Auth: Move access control API to SignedInUser interface (#73144)

* move access control api to SignedInUser interface

* remove unused code

* add logic for reading perms from a specific org

* move the specific org logic to org_user.go

* add a comment

---------

Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
Jo
2023-08-18 12:42:18 +02:00
committed by GitHub
parent 4c9469fc9e
commit 26339f978b
17 changed files with 50 additions and 41 deletions


@@ -64,7 +64,7 @@ type SearchOptions struct {
}
type TeamPermissionsService interface {
GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]ResourcePermission, error)
GetPermissions(ctx context.Context, user identity.Requester, resourceID string) ([]ResourcePermission, error)
SetUserPermission(ctx context.Context, orgID int64, user User, resourceID, permission string) (*ResourcePermission, error)
}
@@ -86,7 +86,7 @@ type ServiceAccountPermissionsService interface {
type PermissionsService interface {
// GetPermissions returns all permissions for given resourceID
GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]ResourcePermission, error)
GetPermissions(ctx context.Context, user identity.Requester, resourceID string) ([]ResourcePermission, error)
// SetUserPermission sets permission on resource for a user
SetUserPermission(ctx context.Context, orgID int64, user User, resourceID, permission string) (*ResourcePermission, error)
// SetTeamPermission sets permission on resource for a team
@@ -151,13 +151,13 @@ var ReqSignedIn = func(c *contextmodel.ReqContext) bool {
}
var ReqGrafanaAdmin = func(c *contextmodel.ReqContext) bool {
return c.IsGrafanaAdmin
return c.SignedInUser.GetIsGrafanaAdmin()
}
// ReqHasRole generates a fallback to check whether the user has a role
// ReqHasRole(org.RoleAdmin) will always return true for Grafana server admins, eg, a Grafana Admin / Viewer role combination
func ReqHasRole(role org.RoleType) func(c *contextmodel.ReqContext) bool {
return func(c *contextmodel.ReqContext) bool { return c.HasRole(role) }
return func(c *contextmodel.ReqContext) bool { return c.SignedInUser.HasRole(role) }
}
func BuildPermissionsMap(permissions []Permission) map[string]bool {
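Review bot: ReqGrafanaAdmin and ReqHasRole are authorization fallbacks, and in the last hunk their result is now decided entirely by `c.SignedInUser.GetIsGrafanaAdmin()` and `c.SignedInUser.HasRole(role)`, whose bodies are not visible here. The comment above ReqHasRole promises that Grafana server admins always pass `ReqHasRole(org.RoleAdmin)`; a table test over role and server-admin combinations would pin that contract so the delegated method cannot silently drift from the old `c.HasRole` behaviour. Both closures also name `c.SignedInUser` explicitly, so if a request can reach them without a user (not determinable from this hunk), a guard such as `if c.SignedInUser == nil { return false }` would make the check deny rather than panic. ReqGrafanaAdmin has no doc comment; `// ReqGrafanaAdmin is a fallback that passes only for Grafana server admins.` would match the style used for ReqHasRole.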