NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)

2025-02-25 18:55:37 -06:00 · 2022-09-22 22:04:48 +02:00
parent 8863c4c140
commit 09f4068849
20 changed files with 1045 additions and 939 deletions
--- a/pkg/services/accesscontrol/models.go
+++ b/pkg/services/accesscontrol/models.go
@@ -306,6 +306,15 @@ const (
 	ActionUsersQuotasUpdate      = "users.quotas:write"

 	// Org actions
+	ActionOrgsRead             = "orgs:read"
+	ActionOrgsPreferencesRead  = "orgs.preferences:read"
+	ActionOrgsQuotasRead       = "orgs.quotas:read"
+	ActionOrgsWrite            = "orgs:write"
+	ActionOrgsPreferencesWrite = "orgs.preferences:write"
+	ActionOrgsQuotasWrite      = "orgs.quotas:write"
+	ActionOrgsDelete           = "orgs:delete"
+	ActionOrgsCreate           = "orgs:create"
+
 	ActionOrgUsersRead   = "org.users:read"
 	ActionOrgUsersAdd    = "org.users:add"
 	ActionOrgUsersRemove = "org.users:remove"
@@ -418,3 +427,53 @@ func BuiltInRolesWithParents(builtInRoles []string) map[string]struct{} {

 	return res
 }
+
+// Evaluators
+
+// TeamsAccessEvaluator is used to protect the "Configuration > Teams" page access
+// grants access to a user when they can either create teams or can read and update a team
+var TeamsAccessEvaluator = EvalAny(
+	EvalPermission(ActionTeamsCreate),
+	EvalAll(
+		EvalPermission(ActionTeamsRead),
+		EvalAny(
+			EvalPermission(ActionTeamsWrite),
+			EvalPermission(ActionTeamsPermissionsWrite),
+		),
+	),
+)
+
+// TeamsEditAccessEvaluator is used to protect the "Configuration > Teams > edit" page access
+var TeamsEditAccessEvaluator = EvalAll(
+	EvalPermission(ActionTeamsRead),
+	EvalAny(
+		EvalPermission(ActionTeamsCreate),
+		EvalPermission(ActionTeamsWrite),
+		EvalPermission(ActionTeamsPermissionsWrite),
+	),
+)
+
+// OrgPreferencesAccessEvaluator is used to protect the "Configure > Preferences" page access
+var OrgPreferencesAccessEvaluator = EvalAny(
+	EvalAll(
+		EvalPermission(ActionOrgsRead),
+		EvalPermission(ActionOrgsWrite),
+	),
+	EvalAll(
+		EvalPermission(ActionOrgsPreferencesRead),
+		EvalPermission(ActionOrgsPreferencesWrite),
+	),
+)
+
+// OrgsAccessEvaluator is used to protect the "Server Admin > Orgs" page access
+// (you need to have read access to update or delete orgs; read is the minimum)
+var OrgsAccessEvaluator = EvalPermission(ActionOrgsRead)
+
+// OrgsCreateAccessEvaluator is used to protect the "Server Admin > Orgs > New Org" page access
+var OrgsCreateAccessEvaluator = EvalAll(
+	EvalPermission(ActionOrgsRead),
+	EvalPermission(ActionOrgsCreate),
+)
+
+// ApiKeyAccessEvaluator is used to protect the "Configuration > API keys" page access
+var ApiKeyAccessEvaluator = EvalPermission(ActionAPIKeyRead)