IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

RBAC: Fix the check for whether an action set should be added (#89219)

Browse Source 
fox the check for whether an action set should be added
This commit is contained in:
Ieva 2024-06-14 15:23:29 +03:00 committed by GitHub
parent b2864d6dfb
commit 4e3294cd8d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/services/accesscontrol/resourcepermissions/store.go
View File

@ -671,7 +671,7 @@ func (s *store) createPermissions(sess *db.Session, roleID int64, cmd SetResourc
/* /*
Add ACTION SET of managed permissions to in-memory store Add ACTION SET of managed permissions to in-memory store
*/ */
if s.shouldStoreActionSet(permission) { if s.shouldStoreActionSet(resource, permission) {
actionSetName := GetActionSetName(resource, permission) actionSetName := GetActionSetName(resource, permission)
p := managedPermission(actionSetName, resource, resourceID, resourceAttribute) p := managedPermission(actionSetName, resource, resourceID, resourceAttribute)
p.RoleID = roleID p.RoleID = roleID
@ -683,13 +683,13 @@ func (s *store) createPermissions(sess *db.Session, roleID int64, cmd SetResourc
// If there are no missing actions for the resource (in case of access level downgrade or resource removal), we don't need to insert any actions // If there are no missing actions for the resource (in case of access level downgrade or resource removal), we don't need to insert any actions
// we still want to add the action set (when permission != "") // we still want to add the action set (when permission != "")
if len(missingActions) == 0 && !s.shouldStoreActionSet(permission) { if len(missingActions) == 0 && !s.shouldStoreActionSet(resource, permission) {
return nil return nil
} }
// if we have actionset feature enabled and are only working with action sets // if we have actionset feature enabled and are only working with action sets
// skip adding the missing actions to the permissions table // skip adding the missing actions to the permissions table
if !(s.shouldStoreActionSet(permission) && s.cfg.OnlyStoreAccessActionSets) { if !(s.shouldStoreActionSet(resource, permission) && s.cfg.OnlyStoreAccessActionSets) {
for action := range missingActions { for action := range missingActions {
p := managedPermission(action, resource, resourceID, resourceAttribute) p := managedPermission(action, resource, resourceID, resourceAttribute)
p.RoleID = roleID p.RoleID = roleID
@ -706,8 +706,12 @@ func (s *store) createPermissions(sess *db.Session, roleID int64, cmd SetResourc
return nil return nil
} }
func (s *store) shouldStoreActionSet(permission string) bool { func (s *store) shouldStoreActionSet(resource, permission string) bool {
return (s.features.IsEnabled(context.TODO(), featuremgmt.FlagAccessActionSets) && permission != "" && isFolderOrDashboardAction(permission)) if !(s.features.IsEnabled(context.TODO(), featuremgmt.FlagAccessActionSets) && permission != "") {
return false
}
actionSetName := GetActionSetName(resource, permission)
return isFolderOrDashboardAction(actionSetName)
} }
func deletePermissions(sess *db.Session, ids []int64) error { func deletePermissions(sess *db.Session, ids []int64) error {