LibraryPanels: Adds permissions to getAllHandler (#31416)

* LibraryPanels: Adds permissions to getAllHandler * Chore: adds a test to verify the permissions * Chore: tests refactor
2025-02-25 18:55:37 -06:00 · 2021-02-24 14:06:22 +01:00 · 2021-02-24 14:06:22 +01:00 · 466462de37
commit 466462de37
parent f3a7cb4709
7 changed files with 411 additions and 573 deletions
--- a/pkg/services/librarypanels/api.go
+++ b/pkg/services/librarypanels/api.go
@ -97,7 +97,7 @@ func (lps *LibraryPanelService) getHandler(c *models.ReqContext) response.Respon

 // getAllHandler handles GET /api/library-panels/.
 func (lps *LibraryPanelService) getAllHandler(c *models.ReqContext) response.Response {
-	libraryPanels, err := lps.getAllLibraryPanels(c)
+	libraryPanels, err := lps.getAllLibraryPanels(c, c.QueryInt64("limit"))
 	if err != nil {
 		return response.Error(500, "Failed to get library panels", err)
 	}
--- a/pkg/services/librarypanels/database.go
+++ b/pkg/services/librarypanels/database.go
@ -14,7 +14,8 @@ import (

 var (
 	sqlStatmentLibrayPanelDTOWithMeta = `
-SELECT lp.id, lp.org_id, lp.folder_id, lp.uid, lp.name, lp.model, lp.created, lp.created_by, lp.updated, lp.updated_by
+SELECT DISTINCT
+	lp.id, lp.org_id, lp.folder_id, lp.uid, lp.name, lp.model, lp.created, lp.created_by, lp.updated, lp.updated_by
 	, 0 AS can_edit
 	, u1.login AS created_by_name
 	, u1.email AS created_by_email
@ -275,14 +276,21 @@ func (lps *LibraryPanelService) getLibraryPanel(c *models.ReqContext, uid string
 }

 // getAllLibraryPanels gets all library panels.
-func (lps *LibraryPanelService) getAllLibraryPanels(c *models.ReqContext) ([]LibraryPanelDTO, error) {
-	orgID := c.SignedInUser.OrgId
+func (lps *LibraryPanelService) getAllLibraryPanels(c *models.ReqContext, limit int64) ([]LibraryPanelDTO, error) {
 	libraryPanels := make([]LibraryPanelWithMeta, 0)
 	err := lps.SQLStore.WithDbSession(c.Context.Req.Context(), func(session *sqlstore.DBSession) error {
-		sql := sqlStatmentLibrayPanelDTOWithMeta + "WHERE lp.org_id=?"
-		sess := session.SQL(sql, orgID)
-		err := sess.Find(&libraryPanels)
-		if err != nil {
+		builder := sqlstore.SQLBuilder{}
+		builder.Write(sqlStatmentLibrayPanelDTOWithMeta)
+		builder.Write(" LEFT JOIN dashboard AS dashboard on lp.folder_id = dashboard.id")
+		builder.Write(` WHERE lp.org_id = ?`, c.SignedInUser.OrgId)
+		if c.SignedInUser.OrgRole != models.ROLE_ADMIN {
+			builder.WriteDashboardPermissionFilter(c.SignedInUser, models.PERMISSION_VIEW)
+		}
+		if limit == 0 {
+			limit = 1000
+		}
+		builder.Write(lps.SQLStore.Dialect.Limit(limit))
+		if err := session.SQL(builder.GetSQLString(), builder.GetParams()...).Find(&libraryPanels); err != nil {
 			return err
 		}

--- a/pkg/services/librarypanels/librarypanels_test.go
+++ b/pkg/services/librarypanels/librarypanels_test.go
--- a/pkg/services/sqlstore/alert.go
+++ b/pkg/services/sqlstore/alert.go
@ -125,7 +125,7 @@ func HandleAlertsQuery(query *models.GetAlertsQuery) error {
 	}

 	if query.User.OrgRole != models.ROLE_ADMIN {
-		builder.writeDashboardPermissionFilter(query.User, models.PERMISSION_VIEW)
+		builder.WriteDashboardPermissionFilter(query.User, models.PERMISSION_VIEW)
 	}

 	builder.Write(" ORDER BY name ASC")
--- a/pkg/services/sqlstore/dashboard.go
+++ b/pkg/services/sqlstore/dashboard.go
@ -720,7 +720,7 @@ func HasEditPermissionInFolders(query *models.HasEditPermissionInFoldersQuery) e

 	builder := &SQLBuilder{}
 	builder.Write("SELECT COUNT(dashboard.id) AS count FROM dashboard WHERE dashboard.org_id = ? AND dashboard.is_folder = ?", query.SignedInUser.OrgId, dialect.BooleanStr(true))
-	builder.writeDashboardPermissionFilter(query.SignedInUser, models.PERMISSION_EDIT)
+	builder.WriteDashboardPermissionFilter(query.SignedInUser, models.PERMISSION_EDIT)

 	type folderCount struct {
 		Count int64
@ -744,7 +744,7 @@ func HasAdminPermissionInFolders(query *models.HasAdminPermissionInFoldersQuery)

 	builder := &SQLBuilder{}
 	builder.Write("SELECT COUNT(dashboard.id) AS count FROM dashboard WHERE dashboard.org_id = ? AND dashboard.is_folder = ?", query.SignedInUser.OrgId, dialect.BooleanStr(true))
-	builder.writeDashboardPermissionFilter(query.SignedInUser, models.PERMISSION_ADMIN)
+	builder.WriteDashboardPermissionFilter(query.SignedInUser, models.PERMISSION_ADMIN)

 	type folderCount struct {
 		Count int64
--- a/pkg/services/sqlstore/sqlbuilder.go
+++ b/pkg/services/sqlstore/sqlbuilder.go
@ -24,11 +24,15 @@ func (sb *SQLBuilder) GetSQLString() string {
 	return sb.sql.String()
 }

+func (sb *SQLBuilder) GetParams() []interface{} {
+	return sb.params
+}
+
 func (sb *SQLBuilder) AddParams(params ...interface{}) {
 	sb.params = append(sb.params, params...)
 }

-func (sb *SQLBuilder) writeDashboardPermissionFilter(user *models.SignedInUser, permission models.PermissionType) {
+func (sb *SQLBuilder) WriteDashboardPermissionFilter(user *models.SignedInUser, permission models.PermissionType) {
 	if user.OrgRole == models.ROLE_ADMIN {
 		return
 	}
--- a/pkg/services/sqlstore/sqlbuilder_test.go
+++ b/pkg/services/sqlstore/sqlbuilder_test.go
@ -15,7 +15,7 @@ import (
 )

 func TestSQLBuilder(t *testing.T) {
-	t.Run("writeDashboardPermissionFilter", func(t *testing.T) {
+	t.Run("WriteDashboardPermissionFilter", func(t *testing.T) {
 		t.Run("user ACL", func(t *testing.T) {
 			test(t,
 				DashboardProps{},
@ -340,7 +340,7 @@ func getDashboards(sqlStore *SQLStore, search Search, aclUserId int64) ([]*dashb

 	var res []*dashboardResponse
 	builder.Write("SELECT * FROM dashboard WHERE true")
-	builder.writeDashboardPermissionFilter(signedInUser, search.RequiredPermission)
+	builder.WriteDashboardPermissionFilter(signedInUser, search.RequiredPermission)
 	err := sqlStore.engine.SQL(builder.GetSQLString(), builder.params...).Find(&res)
 	return res, err
 }