Authz: Remove use of SignedInUser copy for permission evaluation (#78448)

* remove use of SignedInUserCopies

* add extra safety to not cross-assign permissions

unwind circular dependency

dashboardacl->dashboardaccess

fix missing import

* correctly set teams for permissions

* fix missing inits

* nit: check err

* exit early for api keys
Jo
2023-11-22 14:20:22 +01:00
committed by GitHub
parent 392a4342a8
commit 0de66a8099
44 changed files with 422 additions and 337 deletions


@@ -10,19 +10,20 @@ import (
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
)
var dashboardPermissionTranslation = map[dashboards.PermissionType][]string{
dashboards.PERMISSION_VIEW: {
var dashboardPermissionTranslation = map[dashboardaccess.PermissionType][]string{
dashboardaccess.PERMISSION_VIEW: {
dashboards.ActionDashboardsRead,
},
dashboards.PERMISSION_EDIT: {
dashboardaccess.PERMISSION_EDIT: {
dashboards.ActionDashboardsRead,
dashboards.ActionDashboardsWrite,
dashboards.ActionDashboardsDelete,
},
dashboards.PERMISSION_ADMIN: {
dashboardaccess.PERMISSION_ADMIN: {
dashboards.ActionDashboardsRead,
dashboards.ActionDashboardsWrite,
dashboards.ActionDashboardsCreate,
@@ -32,17 +33,17 @@ var dashboardPermissionTranslation = map[dashboards.PermissionType][]string{
},
}
var folderPermissionTranslation = map[dashboards.PermissionType][]string{
dashboards.PERMISSION_VIEW: append(dashboardPermissionTranslation[dashboards.PERMISSION_VIEW], []string{
var folderPermissionTranslation = map[dashboardaccess.PermissionType][]string{
dashboardaccess.PERMISSION_VIEW: append(dashboardPermissionTranslation[dashboardaccess.PERMISSION_VIEW], []string{
dashboards.ActionFoldersRead,
}...),
dashboards.PERMISSION_EDIT: append(dashboardPermissionTranslation[dashboards.PERMISSION_EDIT], []string{
dashboardaccess.PERMISSION_EDIT: append(dashboardPermissionTranslation[dashboardaccess.PERMISSION_EDIT], []string{
dashboards.ActionDashboardsCreate,
dashboards.ActionFoldersRead,
dashboards.ActionFoldersWrite,
dashboards.ActionFoldersDelete,
}...),
dashboards.PERMISSION_ADMIN: append(dashboardPermissionTranslation[dashboards.PERMISSION_ADMIN], []string{
dashboardaccess.PERMISSION_ADMIN: append(dashboardPermissionTranslation[dashboardaccess.PERMISSION_ADMIN], []string{
dashboards.ActionFoldersRead,
dashboards.ActionFoldersWrite,
dashboards.ActionFoldersDelete,
@@ -111,11 +112,11 @@ func (m dashboardPermissionsMigrator) migratePermissions(dashes []dashboard, acl
if (d.IsFolder || d.FolderID == 0) && len(acls) == 0 && !d.HasAcl {
permissionMap[d.OrgID]["managed:builtins:editor:permissions"] = append(
permissionMap[d.OrgID]["managed:builtins:editor:permissions"],
m.mapPermission(d.ID, dashboards.PERMISSION_EDIT, d.IsFolder)...,
m.mapPermission(d.ID, dashboardaccess.PERMISSION_EDIT, d.IsFolder)...,
)
permissionMap[d.OrgID]["managed:builtins:viewer:permissions"] = append(
permissionMap[d.OrgID]["managed:builtins:viewer:permissions"],
m.mapPermission(d.ID, dashboards.PERMISSION_VIEW, d.IsFolder)...,
m.mapPermission(d.ID, dashboardaccess.PERMISSION_VIEW, d.IsFolder)...,
)
} else {
for _, a := range deduplicateAcl(acls) {
@@ -192,7 +193,7 @@ func (m dashboardPermissionsMigrator) setPermissions(allRoles []*ac.Role, permis
return nil
}
func (m dashboardPermissionsMigrator) mapPermission(id int64, p dashboards.PermissionType, isFolder bool) []*ac.Permission {
func (m dashboardPermissionsMigrator) mapPermission(id int64, p dashboardaccess.PermissionType, isFolder bool) []*ac.Permission {
if isFolder {
actions := folderPermissionTranslation[p]
scope := dashboards.ScopeFoldersProvider.GetResourceScope(strconv.FormatInt(id, 10))
@@ -661,15 +662,15 @@ func (m *managedFolderLibraryPanelActionsMigrator) Exec(sess *xorm.Session, mg *
}
func hasFolderAdmin(permissions []ac.Permission) bool {
return hasActions(folderPermissionTranslation[dashboards.PERMISSION_ADMIN], permissions)
return hasActions(folderPermissionTranslation[dashboardaccess.PERMISSION_ADMIN], permissions)
}
func hasFolderEdit(permissions []ac.Permission) bool {
return hasActions(folderPermissionTranslation[dashboards.PERMISSION_EDIT], permissions)
return hasActions(folderPermissionTranslation[dashboardaccess.PERMISSION_EDIT], permissions)
}
func hasFolderView(permissions []ac.Permission) bool {
return hasActions(folderPermissionTranslation[dashboards.PERMISSION_VIEW], permissions)
return hasActions(folderPermissionTranslation[dashboardaccess.PERMISSION_VIEW], permissions)
}
func hasActions(actions []string, permissions []ac.Permission) bool {


@@ -8,7 +8,7 @@ import (
"xorm.io/xorm"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
"github.com/grafana/grafana/pkg/services/team"
@@ -64,12 +64,12 @@ func (p *teamPermissionMigrator) setRolePermissions(roleID int64, permissions []
}
// mapPermissionToRBAC translates the legacy membership (Member or Admin) into RBAC permissions
func (p *teamPermissionMigrator) mapPermissionToRBAC(permission dashboards.PermissionType, teamID int64) []accesscontrol.Permission {
func (p *teamPermissionMigrator) mapPermissionToRBAC(permission dashboardaccess.PermissionType, teamID int64) []accesscontrol.Permission {
teamIDScope := accesscontrol.Scope("teams", "id", strconv.FormatInt(teamID, 10))
switch permission {
case 0:
return []accesscontrol.Permission{{Action: "teams:read", Scope: teamIDScope}}
case dashboards.PERMISSION_ADMIN:
case dashboardaccess.PERMISSION_ADMIN:
return []accesscontrol.Permission{
{Action: "teams:delete", Scope: teamIDScope},
{Action: "teams:read", Scope: teamIDScope},
@@ -210,7 +210,7 @@ func (p *teamPermissionMigrator) generateAssociatedPermissions(teamMemberships [
// Downgrade team permissions if needed:
// only admins or editors (when editorsCanAdmin option is enabled)
// can access team administration endpoints
if m.Permission == dashboards.PERMISSION_ADMIN {
if m.Permission == dashboardaccess.PERMISSION_ADMIN {
if userRolesByOrg[m.OrgID][m.UserID] == string(org.RoleViewer) || (userRolesByOrg[m.OrgID][m.UserID] == string(org.RoleEditor) && !p.editorsCanAdmin) {
m.Permission = 0
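Review bot: The member level is still a bare `0` in both `case 0:` in mapPermissionToRBAC and the downgrade `m.Permission = 0` here, while the admin arm beside it now reads `dashboardaccess.PERMISSION_ADMIN`; since this commit relocates the type, it is the natural point to name that value too. Unless `dashboardaccess` already exports a constant for it, a file-local `const teamMemberPermission dashboardaccess.PermissionType = 0 // legacy "Member" level` used in both places would make the downgrade check in this authz path self-describing. The surrounding function generateAssociatedPermissions starts outside this section, so I have not checked other uses of the literal there.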


@@ -13,7 +13,7 @@ import (
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/sqlstore/migrations"
@@ -358,7 +358,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
TeamID: 1,
UserID: 2,
External: false,
Permission: dashboards.PERMISSION_ADMIN,
Permission: dashboardaccess.PERMISSION_ADMIN,
Created: now,
Updated: now,
},
@@ -368,7 +368,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
TeamID: 1,
UserID: 3,
External: false,
Permission: dashboards.PERMISSION_ADMIN,
Permission: dashboardaccess.PERMISSION_ADMIN,
Created: now,
Updated: now,
},
@@ -378,7 +378,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
TeamID: 1,
UserID: 4,
External: false,
Permission: dashboards.PERMISSION_ADMIN,
Permission: dashboardaccess.PERMISSION_ADMIN,
Created: now,
Updated: now,
},


@@ -9,6 +9,7 @@ import (
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/auth/identity"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/folder"
"github.com/grafana/grafana/pkg/services/login"
@@ -44,11 +45,11 @@ type PermissionsFilter interface {
nestedFoldersSelectors(permSelector string, permSelectorArgs []any, leftTableCol string, rightTableCol string, orgID int64) (string, []any)
}
// NewAccessControlDashboardPermissionFilter creates a new AccessControlDashboardPermissionFilter that is configured with specific actions calculated based on the dashboards.PermissionType and query type
// NewAccessControlDashboardPermissionFilter creates a new AccessControlDashboardPermissionFilter that is configured with specific actions calculated based on the dashboardaccess.PermissionType and query type
// The filter is configured to use the new permissions filter (without subqueries) if the feature flag is enabled
// The filter is configured to use the old permissions filter (with subqueries) if the feature flag is disabled
func NewAccessControlDashboardPermissionFilter(user identity.Requester, permissionLevel dashboards.PermissionType, queryType string, features featuremgmt.FeatureToggles, recursiveQueriesAreSupported bool) PermissionsFilter {
needEdit := permissionLevel > dashboards.PERMISSION_VIEW
func NewAccessControlDashboardPermissionFilter(user identity.Requester, permissionLevel dashboardaccess.PermissionType, queryType string, features featuremgmt.FeatureToggles, recursiveQueriesAreSupported bool) PermissionsFilter {
needEdit := permissionLevel > dashboardaccess.PERMISSION_VIEW
var folderActions []string
var dashboardActions []string


@@ -17,6 +17,7 @@ import (
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/mock"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
"github.com/grafana/grafana/pkg/services/dashboards/database"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/folder"
@@ -40,7 +41,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
type testCase struct {
desc string
queryType string
permission dashboards.PermissionType
permission dashboardaccess.PermissionType
permissions []accesscontrol.Permission
expectedResult int
}
@@ -48,7 +49,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
tests := []testCase{
{
desc: "Should be able to view all dashboards with wildcard scope",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
},
@@ -56,7 +57,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should be able to view all dashboards with folder wildcard scope",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
},
@@ -64,7 +65,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should be able to view dashboards under the root with folders:uid:general scope",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
@@ -72,7 +73,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should not be able to view editable dashboards under the root with folders:uid:general scope if missing write action",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
@@ -80,7 +81,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should be able to view editable dashboards under the root with folders:uid:general scope if has write action",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
@@ -89,7 +90,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should be able to view a subset of dashboards with dashboard scopes",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:110"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:40"},
@@ -102,7 +103,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should be able to view a subset of dashboards with dashboard action and folder scope",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:8"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:10"},
@@ -111,7 +112,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should be able to view all folders with folder wildcard",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:*"},
},
@@ -119,7 +120,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should be able to view a subset folders",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:6"},
@@ -129,7 +130,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should return folders and dashboard with 'edit' permission",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:3"},
@@ -140,7 +141,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should return the dashboards that the User has dashboards:write permission on in case of 'edit' permission",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:31"},
@@ -152,7 +153,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should return the folders that the User has dashboards:create permission on in case of 'edit' permission",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:3"},
@@ -164,7 +165,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should return folders that users can read alerts from",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
queryType: searchstore.TypeAlertFolder,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
@@ -176,7 +177,7 @@ func TestIntegration_DashboardPermissionFilter(t *testing.T) {
},
{
desc: "Should return folders that users can read alerts when user has read wildcard",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
queryType: searchstore.TypeAlertFolder,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "*"},
@@ -232,7 +233,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
type testCase struct {
desc string
queryType string
permission dashboards.PermissionType
permission dashboardaccess.PermissionType
signedInUserPermissions []accesscontrol.Permission
expectedResult int
}
@@ -240,7 +241,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
tests := []testCase{
{
desc: "Should be able to view all dashboards with wildcard scope",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
},
@@ -248,7 +249,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should be able to view all dashboards with folder wildcard scope",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
},
@@ -256,13 +257,13 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should not be able to view any dashboards or folders without any permissions",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{},
expectedResult: 0,
},
{
desc: "Should be able to view a subset of dashboards with dashboard scopes",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:110"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:40"},
@@ -275,7 +276,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should be able to view a subset of dashboards with dashboard action and folder scope",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:8"},
@@ -285,7 +286,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should be able to view dashboards under the root with folders:uid:general scope",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
@@ -293,7 +294,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should not be able to view editable dashboards under the root with folders:uid:general scope if missing write action",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
@@ -301,7 +302,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should be able to view editable dashboards under the root with folders:uid:general scope if has write action",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
@@ -310,7 +311,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should be able to view all folders with folder wildcard",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:*"},
},
@@ -318,7 +319,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should be able to view a subset folders",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:6"},
@@ -328,7 +329,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should return folders and dashboard with 'edit' permission",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:3"},
@@ -339,7 +340,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should return the dashboards that the User has dashboards:write permission on in case of 'edit' permission",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:31"},
@@ -351,7 +352,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should return the folders that the User has dashboards:create permission on in case of 'edit' permission",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:3"},
@@ -363,7 +364,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should return folders that users can read alerts from",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
queryType: searchstore.TypeAlertFolder,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
@@ -375,7 +376,7 @@ func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *t
},
{
desc: "Should return folders that users can read alerts when user has read wildcard",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
queryType: searchstore.TypeAlertFolder,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "*"},
@@ -427,7 +428,7 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
testCases := []struct {
desc string
queryType string
permission dashboards.PermissionType
permission dashboardaccess.PermissionType
permissions []accesscontrol.Permission
expectedResult []string
features []any
@@ -435,7 +436,7 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
{
desc: "Should not be able to view dashboards under inherited folders with no permissions if nested folders are enabled",
queryType: searchstore.TypeDashboard,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: nil,
features: []any{featuremgmt.FlagNestedFolders},
expectedResult: nil,
@@ -443,14 +444,14 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
{
desc: "Should not be able to view inherited folders with no permissions if nested folders are enabled",
queryType: searchstore.TypeFolder,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: nil,
features: []any{featuremgmt.FlagNestedFolders},
expectedResult: nil,
},
{
desc: "Should not be able to view inherited dashboards and folders with no permissions if nested folders are enabled",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: nil,
features: []any{featuremgmt.FlagNestedFolders},
expectedResult: nil,
@@ -458,7 +459,7 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
{
desc: "Should be able to view dashboards under inherited folders with wildcard scope if nested folders are enabled",
queryType: searchstore.TypeDashboard,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
},
@@ -468,7 +469,7 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
{
desc: "Should be able to view dashboards under inherited folders if nested folders are enabled",
queryType: searchstore.TypeDashboard,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
@@ -478,7 +479,7 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
{
desc: "Should not be able to view dashboards under inherited folders if nested folders are not enabled",
queryType: searchstore.TypeDashboard,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
@@ -488,7 +489,7 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
{
desc: "Should be able to view inherited folders if nested folders are enabled",
queryType: searchstore.TypeFolder,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
},
@@ -498,7 +499,7 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
{
desc: "Should not be able to view inherited folders if nested folders are not enabled",
queryType: searchstore.TypeFolder,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
},
@@ -507,7 +508,7 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
},
{
desc: "Should be able to view inherited dashboards and folders if nested folders are enabled",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
@@ -517,7 +518,7 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
},
{
desc: "Should not be able to view inherited dashboards and folders if nested folders are not enabled",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
@@ -580,7 +581,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
testCases := []struct {
desc string
queryType string
permission dashboards.PermissionType
permission dashboardaccess.PermissionType
signedInUserPermissions []accesscontrol.Permission
expectedResult []string
features []any
@@ -588,7 +589,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
{
desc: "Should not be able to view dashboards under inherited folders with no permissions if nested folders are enabled",
queryType: searchstore.TypeDashboard,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: nil,
features: []any{featuremgmt.FlagNestedFolders},
expectedResult: nil,
@@ -596,14 +597,14 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
{
desc: "Should not be able to view inherited folders with no permissions if nested folders are enabled",
queryType: searchstore.TypeFolder,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: nil,
features: []any{featuremgmt.FlagNestedFolders},
expectedResult: nil,
},
{
desc: "Should not be able to view inherited dashboards and folders with no permissions if nested folders are enabled",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: nil,
features: []any{featuremgmt.FlagNestedFolders},
expectedResult: nil,
@@ -611,7 +612,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
{
desc: "Should be able to view dashboards under inherited folders with wildcard scope if nested folders are enabled",
queryType: searchstore.TypeDashboard,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
},
@@ -621,7 +622,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
{
desc: "Should be able to view dashboards under inherited folders if nested folders are enabled",
queryType: searchstore.TypeDashboard,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
@@ -631,7 +632,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
{
desc: "Should not be able to view dashboards under inherited folders if nested folders are not enabled",
queryType: searchstore.TypeDashboard,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
@@ -641,7 +642,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
{
desc: "Should be able to view inherited folders if nested folders are enabled",
queryType: searchstore.TypeFolder,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
},
@@ -651,7 +652,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
{
desc: "Should not be able to view inherited folders if nested folders are not enabled",
queryType: searchstore.TypeFolder,
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
},
@@ -660,7 +661,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
},
{
desc: "Should be able to view inherited dashboards and folders if nested folders are enabled",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
@@ -670,7 +671,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
},
{
desc: "Should not be able to view inherited dashboards and folders if nested folders are not enabled",
permission: dashboards.PERMISSION_VIEW,
permission: dashboardaccess.PERMISSION_VIEW,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
@@ -680,7 +681,7 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
},
{
desc: "Should be able to edit inherited dashboards and folders if nested folders are enabled",
permission: dashboards.PERMISSION_EDIT,
permission: dashboardaccess.PERMISSION_EDIT,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:subfolder"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:subfolder"},


@@ -17,6 +17,7 @@ import (
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/mock"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
"github.com/grafana/grafana/pkg/services/dashboards/database"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/folder"
@@ -56,7 +57,7 @@ func benchmarkDashboardPermissionFilter(b *testing.B, numUsers, numDashboards, n
b.ResetTimer()
for i := 0; i < b.N; i++ {
filter := permissions.NewAccessControlDashboardPermissionFilter(&usr, dashboards.PERMISSION_VIEW, "", features, recursiveQueriesAreSupported)
filter := permissions.NewAccessControlDashboardPermissionFilter(&usr, dashboardaccess.PERMISSION_VIEW, "", features, recursiveQueriesAreSupported)
var result int
err := store.WithDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
q, params := filter.Where()


@@ -12,6 +12,7 @@ import (
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/sqlstore/permissions"
@@ -299,7 +300,7 @@ func TestBuilder_RBAC(t *testing.T) {
user.Permissions = map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tc.userPermissions)}
}
level := dashboards.PERMISSION_EDIT
level := dashboardaccess.PERMISSION_EDIT
builder := &searchstore.Builder{
Filters: []any{