AccessControl: Fix locked role picker in orgs/edit page (#46539)

* AccessControl: Fix locked role picker in orgs/edit page

* Use correct org when computing metadata

pkg/api/accesscontrol.go

@@ -465,13 +465,16 @@ var teamsEditAccessEvaluator = ac.EvalAll(
 
 // Metadata helpers
 // getAccessControlMetadata returns the accesscontrol metadata associated with a given resource
-func (hs *HTTPServer) getAccessControlMetadata(c *models.ReqContext, prefix string, resourceID string) ac.Metadata {
+func (hs *HTTPServer) getAccessControlMetadata(c *models.ReqContext,
+	orgID int64, prefix string, resourceID string) ac.Metadata {
 	ids := map[string]bool{resourceID: true}
-	return hs.getMultiAccessControlMetadata(c, prefix, ids)[resourceID]
+	return hs.getMultiAccessControlMetadata(c, orgID, prefix, ids)[resourceID]
 }
 
 // getMultiAccessControlMetadata returns the accesscontrol metadata associated with a given set of resources
-func (hs *HTTPServer) getMultiAccessControlMetadata(c *models.ReqContext, prefix string, resourceIDs map[string]bool) map[string]ac.Metadata {
+// Context must contain permissions in the given org (see LoadPermissionsMiddleware or AuthorizeInOrgMiddleware)
+func (hs *HTTPServer) getMultiAccessControlMetadata(c *models.ReqContext,
+	orgID int64, prefix string, resourceIDs map[string]bool) map[string]ac.Metadata {
 	if hs.AccessControl.IsDisabled() || !c.QueryBool("accesscontrol") {
 		return map[string]ac.Metadata{}
 	}
@@ -480,7 +483,7 @@ func (hs *HTTPServer) getMultiAccessControlMetadata(c *models.ReqContext, prefix
 		return map[string]ac.Metadata{}
 	}
 
-	permissions, ok := c.SignedInUser.Permissions[c.OrgId]
+	permissions, ok := c.SignedInUser.Permissions[orgID]
 	if !ok {
 		return map[string]ac.Metadata{}
 	}

pkg/api/datasources.go

@@ -100,7 +100,7 @@ func (hs *HTTPServer) GetDataSourceById(c *models.ReqContext) response.Response
 	dto := convertModelToDtos(filtered[0])
 
 	// Add accesscontrol metadata
-	dto.AccessControl = hs.getAccessControlMetadata(c, "datasources:id:", strconv.FormatInt(dto.Id, 10))
+	dto.AccessControl = hs.getAccessControlMetadata(c, c.OrgId, "datasources:id:", strconv.FormatInt(dto.Id, 10))
 
 	return response.JSON(200, &dto)
 }
@@ -159,7 +159,8 @@ func (hs *HTTPServer) GetDataSourceByUID(c *models.ReqContext) response.Response
 	dto := convertModelToDtos(filtered[0])
 
 	// Add accesscontrol metadata
-	dto.AccessControl = hs.getAccessControlMetadata(c, "datasources:id:", strconv.FormatInt(dto.Id, 10))
+	dto.AccessControl = hs.getAccessControlMetadata(c, c.OrgId, "datasources:id:", strconv.FormatInt(dto.Id, 10))
+
 	return response.JSON(200, &dto)
 }
 

pkg/api/org_users.go

@@ -150,7 +150,8 @@ func (hs *HTTPServer) getOrgUsersHelper(c *models.ReqContext, query *models.GetO
 		filteredUsers = append(filteredUsers, user)
 	}
 
-	accessControlMetadata := hs.getMultiAccessControlMetadata(c, "users:id:", userIDs)
+	// Get accesscontrol metadata for users in the target org
+	accessControlMetadata := hs.getMultiAccessControlMetadata(c, query.OrgId, "users:id:", userIDs)
 	if len(accessControlMetadata) > 0 {
 		for i := range filteredUsers {
 			filteredUsers[i].AccessControl = accessControlMetadata[fmt.Sprint(filteredUsers[i].UserId)]

pkg/api/team.go

@@ -141,7 +141,7 @@ func (hs *HTTPServer) SearchTeams(c *models.ReqContext) response.Response {
 		teamIDs[strconv.FormatInt(team.Id, 10)] = true
 	}
 
-	metadata := hs.getMultiAccessControlMetadata(c, "teams:id:", teamIDs)
+	metadata := hs.getMultiAccessControlMetadata(c, c.OrgId, "teams:id:", teamIDs)
 	if len(metadata) > 0 {
 		for _, team := range query.Result.Teams {
 			team.AccessControl = metadata[strconv.FormatInt(team.Id, 10)]
@@ -195,7 +195,7 @@ func (hs *HTTPServer) GetTeamByID(c *models.ReqContext) response.Response {
 	}
 
 	// Add accesscontrol metadata
-	query.Result.AccessControl = hs.getAccessControlMetadata(c, "teams:id:", strconv.FormatInt(query.Result.Id, 10))
+	query.Result.AccessControl = hs.getAccessControlMetadata(c, c.OrgId, "teams:id:", strconv.FormatInt(query.Result.Id, 10))
 
 	query.Result.AvatarUrl = dtos.GetGravatarUrlWithDefault(query.Result.Email, query.Result.Name)
 	return response.JSON(200, &query.Result)

pkg/api/user.go

@@ -46,7 +46,7 @@ func (hs *HTTPServer) getUserUserProfile(c *models.ReqContext, userID int64) res
 		query.Result.IsExternal = true
 	}
 
-	query.Result.AccessControl = hs.getAccessControlMetadata(c, "global.users:id:", strconv.FormatInt(userID, 10))
+	query.Result.AccessControl = hs.getAccessControlMetadata(c, c.OrgId, "global.users:id:", strconv.FormatInt(userID, 10))
 	query.Result.AvatarUrl = dtos.GetGravatarUrl(query.Result.Email)
 
 	return response.JSON(200, query.Result)

pkg/services/accesscontrol/middleware/middleware.go

@@ -121,6 +121,9 @@ func AuthorizeInOrgMiddleware(ac accesscontrol.AccessControl, db sqlstore.Store)
 			}
 
 			authorize(c, ac, &userCopy, evaluator)
+
+			// Set the signed in user permissions in that org
+			c.SignedInUser.Permissions = userCopy.Permissions
 		}
 	}
 }

public/app/features/admin/AdminEditOrgPage.tsx

@@ -11,6 +11,7 @@ import { Form, Field, Input, Button, Legend, Alert } from '@grafana/ui';
 import { css } from '@emotion/css';
 import { GrafanaRouteComponentProps } from 'app/core/navigation/types';
 import { contextSrv } from 'app/core/core';
+import { accessControlQueryParam } from 'app/core/utils/accessControl';
 
 interface OrgNameDTO {
   orgName: string;
@@ -22,7 +23,7 @@ const getOrg = async (orgId: UrlQueryValue) => {
 
 const getOrgUsers = async (orgId: UrlQueryValue) => {
   if (contextSrv.hasPermission(AccessControlAction.OrgUsersRead)) {
-    return await getBackendSrv().get(`/api/orgs/${orgId}/users`);
+    return await getBackendSrv().get(`/api/orgs/${orgId}/users`, accessControlQueryParam());
   }
   return [];
 };