IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

AccessControl: Clear user permission cache for update org user role (#62745)

Browse Source 
* clear user permission cache for update org user role

* check enabled state of ac
This commit is contained in:
Jo
2023-02-03 14:37:41 +01:00
committed by GitHub
parent 6840cc11ff
commit 12d192d80e
2 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
pkg/api/org_users.go
View File

@@ -381,16 +381,23 @@ func (hs *HTTPServer) UpdateOrgUser(c *contextmodel.ReqContext) response.Respons
func (hs *HTTPServer) updateOrgUserHelper(c *contextmodel.ReqContext, cmd org.UpdateOrgUserCommand) response.Response { func (hs *HTTPServer) updateOrgUserHelper(c *contextmodel.ReqContext, cmd org.UpdateOrgUserCommand) response.Response {
if !cmd.Role.IsValid() { if !cmd.Role.IsValid() {
return response.Error(400, "Invalid role specified", nil) return response.Error(http.StatusBadRequest, "Invalid role specified", nil)
} }
if !c.OrgRole.Includes(cmd.Role) && !c.IsGrafanaAdmin { if !c.OrgRole.Includes(cmd.Role) && !c.IsGrafanaAdmin {
return response.Error(http.StatusForbidden, "Cannot assign a role higher than user's role", nil) return response.Error(http.StatusForbidden, "Cannot assign a role higher than user's role", nil)
} }
if err := hs.orgService.UpdateOrgUser(c.Req.Context(), &cmd); err != nil { if err := hs.orgService.UpdateOrgUser(c.Req.Context(), &cmd); err != nil {
if errors.Is(err, org.ErrLastOrgAdmin) { if errors.Is(err, org.ErrLastOrgAdmin) {
return response.Error(400, "Cannot change role so that there is no organization admin left", nil) return response.Error(http.StatusBadRequest, "Cannot change role so that there is no organization admin left", nil)
} }
return response.Error(500, "Failed update org user", err) return response.Error(http.StatusInternalServerError, "Failed update org user", err)
}
if !hs.accesscontrolService.IsDisabled() {
hs.accesscontrolService.ClearUserPermissionCache(&user.SignedInUser{
UserID: cmd.UserID,
OrgID: cmd.OrgID,
})
} }
return response.Success("Organization user updated") return response.Success("Organization user updated")

2
pkg/api/org_users_test.go
View File

@@ -630,6 +630,7 @@ func TestOrgUsersAPIEndpointWithSetPerms_AccessControl(t *testing.T) {
ExpectedUser: &user.User{}, ExpectedUser: &user.User{},
ExpectedSignedInUser: userWithPermissions(1, tt.permissions), ExpectedSignedInUser: userWithPermissions(1, tt.permissions),
} }
hs.accesscontrolService = &actest.FakeService{}
}) })
u := userWithPermissions(1, tt.permissions) u := userWithPermissions(1, tt.permissions)
@@ -703,6 +704,7 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
hs.Cfg.RBACEnabled = tt.enableAccessControl hs.Cfg.RBACEnabled = tt.enableAccessControl
hs.orgService = &orgtest.FakeOrgService{} hs.orgService = &orgtest.FakeOrgService{}
hs.authInfoService = &logintest.AuthInfoServiceFake{} hs.authInfoService = &logintest.AuthInfoServiceFake{}
hs.accesscontrolService = &actest.FakeService{}
hs.userService = &usertest.FakeUserService{ hs.userService = &usertest.FakeUserService{
ExpectedUser: &user.User{}, ExpectedUser: &user.User{},
ExpectedSignedInUser: userWithPermissions(1, tt.permissions), ExpectedSignedInUser: userWithPermissions(1, tt.permissions),