RBAC: FIX Allow specifying several valid scopes for a kind (#93176)

* PermRegistry: Fix regression with actions applying to multiple scopes

* Add tests

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

pkg/services/accesscontrol/permreg/permreg.go

@@ -128,11 +128,9 @@ func (pr *permissionRegistry) RegisterPluginScope(scope string) {
 }
 
 func (pr *permissionRegistry) RegisterPermission(action, scope string) error {
-	if _, ok := pr.actionScopePrefixes[action]; ok {
-		// action already registered
-		return nil
+	if _, ok := pr.actionScopePrefixes[action]; !ok {
+		pr.actionScopePrefixes[action] = PrefixSet{}
 	}
-	pr.actionScopePrefixes[action] = PrefixSet{}
 
 	if scope == "" {
 		// scopeless action

pkg/services/accesscontrol/permreg/permreg_test.go

@@ -103,7 +103,11 @@ func Test_permissionRegistry_RegisterPermission(t *testing.T) {
 
 func Test_permissionRegistry_IsPermissionValid(t *testing.T) {
 	pr := newPermissionRegistry()
-	err := pr.RegisterPermission("folders:read", "folders:uid:")
+	err := pr.RegisterPermission("folders:read", "folders:*")
+	require.NoError(t, err)
+	err = pr.RegisterPermission("dashboards:read", "dashboards:*")
+	require.NoError(t, err)
+	err = pr.RegisterPermission("dashboards:read", "folders:*")
 	require.NoError(t, err)
 	err = pr.RegisterPermission("test-app.settings:read", "")
 	require.NoError(t, err)
@@ -132,6 +136,18 @@ func Test_permissionRegistry_IsPermissionValid(t *testing.T) {
 			scope:   "folders:*",
 			wantErr: false,
 		},
+		{
+			name:    "valid dashboards read with dashboard scope",
+			action:  "dashboards:read",
+			scope:   "dashboards:uid:my_team_dash",
+			wantErr: false,
+		},
+		{
+			name:    "valid dashboards read with folder scope",
+			action:  "dashboards:read",
+			scope:   "folders:uid:my_team_folder",
+			wantErr: false,
+		},
 		{
 			name:    "valid folders read with super wildcard",
 			action:  "folders:read",