Access Control: Update Alerting Navbar links builder to use fine-grained access control (#46743)

* remove unnecesarry grants for some alerting roles * add permissions checks to navigation
2025-02-11 16:15:42 -06:00 · 2022-03-18 12:58:50 -04:00 · 2022-03-18 12:58:50 -04:00 · 6967b15e76
commit 6967b15e76
parent f2450575b3
2 changed files with 28 additions and 21 deletions
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@ -229,17 +229,7 @@ func (hs *HTTPServer) getNavTree(c *models.ReqContext, hasEditPerm bool) ([]*dto
 	uaVisibleForOrg := hs.Cfg.UnifiedAlerting.IsEnabled() && !uaIsDisabledForOrg

 	if setting.AlertingEnabled != nil && *setting.AlertingEnabled || uaVisibleForOrg {
-		alertChildNavs := hs.buildAlertNavLinks(c, uaVisibleForOrg)
-		navTree = append(navTree, &dtos.NavLink{
-			Text:       "Alerting",
-			SubTitle:   "Alert rules and notifications",
-			Id:         "alerting",
-			Icon:       "bell",
-			Url:        hs.Cfg.AppSubURL + "/alerting/list",
-			Children:   alertChildNavs,
-			Section:    dtos.NavSectionCore,
-			SortWeight: dtos.WeightAlerting,
-		})
+		navTree = append(navTree, hs.buildAlertNavLinks(c, uaVisibleForOrg)...)
 	}

 	appLinks, err := hs.getAppLinks(c)
@ -472,11 +462,16 @@ func (hs *HTTPServer) buildDashboardNavLinks(c *models.ReqContext, hasEditPerm b
 }

 func (hs *HTTPServer) buildAlertNavLinks(c *models.ReqContext, uaVisibleForOrg bool) []*dtos.NavLink {
-	alertChildNavs := []*dtos.NavLink{
-		{Text: "Alert rules", Id: "alert-list", Url: hs.Cfg.AppSubURL + "/alerting/list", Icon: "list-ul"},
+	hasAccess := ac.HasAccess(hs.AccessControl, c)
+	var alertChildNavs []*dtos.NavLink
+
+	if hasAccess(ac.ReqSignedIn, ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleRead), ac.EvalPermission(ac.ActionAlertingNotificationsExternalRead))) {
+		alertChildNavs = append(alertChildNavs, &dtos.NavLink{
+			Text: "Alert rules", Id: "alert-list", Url: hs.Cfg.AppSubURL + "/alerting/list", Icon: "list-ul",
+		})
 	}

-	if c.OrgRole == models.ROLE_ADMIN || c.OrgRole == models.ROLE_EDITOR {
+	if hasAccess(ac.ReqOrgAdminOrEditor, ac.EvalAny(ac.EvalPermission(ac.ActionAlertingNotificationsRead), ac.EvalPermission(ac.ActionAlertingNotificationsExternalRead))) {
 		if uaVisibleForOrg {
 			alertChildNavs = append(alertChildNavs, &dtos.NavLink{
 				Text: "Contact points", Id: "receivers", Url: hs.Cfg.AppSubURL + "/alerting/notifications",
@ -490,17 +485,34 @@ func (hs *HTTPServer) buildAlertNavLinks(c *models.ReqContext, uaVisibleForOrg b
 			})
 		}
 	}
-	if uaVisibleForOrg {
+
+	if uaVisibleForOrg && hasAccess(ac.ReqSignedIn, ac.EvalAny(ac.EvalPermission(ac.ActionAlertingInstanceRead), ac.EvalPermission(ac.ActionAlertingInstancesExternalRead))) {
 		alertChildNavs = append(alertChildNavs, &dtos.NavLink{Text: "Silences", Id: "silences", Url: hs.Cfg.AppSubURL + "/alerting/silences", Icon: "bell-slash"})
 		alertChildNavs = append(alertChildNavs, &dtos.NavLink{Text: "Alert groups", Id: "groups", Url: hs.Cfg.AppSubURL + "/alerting/groups", Icon: "layer-group"})
 	}
+
 	if c.OrgRole == models.ROLE_ADMIN && uaVisibleForOrg {
 		alertChildNavs = append(alertChildNavs, &dtos.NavLink{
 			Text: "Admin", Id: "alerting-admin", Url: hs.Cfg.AppSubURL + "/alerting/admin",
 			Icon: "cog",
 		})
 	}
-	return alertChildNavs
+
+	if len(alertChildNavs) > 0 {
+		return []*dtos.NavLink{
+			{
+				Text:       "Alerting",
+				SubTitle:   "Alert rules and notifications",
+				Id:         "alerting",
+				Icon:       "bell",
+				Url:        hs.Cfg.AppSubURL + "/alerting/list",
+				Children:   alertChildNavs,
+				Section:    dtos.NavSectionCore,
+				SortWeight: dtos.WeightAlerting,
+			},
+		}
+	}
+	return nil
 }

 func (hs *HTTPServer) buildCreateNavLinks(c *models.ReqContext) []*dtos.NavLink {
--- a/pkg/services/ngalert/accesscontrol.go
+++ b/pkg/services/ngalert/accesscontrol.go
@ -60,7 +60,6 @@ var (
 				},
 			}),
 		},
-		Grants: []string{string(models.ROLE_EDITOR)},
 	}

 	instancesReaderRole = accesscontrol.RoleRegistration{
@ -81,7 +80,6 @@ var (
 				},
 			},
 		},
-		Grants: []string{string(models.ROLE_VIEWER)},
 	}

 	instancesEditorRole = accesscontrol.RoleRegistration{
@ -104,7 +102,6 @@ var (
 				},
 			}),
 		},
-		Grants: []string{string(models.ROLE_EDITOR)},
 	}

 	notificationsReaderRole = accesscontrol.RoleRegistration{
@ -124,7 +121,6 @@ var (
 				},
 			},
 		},
-		Grants: []string{string(models.ROLE_VIEWER)},
 	}

 	notificationsEditorRole = accesscontrol.RoleRegistration{
@ -150,7 +146,6 @@ var (
 				},
 			}),
 		},
-		Grants: []string{string(models.ROLE_EDITOR)},
 	}

 	alertingReaderRole = accesscontrol.RoleRegistration{