55 -05:00
if p.UserId == g.user.UserID && p.Permission >= permission {
fix: viewers can edit now works correctly
2017-12-15 07:19:49 -06:00
return true, nil
}
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
dashboard acl fixes
2017-06-22 16:43:55 -05:00
// role match
if p.Role != nil {
if *p.Role == orgRole && p.Permission >= permission {
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
return true, nil
}
}
dashboard acl stuff
2017-06-21 18:23:24 -05:00
dashboard acl fixes
2017-06-22 16:43:55 -05:00
// remember this rule for later
refactor: rename User Groups to Teams
2017-12-08 09:25:45 -06:00
if p.TeamId > 0 {
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
teamACLItems = append(teamACLItems, p)
dashboard acl fixes
2017-06-22 16:43:55 -05:00
}
}
dashfolders: select with description for permissions The dropdown for selecting permission is a new component built on react-select that includes a description for the permission for every option in the select.
2018-01-29 06:56:12 -06:00
// do we have team rules?
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
if len(teamACLItems) == 0 {
dashboard acl fixes
2017-06-22 16:43:55 -05:00
return false, nil
}
dashfolders: select with description for permissions The dropdown for selecting permission is a new component built on react-select that includes a description for the permission for every option in the select.
2018-01-29 06:56:12 -06:00
// load teams
Chore: Remove bus.Dispatch from guardian package (#46711) * replace bus in guardian with sqlstore * fix a couple of tests * replace bus in the rest of the tests * allow init guardian from other packages * make linter happy * init guardian in library elements * fix another test in libraryelements * fix more tests * move guardian mock one level deeper * fix more tests * rename init functions
2022-03-21 04:49:49 -05:00
teams, err := g.getTeams()
dashboard acl fixes
2017-06-22 16:43:55 -05:00
if err != nil {
return false, err
}
pkg: fix codespell issues
2018-04-13 11:40:14 -05:00
// evaluate team rules
dashboard acl fixes
2017-06-22 16:43:55 -05:00
for _, p := range acl {
refactor: rename User Groups to Teams
2017-12-08 09:25:45 -06:00
for _, ug := range teams {
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 07:20:09 -06:00
if ug.ID == p.TeamId && p.Permission >= permission {
dashboard acl stuff
2017-06-21 18:23:24 -05:00
return true, nil
}
}
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
return false, nil
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
func (g *dashboardGuardianImpl) CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []*models.DashboardACL) (bool, error) {
acl := []*models.DashboardACLInfoDTO{}
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
adminRole := org.RoleAdmin
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
everyoneWithAdminRole := &models.DashboardACLInfoDTO{DashboardId: g.dashId, UserId: 0, TeamId: 0, Role: &adminRole, Permission: models.PERMISSION_ADMIN}
dashfolders: stop user locking themselves out of a folder
2018-01-18 07:30:04 -06:00
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
// validate that duplicate permissions don't exists
dashfolders: stop user locking themselves out of a folder
2018-01-18 07:30:04 -06:00
for _, p := range updatePermissions {
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
aclItem := &models.DashboardACLInfoDTO{DashboardId: p.DashboardID, UserId: p.UserID, TeamId: p.TeamID, Role: p.Role, Permission: p.Permission}
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
if aclItem.IsDuplicateOf(everyoneWithAdminRole) {
return false, ErrGuardianPermissionExists
}
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
for _, a := range acl {
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
if a.IsDuplicateOf(aclItem) {
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
return false, ErrGuardianPermissionExists
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
}
}
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
acl = append(acl, aclItem)
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
existingPermissions, err := g.GetACL()
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
if err != nil {
return false, err
}
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
// validate overridden permissions to be higher
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
for _, a := range acl {
for _, existingPerm := range existingPermissions {
return inherited property for permissions
2018-04-23 02:23:14 -05:00
if !existingPerm.Inherited {
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
continue
}
permissions: fix validation of permissions before update Did a bad pointer comparison so extended the tests for duplicate permissions.
