IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

RBAC: FIX Allow specifying several valid scopes for a kind (#93176)

Browse Source 
* PermRegistry: Fix regression with actions applying to multiple scopes

* Add tests

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
This commit is contained in:
Gabriel MABILLE 2024-09-10 18:22:40 +02:00 committed by GitHub
parent 3f9227183d
commit 697afc71b4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/services/accesscontrol/permreg/permreg.go
View File

@ -128,11 +128,9 @@ func (pr *permissionRegistry) RegisterPluginScope(scope string) {
} }
func (pr *permissionRegistry) RegisterPermission(action, scope string) error { func (pr *permissionRegistry) RegisterPermission(action, scope string) error {
if _, ok := pr.actionScopePrefixes[action]; ok { if _, ok := pr.actionScopePrefixes[action]; !ok {
// action already registered
return nil
}
pr.actionScopePrefixes[action] = PrefixSet{} pr.actionScopePrefixes[action] = PrefixSet{}
}
if scope == "" { if scope == "" {
// scopeless action // scopeless action

18
pkg/services/accesscontrol/permreg/permreg_test.go
View File

@ -103,7 +103,11 @@ func Test_permissionRegistry_RegisterPermission(t *testing.T) {
func Test_permissionRegistry_IsPermissionValid(t *testing.T) { func Test_permissionRegistry_IsPermissionValid(t *testing.T) {
pr := newPermissionRegistry() pr := newPermissionRegistry()
err := pr.RegisterPermission("folders:read", "folders:uid:") err := pr.RegisterPermission("folders:read", "folders:*")
require.NoError(t, err)
err = pr.RegisterPermission("dashboards:read", "dashboards:*")
require.NoError(t, err)
err = pr.RegisterPermission("dashboards:read", "folders:*")
require.NoError(t, err) require.NoError(t, err)
err = pr.RegisterPermission("test-app.settings:read", "") err = pr.RegisterPermission("test-app.settings:read", "")
require.NoError(t, err) require.NoError(t, err)
@ -132,6 +136,18 @@ func Test_permissionRegistry_IsPermissionValid(t *testing.T) {
scope: "folders:*", scope: "folders:*",
wantErr: false, wantErr: false,
}, },
{
name: "valid dashboards read with dashboard scope",
action: "dashboards:read",
scope: "dashboards:uid:my_team_dash",
wantErr: false,
},
{
name: "valid dashboards read with folder scope",
action: "dashboards:read",
scope: "folders:uid:my_team_folder",
wantErr: false,
},
{ {
name: "valid folders read with super wildcard", name: "valid folders read with super wildcard",
action: "folders:read", action: "folders:read",