Folders: Allow folder editors and admins to create subfolders without any additional permissions (#91215)

* separate permissions for root level folder creation and subfolder creation * fix tests * fix tests * fix tests * frontend fix * Update pkg/api/accesscontrol.go Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com> * fix frontend when action sets are disabled --------- Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
2025-02-25 18:55:37 -06:00 · 2024-08-01 16:20:38 +01:00
parent 85e2ea2488
commit 2e2ddc5c42
19 changed files with 178 additions and 66 deletions
--- a/pkg/services/accesscontrol/resourcepermissions/service_test.go
+++ b/pkg/services/accesscontrol/resourcepermissions/service_test.go
@@ -251,7 +251,7 @@ func TestService_RegisterActionSets(t *testing.T) {
 				},
 				{
 					Action:  "folders:edit",
-					Actions: []string{"folders:read", "dashboards:read", "folders:write", "dashboards:write"},
+					Actions: []string{"folders:read", "dashboards:read", "folders:write", "dashboards:write", "folders:create"},
 				},
 			},
 		},
--- a/pkg/services/accesscontrol/resourcepermissions/store.go
+++ b/pkg/services/accesscontrol/resourcepermissions/store.go
@@ -3,6 +3,7 @@ package resourcepermissions
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
 	"time"

@@ -827,19 +828,24 @@ func (s *InMemoryActionSets) ExpandActionSetsWithFilter(permissions []accesscont
 }

 func (s *InMemoryActionSets) StoreActionSet(name string, actions []string) {
-	actionSet := &ActionSet{
-		Action:  name,
-		Actions: actions,
+	// To avoid backwards incompatible changes, we don't want to store these actions in the DB
+	// Once action sets are fully enabled, we can include dashboards.ActionFoldersCreate in the list of other folder edit/admin actions
+	// Tracked in https://github.com/grafana/identity-access-team/issues/794
+	if name == "folders:edit" || name == "folders:admin" {
+		if !slices.Contains(s.actionSetToActions[name], dashboards.ActionFoldersCreate) {
+			actions = append(actions, dashboards.ActionFoldersCreate)
+		}
 	}
-	s.actionSetToActions[actionSet.Action] = append(s.actionSetToActions[actionSet.Action], actions...)
+
+	s.actionSetToActions[name] = append(s.actionSetToActions[name], actions...)

 	for _, action := range actions {
 		if _, ok := s.actionToActionSets[action]; !ok {
 			s.actionToActionSets[action] = []string{}
 		}
-		s.actionToActionSets[action] = append(s.actionToActionSets[action], actionSet.Action)
+		s.actionToActionSets[action] = append(s.actionToActionSets[action], name)
 	}
-	s.log.Debug("stored action set", "action set name", actionSet.Action)
+	s.log.Debug("stored action set", "action set name", name)
 }

 // RegisterActionSets allow the caller to expand the existing action sets with additional permissions
--- a/pkg/services/accesscontrol/resourcepermissions/store_test.go
+++ b/pkg/services/accesscontrol/resourcepermissions/store_test.go
@@ -787,7 +787,7 @@ func TestStore_StoreActionSet(t *testing.T) {

 			actionSetName := GetActionSetName(tt.resource, tt.action)
 			actionSet := asService.ResolveActionSet(actionSetName)
-			require.Equal(t, tt.actions, actionSet)
+			require.Equal(t, append(tt.actions, "folders:create"), actionSet)
 		})
 	}
 }
@@ -947,6 +947,9 @@ func TestStore_RegisterActionSet(t *testing.T) {

 			for _, expected := range tt.expectedActionSets {
 				actions := asService.ResolveActionSet(expected.Action)
+				if expected.Action == "folders:edit" || expected.Action == "folders:admin" {
+					expected.Actions = append(expected.Actions, "folders:create")
+				}
 				assert.ElementsMatch(t, expected.Actions, actions)
 			}