2018-02-28 01:48:28 -06:00
if a.IsDuplicateOf(existingPerm) && a.Permission <= existingPerm.Permission {
dashboards: change dashboard/folder permission error messages
2018-02-27 09:03:11 -06:00
return false, ErrGuardianOverride
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
}
}
}
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
if g.user.OrgRole == org.RoleAdmin {
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
return true, nil
dashfolders: stop user locking themselves out of a folder
2018-01-18 07:30:04 -06:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
return g.checkACL(permission, existingPermissions)
dashfolders: stop user locking themselves out of a folder
2018-01-18 07:30:04 -06:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
// GetACL returns dashboard acl
func (g *dashboardGuardianImpl) GetACL() ([]*models.DashboardACLInfoDTO, error) {
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
if g.acl != nil {
return g.acl, nil
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
query := models.GetDashboardACLInfoListQuery{DashboardID: g.dashId, OrgID: g.orgId}
if err := g.dashboardService.GetDashboardACLInfoList(g.ctx, &query); err != nil {
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
return nil, err
}
g.acl = query.Result
return g.acl, nil
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
func (g *dashboardGuardianImpl) GetACLWithoutDuplicates() ([]*models.DashboardACLInfoDTO, error) {
acl, err := g.GetACL()
Permissions: Fix inherited folder permissions can prevent new permissions being added to a dashboard (#33329) In the case permissions has been added on dashboard(s). Later permissions for the parent folder of the dashboard is edited in such a way that dashboard in that folder has a permission that is a duplicate of an inherited one. This PR changes so that duplicate permissions are now filtered out from /api/dashboards/id/<dashboard id>/permissions. Duplicate permission are not filtered out if the permission on dashboard is higher than on the inherited folder. Fixes #33296 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-04-28 07:42:18 -05:00
if err != nil {
return nil, err
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
nonInherited := []*models.DashboardACLInfoDTO{}
inherited := []*models.DashboardACLInfoDTO{}
Permissions: Fix inherited folder permissions can prevent new permissions being added to a dashboard (#33329) In the case permissions has been added on dashboard(s). Later permissions for the parent folder of the dashboard is edited in such a way that dashboard in that folder has a permission that is a duplicate of an inherited one. This PR changes so that duplicate permissions are now filtered out from /api/dashboards/id/<dashboard id>/permissions. Duplicate permission are not filtered out if the permission on dashboard is higher than on the inherited folder. Fixes #33296 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-04-28 07:42:18 -05:00
for _, aclItem := range acl {
if aclItem.Inherited {
inherited = append(inherited, aclItem)
} else {
nonInherited = append(nonInherited, aclItem)
}
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
result := []*models.DashboardACLInfoDTO{}
for _, nonInheritedACLItem := range nonInherited {
Permissions: Fix inherited folder permissions can prevent new permissions being added to a dashboard (#33329) In the case permissions has been added on dashboard(s). Later permissions for the parent folder of the dashboard is edited in such a way that dashboard in that folder has a permission that is a duplicate of an inherited one. This PR changes so that duplicate permissions are now filtered out from /api/dashboards/id/<dashboard id>/permissions. Duplicate permission are not filtered out if the permission on dashboard is higher than on the inherited folder. Fixes #33296 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-04-28 07:42:18 -05:00
duplicate := false
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
for _, inheritedACLItem := range inherited {
if nonInheritedACLItem.IsDuplicateOf(inheritedACLItem) && nonInheritedACLItem.Permission <= inheritedACLItem.Permission {
Permissions: Fix inherited folder permissions can prevent new permissions being added to a dashboard (#33329) In the case permissions has been added on dashboard(s). Later permissions for the parent folder of the dashboard is edited in such a way that dashboard in that folder has a permission that is a duplicate of an inherited one. This PR changes so that duplicate permissions are now filtered out from /api/dashboards/id/<dashboard id>/permissions. Duplicate permission are not filtered out if the permission on dashboard is higher than on the inherited folder. Fixes #33296 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-04-28 07:42:18 -05:00
duplicate = true
break
}
}
if !duplicate {
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
result = append(result, nonInheritedACLItem)
Permissions: Fix inherited folder permissions can prevent new permissions being added to a dashboard (#33329) In the case permissions has been added on dashboard(s). Later permissions for the parent folder of the dashboard is edited in such a way that dashboard in that folder has a permission that is a duplicate of an inherited one. This PR changes so that duplicate permissions are now filtered out from /api/dashboards/id/<dashboard id>/permissions. Duplicate permission are not filtered out if the permission on dashboard is higher than on the inherited folder. Fixes #33296 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-04-28 07:42:18 -05:00
}
}
result = append(inherited, result...)
