RBAC: add kind, attribute and identifier to annotation permissions during the migration (#83299)

add kind, attribute and identifier to annotation permissions during the migration
2025-02-09 23:16:16 -06:00 · 2024-02-23 16:03:23 +00:00 · 2024-02-23 16:03:23 +00:00 · 65534e62a6
commit 65534e62a6
parent b2601d71d5
1 changed files with 37 additions and 20 deletions
--- a/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
+++ b/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
@ -730,14 +730,22 @@ func (m *managedDashboardAnnotationActionsMigrator) Exec(sess *xorm.Session, mg

 	for roleId, mappedPermissions := range mapped {
 		for scope, roleActions := range mappedPermissions {
+			// Create a temporary permission to split the scope into kind, attribute and identifier
+			tempPerm := ac.Permission{
+				Scope: scope,
+			}
+			kind, attribute, identifier := tempPerm.SplitScope()
 			if roleActions[dashboards.ActionDashboardsRead] {
 				if !roleActions[ac.ActionAnnotationsRead] {
 					toAdd = append(toAdd, ac.Permission{
-						RoleID:  roleId,
-						Updated: now,
-						Created: now,
-						Scope:   scope,
-						Action:  ac.ActionAnnotationsRead,
+						RoleID:     roleId,
+						Updated:    now,
+						Created:    now,
+						Scope:      scope,
+						Action:     ac.ActionAnnotationsRead,
+						Kind:       kind,
+						Attribute:  attribute,
+						Identifier: identifier,
 					})
 				}
 			}
@ -745,29 +753,38 @@ func (m *managedDashboardAnnotationActionsMigrator) Exec(sess *xorm.Session, mg
 			if roleActions[dashboards.ActionDashboardsWrite] {
 				if !roleActions[ac.ActionAnnotationsCreate] {
 					toAdd = append(toAdd, ac.Permission{
-						RoleID:  roleId,
-						Updated: now,
-						Created: now,
-						Scope:   scope,
-						Action:  ac.ActionAnnotationsCreate,
+						RoleID:     roleId,
+						Updated:    now,
+						Created:    now,
+						Scope:      scope,
+						Action:     ac.ActionAnnotationsCreate,
+						Kind:       kind,
+						Attribute:  attribute,
+						Identifier: identifier,
 					})
 				}
 				if !roleActions[ac.ActionAnnotationsDelete] {
 					toAdd = append(toAdd, ac.Permission{
-						RoleID:  roleId,
-						Updated: now,
-						Created: now,
-						Scope:   scope,
-						Action:  ac.ActionAnnotationsDelete,
+						RoleID:     roleId,
+						Updated:    now,
+						Created:    now,
+						Scope:      scope,
+						Action:     ac.ActionAnnotationsDelete,
+						Kind:       kind,
+						Attribute:  attribute,
+						Identifier: identifier,
 					})
 				}
 				if !roleActions[ac.ActionAnnotationsWrite] {
 					toAdd = append(toAdd, ac.Permission{
-						RoleID:  roleId,
-						Updated: now,
-						Created: now,
-						Scope:   scope,
-						Action:  ac.ActionAnnotationsWrite,
+						RoleID:     roleId,
+						Updated:    now,
+						Created:    now,
+						Scope:      scope,
+						Action:     ac.ActionAnnotationsWrite,
+						Kind:       kind,
+						Attribute:  attribute,
+						Identifier: identifier,
 					})
 				}
 			}