Revert "Revert "RBAC: remove dashboard ACL logic from dash store, service #78130" (#78203)

Revert "Revert "RBAC: remove dashboard ACL logic from dash store, service #78130 (#78198)" This reverts commit 8057b9298d.
2025-02-25 18:55:37 -06:00 · 2023-11-15 16:45:49 +00:00
parent 210ec8247b
commit 2c73f15839
14 changed files with 27 additions and 926 deletions
--- a/pkg/services/user/userimpl/store_test.go
+++ b/pkg/services/user/userimpl/store_test.go
@@ -11,7 +11,6 @@ import (

 	"github.com/grafana/grafana/pkg/infra/db"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
-	"github.com/grafana/grafana/pkg/services/dashboards"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/org/orgimpl"
 	"github.com/grafana/grafana/pkg/services/quota/quotaimpl"
@@ -378,12 +377,6 @@ func TestIntegrationUserDataAccess(t *testing.T) {
 		})
 		require.Nil(t, err)

-		err = updateDashboardACL(t, ss, 1, &dashboards.DashboardACL{
-			DashboardID: 1, OrgID: users[0].OrgID, UserID: users[1].ID,
-			Permission: dashboards.PERMISSION_EDIT,
-		})
-		require.Nil(t, err)
-
 		ss.CacheService.Flush()

 		query := &user.GetSignedInUserQuery{OrgID: users[1].OrgID, UserID: users[1].ID}
@@ -526,22 +519,10 @@ func TestIntegrationUserDataAccess(t *testing.T) {
 		})
 		require.Nil(t, err)

-		err = updateDashboardACL(t, ss, 1, &dashboards.DashboardACL{
-			DashboardID: 1, OrgID: users[0].OrgID, UserID: users[1].ID,
-			Permission: dashboards.PERMISSION_EDIT,
-		})
-		require.Nil(t, err)
-
 		// When the user is deleted
 		err = userStore.Delete(context.Background(), users[1].ID)
 		require.Nil(t, err)

-		permQuery := &dashboards.GetDashboardACLInfoListQuery{DashboardID: 1, OrgID: users[0].OrgID}
-		permQueryResult, err := userStore.getDashboardACLInfoList(permQuery)
-		require.Nil(t, err)
-
-		require.Len(t, permQueryResult, 0)
-
 		// A user is an org member and has been assigned permissions
 		// Re-init DB
 		ss = db.InitTestDB(t)
@@ -560,12 +541,6 @@ func TestIntegrationUserDataAccess(t *testing.T) {
 		})
 		require.Nil(t, err)

-		err = updateDashboardACL(t, ss, 1, &dashboards.DashboardACL{
-			DashboardID: 1, OrgID: users[0].OrgID, UserID: users[1].ID,
-			Permission: dashboards.PERMISSION_EDIT,
-		})
-		require.Nil(t, err)
-
 		ss.CacheService.Flush()

 		query3 := &user.GetSignedInUserQuery{OrgID: users[1].OrgID, UserID: users[1].ID}
@@ -591,12 +566,6 @@ func TestIntegrationUserDataAccess(t *testing.T) {
 		// the user is deleted
 		err = userStore.Delete(context.Background(), users[1].ID)
 		require.Nil(t, err)
-
-		permQuery = &dashboards.GetDashboardACLInfoListQuery{DashboardID: 1, OrgID: users[0].OrgID}
-		permQueryResult, err = userStore.getDashboardACLInfoList(permQuery)
-		require.Nil(t, err)
-
-		require.Len(t, permQueryResult, 0)
 	})

 	t.Run("Testing DB - return list of users that the SignedInUser has permission to read", func(t *testing.T) {
@@ -947,41 +916,6 @@ func createFiveTestUsers(t *testing.T, svc user.Service, fn func(i int) *user.Cr
 	return users
 }