return result, nil
}
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 07:20:09 -06:00
func (g *dashboardGuardianImpl) getTeams() ([]*team.TeamDTO, error) {
Refactor team pages to react & design change (#12574) * Rewriting team pages in react * teams to react progress * teams: getting team by id returns same DTO as search, needed for AvatarUrl * teams: progress on new team pages * fix: team test * listing team members and removing team members now works * teams: team member page now works * ux: fixed adding team member issue * refactoring TeamPicker to conform to react coding styles better * teams: very close to being done with team page rewrite * minor style tweak * ux: polish to team pages * feature: team pages in react & everything working * fix: removed flickering when changing tabs by always rendering PageHeader
2018-07-11 13:23:07 -05:00
if g.teams != nil {
return g.teams, nil
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 07:20:09 -06:00
query := team.GetTeamsByUserQuery{OrgID: g.orgId, UserID: g.user.UserID, SignedInUser: g.user}
queryResult, err := g.teamService.GetTeamsByUser(g.ctx, &query)
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 07:20:09 -06:00
g.teams = queryResult
return queryResult, err
refactoring: Dashboard guardian
2017-06-16 20:25:24 -05:00
}
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
func (g *dashboardGuardianImpl) GetHiddenACL(cfg *setting.Cfg) ([]*models.DashboardACL, error) {
hiddenACL := make([]*models.DashboardACL, 0)
Add an option to hide certain users in the UI (#28942) * Add an option to hide certain users in the UI * revert changes for admin users routes * fix sqlstore function name * Improve slice management Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Hidden users: convert slice to map * filter with user logins instead of IDs * put HiddenUsers in Cfg struct * hide hidden users from dashboards/folders permissions list * Update conf/defaults.ini Co-authored-by: Torkel Ödegaard <torkel@grafana.com> * fix params order * fix tests * fix dashboard/folder update with hidden user * add team tests * add dashboard and folder permissions tests * fixes after merge * fix tests * API: add test for org users endpoints * update hidden users management for dashboard / folder permissions * improve dashboard / folder permissions tests * fixes after merge * Guardian: add hidden acl tests * API: add team members tests * fix team sql syntax for postgres * api tests update * fix linter error * fix tests errors after merge Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Torkel Ödegaard <torkel@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>
2020-11-24 05:10:32 -06:00
if g.user.IsGrafanaAdmin {
return hiddenACL, nil
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
existingPermissions, err := g.GetACL()
Add an option to hide certain users in the UI (#28942) * Add an option to hide certain users in the UI * revert changes for admin users routes * fix sqlstore function name * Improve slice management Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Hidden users: convert slice to map * filter with user logins instead of IDs * put HiddenUsers in Cfg struct * hide hidden users from dashboards/folders permissions list * Update conf/defaults.ini Co-authored-by: Torkel Ödegaard <torkel@grafana.com> * fix params order * fix tests * fix dashboard/folder update with hidden user * add team tests * add dashboard and folder permissions tests * fixes after merge * fix tests * API: add test for org users endpoints * update hidden users management for dashboard / folder permissions * improve dashboard / folder permissions tests * fixes after merge * Guardian: add hidden acl tests * API: add team members tests * fix team sql syntax for postgres * api tests update * fix linter error * fix tests errors after merge Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Torkel Ödegaard <torkel@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>
2020-11-24 05:10:32 -06:00
if err != nil {
return hiddenACL, err
}
for _, item := range existingPermissions {
if item.Inherited || item.UserLogin == g.user.Login {
continue
}
if _, hidden := cfg.HiddenUsers[item.UserLogin]; hidden {
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
hiddenACL = append(hiddenACL, &models.DashboardACL{
Add an option to hide certain users in the UI (#28942) * Add an option to hide certain users in the UI * revert changes for admin users routes * fix sqlstore function name * Improve slice management Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Hidden users: convert slice to map * filter with user logins instead of IDs * put HiddenUsers in Cfg struct * hide hidden users from dashboards/folders permissions list * Update conf/defaults.ini Co-authored-by: Torkel Ödegaard <torkel@grafana.com> * fix params order * fix tests * fix dashboard/folder update with hidden user * add team tests * add dashboard and folder permissions tests * fixes after merge * fix tests * API: add test for org users endpoints * update hidden users management for dashboard / folder permissions * improve dashboard / folder permissions tests * fixes after merge * Guardian: add hidden acl tests * API: add team members tests * fix team sql syntax for postgres * api tests update * fix linter error * fix tests errors after merge Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Torkel Ödegaard <torkel@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>
2020-11-24 05:10:32 -06:00
OrgID: item.OrgId,
DashboardID: item.DashboardId,
UserID: item.UserId,
TeamID: item.TeamId,
Role: item.Role,
Permission: item.Permission,
Created: item.Created,
Updated: item.Updated,
})
}
}
return hiddenACL, nil
}
Chore: Remove unused Go code (#28852) * Chore: Remove more unused Go code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-17 04:51:31 -06:00
// nolint:unused
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
