From 12d192d80ecbe7a433022c3f140e41317b818b4b Mon Sep 17 00:00:00 2001
From: Jo
Date: Fri, 3 Feb 2023 14:37:41 +0100
Subject: [PATCH] AccessControl: Clear user permission cache for update org user role (#62745)
* clear user permission cache for update org user role
* check enabled state of ac
---
pkg/api/org_users.go | 13 ++++++++++---
pkg/api/org_users_test.go | 2 ++
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/pkg/api/org_users.go b/pkg/api/org_users.go
index b0c7c807cc0..c44561f6357 100644
--- a/pkg/api/org_users.go
+++ b/pkg/api/org_users.go
@@ -381,16 +381,23 @@ func (hs *HTTPServer) UpdateOrgUser(c *contextmodel.ReqContext) response.Respons
 func (hs *HTTPServer) updateOrgUserHelper(c *contextmodel.ReqContext, cmd org.UpdateOrgUserCommand) response.Response {
 if !cmd.Role.IsValid() {
- return response.Error(400, "Invalid role specified", nil)
+ return response.Error(http.StatusBadRequest, "Invalid role specified", nil)
 }
 if !c.OrgRole.Includes(cmd.Role) && !c.IsGrafanaAdmin {
 return response.Error(http.StatusForbidden, "Cannot assign a role higher than user's role", nil)
 }
 if err := hs.orgService.UpdateOrgUser(c.Req.Context(), &cmd); err != nil {
 if errors.Is(err, org.ErrLastOrgAdmin) {
- return response.Error(400, "Cannot change role so that there is no organization admin left", nil)
+ return response.Error(http.StatusBadRequest, "Cannot change role so that there is no organization admin left", nil)
 }
- return response.Error(500, "Failed update org user", err)
+ return response.Error(http.StatusInternalServerError, "Failed update org user", err)
+ }
+
+ if !hs.accesscontrolService.IsDisabled() {
+ hs.accesscontrolService.ClearUserPermissionCache(&user.SignedInUser{
+ UserID: cmd.UserID,
+ OrgID: cmd.OrgID,
+ })
 }
 return response.Success("Organization user updated")
diff --git a/pkg/api/org_users_test.go b/pkg/api/org_users_test.go
index 2f2d0cd8f7f..e4ae7c5b0e7 100644
--- a/pkg/api/org_users_test.go
+++ b/pkg/api/org_users_test.go
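Review bot: The guard `if !c.OrgRole.Includes(cmd.Role) && !c.IsGrafanaAdmin` only bounds the role being assigned by the caller's own role and never consults the target user's current role, so unless the route-level permission already prevents it, an org Editor could lower an org Admin to Viewer; consider loading the target's current org role and also rejecting the change when `!c.OrgRole.Includes(currentRole)`. The new invalidation is correctly placed after `UpdateOrgUser` succeeds, but nothing says why it is there, so I would add `// A role change alters the user's effective permissions; drop the cached set so the new role applies immediately rather than after the cache entry expires.` above the `IsDisabled()` check. It is also worth confirming that `ClearUserPermissionCache` keys only on UserID and OrgID, since the `SignedInUser` passed to it carries nothing else. updateOrgUserHelper's closing brace lies outside the hunk.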
@@ -630,6 +630,7 @@ func TestOrgUsersAPIEndpointWithSetPerms_AccessControl(t *testing.T) {
 ExpectedUser: &user.User{},
 ExpectedSignedInUser: userWithPermissions(1, tt.permissions),
 }
+ hs.accesscontrolService = &actest.FakeService{}
 })
 u := userWithPermissions(1, tt.permissions)
@@ -703,6 +704,7 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
 hs.Cfg.RBACEnabled = tt.enableAccessControl
 hs.orgService = &orgtest.FakeOrgService{}
 hs.authInfoService = &logintest.AuthInfoServiceFake{}
+ hs.accesscontrolService = &actest.FakeService{}
 hs.userService = &usertest.FakeUserService{
 ExpectedUser: &user.User{},
 ExpectedSignedInUser: userWithPermissions(1, tt.permissions),
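Review bot: Both hunks install `actest.FakeService{}` so the handler's new `ClearUserPermissionCache` call no longer hits a nil service, but neither test asserts that the cache is actually cleared after a successful role update, so a regression that drops the call would pass unnoticed. If the fake records calls (its definition is not visible here), a case in TestPatchOrgUsersAPIEndpoint_AccessControl that patches a role and then checks the recorded invocation for the target UserID/OrgID would pin the behaviour. Note too that the second hunk drives `hs.Cfg.RBACEnabled` from `tt.enableAccessControl` while the production branch consults `accesscontrolService.IsDisabled()`; unless the fake derives its answer from the config, the disabled path of the new code is presumably never exercised here. Both test functions continue outside the hunks.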