-// TODO: Use FakeDashboardStore when org has its own service
-func updateDashboardACL(t *testing.T, sqlStore db.DB, dashboardID int64, items ...*dashboards.DashboardACL) error {
-	t.Helper()
-
-	err := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
-		_, err := sess.Exec("DELETE FROM dashboard_acl WHERE dashboard_id=?", dashboardID)
-		if err != nil {
-			return fmt.Errorf("deleting from dashboard_acl failed: %w", err)
-		}
-
-		for _, item := range items {
-			item.Created = time.Now()
-			item.Updated = time.Now()
-			if item.UserID == 0 && item.TeamID == 0 && (item.Role == nil || !item.Role.IsValid()) {
-				return dashboards.ErrDashboardACLInfoMissing
-			}
-
-			if item.DashboardID == 0 {
-				return dashboards.ErrDashboardPermissionDashboardEmpty
-			}
-
-			sess.Nullable("user_id", "team_id")
-			if _, err := sess.Insert(item); err != nil {
-				return err
-			}
-		}
-
-		// Update dashboard HasACL flag
-		dashboard := dashboards.Dashboard{HasACL: true}
-		_, err = sess.Cols("has_acl").Where("id=?", dashboardID).Update(&dashboard)
-		return err
-	})
-	return err
-}
-
 func TestMetricsUsage(t *testing.T) {
 	ss := db.InitTestDB(t)
 	userStore := ProvideStore(ss, setting.NewCfg())
@@ -1029,91 +963,6 @@ func TestMetricsUsage(t *testing.T) {
 	})
 }

-// This function was copied from pkg/services/dashboards/database to circumvent
-// import cycles. When this org-related code is refactored into a service the
-// tests can the real GetDashboardACLInfoList functions
-func (ss *sqlStore) getDashboardACLInfoList(query *dashboards.GetDashboardACLInfoListQuery) ([]*dashboards.DashboardACLInfoDTO, error) {
-	queryResult := make([]*dashboards.DashboardACLInfoDTO, 0)
-	outerErr := ss.db.WithDbSession(context.Background(), func(dbSession *db.Session) error {
-		falseStr := ss.dialect.BooleanStr(false)
-
-		if query.DashboardID == 0 {
-			sql := `SELECT
-		da.id,
-		da.org_id,
-		da.dashboard_id,
-		da.user_id,
-		da.team_id,
-		da.permission,
-		da.role,
-		da.created,
-		da.updated,
-		'' as user_login,
-		'' as user_email,
-		'' as team,
-		'' as title,
-		'' as slug,
-		'' as uid,` +
-				falseStr + ` AS is_folder,` +
-				falseStr + ` AS inherited
-		FROM dashboard_acl as da
-		WHERE da.dashboard_id = -1`
-			return dbSession.SQL(sql).Find(&queryResult)
-		}
-
-		rawSQL := `
-			-- get permissions for the dashboard and its parent folder
-			SELECT
-				da.id,
-				da.org_id,
-				da.dashboard_id,
-				da.user_id,
-				da.team_id,
-				da.permission,
-				da.role,
-				da.created,
-				da.updated,
-				u.login AS user_login,
-				u.email AS user_email,
-				ug.name AS team,
-				ug.email AS team_email,
-				d.title,
-				d.slug,
-				d.uid,
-				d.is_folder,
-				CASE WHEN (da.dashboard_id = -1 AND d.folder_id > 0) OR da.dashboard_id = d.folder_id THEN ` + ss.dialect.BooleanStr(true) + ` ELSE ` + falseStr + ` END AS inherited
-			FROM dashboard as d
-				LEFT JOIN dashboard folder on folder.id = d.folder_id
-				LEFT JOIN dashboard_acl AS da ON
-				da.dashboard_id = d.id OR
-				da.dashboard_id = d.folder_id OR
-				(
-					-- include default permissions -->
-					da.org_id = -1 AND (
-					  (folder.id IS NOT NULL AND folder.has_acl = ` + falseStr + `) OR
-					  (folder.id IS NULL AND d.has_acl = ` + falseStr + `)
-					)
-				)
-				LEFT JOIN ` + ss.dialect.Quote("user") + ` AS u ON u.id = da.user_id
-				LEFT JOIN team ug on ug.id = da.team_id
-			WHERE d.org_id = ? AND d.id = ? AND da.id IS NOT NULL
-			ORDER BY da.id ASC
-			`
-
-		return dbSession.SQL(rawSQL, query.OrgID, query.DashboardID).Find(&queryResult)
-	})
-
-	if outerErr != nil {
-		return nil, outerErr
-	}
-
-	for _, p := range queryResult {
-		p.PermissionName = p.Permission.String()
-	}
-
-	return queryResult, nil
-}
-
 func createOrgAndUserSvc(t *testing.T, store db.DB, cfg *setting.Cfg) (org.Service, user.Service) {
 	t.Helper()