type FakeDashboardGuardian struct {
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
DashID int64
DashUID string
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
OrgId int64
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
User *user.SignedInUser
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
CanSaveValue bool
CanEditValue bool
CanViewValue bool
CanAdminValue bool
HasPermissionValue bool
CheckPermissionBeforeUpdateValue bool
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
CheckPermissionBeforeUpdateError error
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
GetACLValue []*models.DashboardACLInfoDTO
GetHiddenACLValue []*models.DashboardACL
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
}
func (g *FakeDashboardGuardian) CanSave() (bool, error) {
return g.CanSaveValue, nil
}
func (g *FakeDashboardGuardian) CanEdit() (bool, error) {
return g.CanEditValue, nil
}
func (g *FakeDashboardGuardian) CanView() (bool, error) {
return g.CanViewValue, nil
}
func (g *FakeDashboardGuardian) CanAdmin() (bool, error) {
return g.CanAdminValue, nil
}
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 08:05:47 -06:00
func (g *FakeDashboardGuardian) CanDelete() (bool, error) {
return g.CanSaveValue, nil
}
func (g *FakeDashboardGuardian) CanCreate(_ int64, _ bool) (bool, error) {
return g.CanSaveValue, nil
}
chore: avoid aliasing imports in services (#22499)
2020-02-29 06:35:15 -06:00
func (g *FakeDashboardGuardian) HasPermission(permission models.PermissionType) (bool, error) {
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
return g.HasPermissionValue, nil
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
func (g *FakeDashboardGuardian) CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []*models.DashboardACL) (bool, error) {
dashboards: don't allow override of permissions with a lower precedence If a dashboard inherits permissions from a folder, don't allow same permission to be added to the dashboard with a lower permission. Add backend validation so that you cannot add same permission to folder/dashboard, for example same user/team with different permissions
2018-02-26 12:12:01 -06:00
return g.CheckPermissionBeforeUpdateValue, g.CheckPermissionBeforeUpdateError
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
func (g *FakeDashboardGuardian) GetACL() ([]*models.DashboardACLInfoDTO, error) {
return g.GetACLValue, nil
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
func (g *FakeDashboardGuardian) GetACLWithoutDuplicates() ([]*models.DashboardACLInfoDTO, error) {
return g.GetACL()
Permissions: Fix inherited folder permissions can prevent new permissions being added to a dashboard (#33329) In the case permissions has been added on dashboard(s). Later permissions for the parent folder of the dashboard is edited in such a way that dashboard in that folder has a permission that is a duplicate of an inherited one. This PR changes so that duplicate permissions are now filtered out from /api/dashboards/id/<dashboard id>/permissions. Duplicate permission are not filtered out if the permission on dashboard is higher than on the inherited folder. Fixes #33296 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-04-28 07:42:18 -05:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 08:14:58 -05:00
func (g *FakeDashboardGuardian) GetHiddenACL(cfg *setting.Cfg) ([]*models.DashboardACL, error) {
return g.GetHiddenACLValue, nil
Add an option to hide certain users in the UI (#28942) * Add an option to hide certain users in the UI * revert changes for admin users routes * fix sqlstore function name * Improve slice management Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Hidden users: convert slice to map * filter with user logins instead of IDs * put HiddenUsers in Cfg struct * hide hidden users from dashboards/folders permissions list * Update conf/defaults.ini Co-authored-by: Torkel Ödegaard <torkel@grafana.com> * fix params order * fix tests * fix dashboard/folder update with hidden user * add team tests * add dashboard and folder permissions tests * fixes after merge * fix tests * API: add test for org users endpoints * update hidden users management for dashboard / folder permissions * improve dashboard / folder permissions tests * fixes after merge * Guardian: add hidden acl tests * API: add team members tests * fix team sql syntax for postgres * api tests update * fix linter error * fix tests errors after merge Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Torkel Ödegaard <torkel@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>
2020-11-24 05:10:32 -06:00
}
Chore: Remove unused Go code (#28852) * Chore: Remove more unused Go code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-17 04:51:31 -06:00
// nolint:unused
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
func MockDashboardGuardian(mock *FakeDashboardGuardian) {
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
New = func(_ context.Context, dashID int64, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
mock.OrgId = orgId
mock.DashID = dashID
mock.User = user
return mock, nil
}
NewByUID = func(_ context.Context, dashUID string, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
mock.OrgId = orgId
mock.DashUID = dashUID
mock.User = user
return mock, nil
}
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
NewByDashboard = func(_ context.Context, dash *dashboards.Dashboard, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
mock.OrgId = orgId
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
mock.DashUID = dash.UID
mock.DashID = dash.ID
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
mock.User = user
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 08:34:17 -06:00
return mock, nil
dashboards: make fake dashboard guardian available to other packages
2018-02-20 11:08:19 -06:00
}
}
Reference in New Issue Copy Permalink