From 65534e62a64b312a86eaf8817273d1d390d29ae0 Mon Sep 17 00:00:00 2001
From: Ieva
Date: Fri, 23 Feb 2024 16:03:23 +0000
Subject: [PATCH] RBAC: add kind, attribute and identifier to annotation permissions during the migration (#83299)

add kind, attribute and identifier to annotation permissions during the migration
---
 .../accesscontrol/dashboard_permissions.go | 57 ++++++++++++-------
 1 file changed, 37 insertions(+), 20 deletions(-)
diff --git a/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go b/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
index 0198ded5738..9a2aeda1287 100644
--- a/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
+++ b/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
@@ -730,14 +730,22 @@ func (m *managedDashboardAnnotationActionsMigrator) Exec(sess *xorm.Session, mg
 for roleId, mappedPermissions := range mapped {
 for scope, roleActions := range mappedPermissions {
+ // Create a temporary permission to split the scope into kind, attribute and identifier
+ tempPerm := ac.Permission{
+ Scope: scope,
+ }
+ kind, attribute, identifier := tempPerm.SplitScope()
 if roleActions[dashboards.ActionDashboardsRead] {
 if !roleActions[ac.ActionAnnotationsRead] {
 toAdd = append(toAdd, ac.Permission{
- RoleID: roleId,
- Updated: now,
- Created: now,
- Scope: scope,
- Action: ac.ActionAnnotationsRead,
+ RoleID: roleId,
+ Updated: now,
+ Created: now,
+ Scope: scope,
+ Action: ac.ActionAnnotationsRead,
+ Kind: kind,
+ Attribute: attribute,
+ Identifier: identifier,
 })
 }
 }
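Review bot: Permissions written by an earlier run of this migration keep empty `kind`, `attribute` and `identifier` columns, since the values from `tempPerm.SplitScope()` only reach rows appended to `toAdd` here and in the three literals of the next hunk. If any access check or cleanup query matches on those columns instead of `scope` (not visible in this patch), instances that already migrated would carry annotation grants that are skipped or left behind when a dashboard's permissions are removed. A backfill for existing rows, or a comment above `tempPerm` such as `// only rows added by this run get kind/attribute/identifier; existing rows are backfilled by <migration id>`, would settle it. The body of `Exec` starts and ends outside the hunk.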
@@ -745,29 +753,38 @@ func (m *managedDashboardAnnotationActionsMigrator) Exec(sess *xorm.Session, mg
 if roleActions[dashboards.ActionDashboardsWrite] {
 if !roleActions[ac.ActionAnnotationsCreate] {
 toAdd = append(toAdd, ac.Permission{
- RoleID: roleId,
- Updated: now,
- Created: now,
- Scope: scope,
- Action: ac.ActionAnnotationsCreate,
+ RoleID: roleId,
+ Updated: now,
+ Created: now,
+ Scope: scope,
+ Action: ac.ActionAnnotationsCreate,
+ Kind: kind,
+ Attribute: attribute,
+ Identifier: identifier,
 })
 }
 if !roleActions[ac.ActionAnnotationsDelete] {
 toAdd = append(toAdd, ac.Permission{
- RoleID: roleId,
- Updated: now,
- Created: now,
- Scope: scope,
- Action: ac.ActionAnnotationsDelete,
+ RoleID: roleId,
+ Updated: now,
+ Created: now,
+ Scope: scope,
+ Action: ac.ActionAnnotationsDelete,
+ Kind: kind,
+ Attribute: attribute,
+ Identifier: identifier,
 })
 }
 if !roleActions[ac.ActionAnnotationsWrite] {
 toAdd = append(toAdd, ac.Permission{
- RoleID: roleId,
- Updated: now,
- Created: now,
- Scope: scope,
- Action: ac.ActionAnnotationsWrite,
+ RoleID: roleId,
+ Updated: now,
+ Created: now,
+ Scope: scope,
+ Action: ac.ActionAnnotationsWrite,
+ Kind: kind,
+ Attribute: attribute,
+ Identifier: identifier,
 })
 }
 }
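Review bot: The three literals under `ActionDashboardsWrite` and the one in the previous hunk differ only in `Action`, so each new column has to be repeated four times and a literal that misses one yields a permission row that is inconsistent with its `scope`. Building the row in one place, declared next to the `SplitScope()` call, keeps every annotation grant identical apart from the action. The loop below assumes the action constants are plain strings, as their use as `roleActions` keys suggests. The enclosing loops and the rest of `Exec` lie outside the hunk.

```go
// newPerm builds the managed annotation permission for the current role and scope.
newPerm := func(action string) ac.Permission {
	return ac.Permission{
		RoleID:     roleId,
		Updated:    now,
		Created:    now,
		Scope:      scope,
		Action:     action,
		Kind:       kind,
		Attribute:  attribute,
		Identifier: identifier,
	}
}
// … unchanged: ActionDashboardsRead branch, which would append newPerm(ac.ActionAnnotationsRead) …
if roleActions[dashboards.ActionDashboardsWrite] {
	for _, action := range []string{
		ac.ActionAnnotationsCreate,
		ac.ActionAnnotationsDelete,
		ac.ActionAnnotationsWrite,
	} {
		if !roleActions[action] {
			toAdd = append(toAdd, newPerm(action))
		}
	}
}
```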