Access Control: Allow dashboard admins to query org users (#51652)

* allow dashboard admins to query org users

* rename one more variable
This commit is contained in:
Ieva 2022-07-04 10:43:06 +01:00 committed by GitHub
parent 3df34fe064
commit 75873d05d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 26 additions and 26 deletions


@ -28,7 +28,7 @@ func (hs *HTTPServer) registerRoutes() {
reqGrafanaAdmin := middleware.ReqGrafanaAdmin
reqEditorRole := middleware.ReqEditorRole
reqOrgAdmin := middleware.ReqOrgAdmin
reqOrgAdminFolderAdminOrTeamAdmin := middleware.OrgAdminFolderAdminOrTeamAdmin(hs.SQLStore, hs.dashboardService)
reqOrgAdminDashOrFolderAdminOrTeamAdmin := middleware.OrgAdminDashOrFolderAdminOrTeamAdmin(hs.SQLStore, hs.dashboardService)
reqCanAccessTeams := middleware.AdminOrEditorAndFeatureEnabled(hs.Cfg.EditorsCanAdmin)
reqSnapshotPublicModeOrSignedIn := middleware.SnapshotPublicModeOrSignedIn(hs.Cfg)
redirectFromLegacyPanelEditURL := middleware.RedirectFromLegacyPanelEditURL(hs.Cfg)
@ -261,7 +261,7 @@ func (hs *HTTPServer) registerRoutes() {
ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite),
)
}
orgRoute.Get("/users/lookup", authorize(reqOrgAdminFolderAdminOrTeamAdmin, lookupEvaluator()), routing.Wrap(hs.GetOrgUsersForCurrentOrgLookup))
orgRoute.Get("/users/lookup", authorize(reqOrgAdminDashOrFolderAdminOrTeamAdmin, lookupEvaluator()), routing.Wrap(hs.GetOrgUsersForCurrentOrgLookup))
})
// create new org


@ -192,18 +192,18 @@ func shouldForceLogin(c *models.ReqContext) bool {
return forceLogin
}
func OrgAdminFolderAdminOrTeamAdmin(ss sqlstore.Store, ds dashboards.DashboardService) func(c *models.ReqContext) {
func OrgAdminDashOrFolderAdminOrTeamAdmin(ss sqlstore.Store, ds dashboards.DashboardService) func(c *models.ReqContext) {
return func(c *models.ReqContext) {
if c.OrgRole == models.ROLE_ADMIN {
return
}
hasAdminPermissionInFoldersQuery := models.HasAdminPermissionInFoldersQuery{SignedInUser: c.SignedInUser}
if err := ds.HasAdminPermissionInFolders(c.Req.Context(), &hasAdminPermissionInFoldersQuery); err != nil {
hasAdminPermissionInDashOrFoldersQuery := models.HasAdminPermissionInDashboardsOrFoldersQuery{SignedInUser: c.SignedInUser}
if err := ds.HasAdminPermissionInDashboardsOrFolders(c.Req.Context(), &hasAdminPermissionInDashOrFoldersQuery); err != nil {
c.JsonApiErr(500, "Failed to check if user is a folder admin", err)
}
if hasAdminPermissionInFoldersQuery.Result {
if hasAdminPermissionInDashOrFoldersQuery.Result {
return
}
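Review bot: The error branch `c.JsonApiErr(500, "Failed to check if user is a folder admin", err)` has no `return`, so after the 500 is written the closure falls through to the `Result` check and, since `Result` stays false on error, presumably continues into the rest of the function that follows the hunk and writes a second response for the same request. Add `return` on the line directly after the `JsonApiErr` call. The message is also stale now that the query covers plain dashboards as well as folders; `"Failed to check if user is a dashboard or folder admin"` matches the new semantics. The closure body continues past the end of the hunk.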


@ -95,7 +95,7 @@ type HasEditPermissionInFoldersQuery struct {
Result bool
}
type HasAdminPermissionInFoldersQuery struct {
type HasAdminPermissionInDashboardsOrFoldersQuery struct {
SignedInUser *SignedInUser
Result bool
}


@ -21,7 +21,7 @@ type DashboardService interface {
GetDashboardUIDById(ctx context.Context, query *models.GetDashboardRefByIdQuery) error
GetPublicDashboard(ctx context.Context, accessToken string) (*models.Dashboard, error)
GetPublicDashboardConfig(ctx context.Context, orgId int64, dashboardUid string) (*models.PublicDashboard, error)
HasAdminPermissionInFolders(ctx context.Context, query *models.HasAdminPermissionInFoldersQuery) error
HasAdminPermissionInDashboardsOrFolders(ctx context.Context, query *models.HasAdminPermissionInDashboardsOrFoldersQuery) error
HasEditPermissionInFolders(ctx context.Context, query *models.HasEditPermissionInFoldersQuery) error
ImportDashboard(ctx context.Context, dto *SaveDashboardDTO) (*models.Dashboard, error)
MakeUserAdmin(ctx context.Context, orgID int64, userID, dashboardID int64, setViewAndEditPermissions bool) error
@ -68,7 +68,7 @@ type Store interface {
GetPublicDashboardConfig(ctx context.Context, orgId int64, dashboardUid string) (*models.PublicDashboard, error)
GetPublicDashboard(ctx context.Context, accessToken string) (*models.PublicDashboard, *models.Dashboard, error)
GenerateNewPublicDashboardUid(ctx context.Context) (string, error)
HasAdminPermissionInFolders(ctx context.Context, query *models.HasAdminPermissionInFoldersQuery) error
HasAdminPermissionInDashboardsOrFolders(ctx context.Context, query *models.HasAdminPermissionInDashboardsOrFoldersQuery) error
HasEditPermissionInFolders(ctx context.Context, query *models.HasEditPermissionInFoldersQuery) error
// SaveAlerts saves dashboard alerts.
SaveAlerts(ctx context.Context, dashID int64, alerts []*models.Alert) error


@ -215,12 +215,12 @@ func (_m *FakeDashboardService) GetPublicDashboardConfig(ctx context.Context, or
return r0, r1
}
// HasAdminPermissionInFolders provides a mock function with given fields: ctx, query
func (_m *FakeDashboardService) HasAdminPermissionInFolders(ctx context.Context, query *models.HasAdminPermissionInFoldersQuery) error {
// HasAdminPermissionInDashboardsOrFolders provides a mock function with given fields: ctx, query
func (_m *FakeDashboardService) HasAdminPermissionInDashboardsOrFolders(ctx context.Context, query *models.HasAdminPermissionInDashboardsOrFoldersQuery) error {
ret := _m.Called(ctx, query)
var r0 error
if rf, ok := ret.Get(0).(func(context.Context, *models.HasAdminPermissionInFoldersQuery) error); ok {
if rf, ok := ret.Get(0).(func(context.Context, *models.HasAdminPermissionInDashboardsOrFoldersQuery) error); ok {
r0 = rf(ctx, query)
} else {
r0 = ret.Error(0)


@ -123,7 +123,7 @@ func (d *DashboardStore) HasEditPermissionInFolders(ctx context.Context, query *
})
}
func (d *DashboardStore) HasAdminPermissionInFolders(ctx context.Context, query *models.HasAdminPermissionInFoldersQuery) error {
func (d *DashboardStore) HasAdminPermissionInDashboardsOrFolders(ctx context.Context, query *models.HasAdminPermissionInDashboardsOrFoldersQuery) error {
return d.sqlStore.WithDbSession(ctx, func(dbSession *sqlstore.DBSession) error {
if query.SignedInUser.HasRole(models.ROLE_ADMIN) {
query.Result = true
@ -131,7 +131,7 @@ func (d *DashboardStore) HasAdminPermissionInFolders(ctx context.Context, query
}
builder := &sqlstore.SQLBuilder{}
builder.Write("SELECT COUNT(dashboard.id) AS count FROM dashboard WHERE dashboard.org_id = ? AND dashboard.is_folder = ?", query.SignedInUser.OrgId, d.dialect.BooleanStr(true))
builder.Write("SELECT COUNT(dashboard.id) AS count FROM dashboard WHERE dashboard.org_id = ?", query.SignedInUser.OrgId)
builder.WriteDashboardPermissionFilter(query.SignedInUser, models.PERMISSION_ADMIN)
type folderCount struct {
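Review bot: The result type `folderCount` at the end of the hunk is now misnamed, and nothing in the code records that dropping `AND dashboard.is_folder = ?` from the SELECT deliberately widens the check from folder admins to anyone holding PERMISSION_ADMIN on any single dashboard in the org, which is what now gates the org user lookup. Add a comment above the query, e.g. `// Counts folders and plain dashboards alike: admin permission on any one of them is enough to pass.`, and rename the type to something like `dashboardCount` so the name stops implying a folder-only filter. The method body and the use of the count continue beyond the hunk.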


@ -322,10 +322,10 @@ func TestIntegrationDashboardFolderDataAccess(t *testing.T) {
})
t.Run("should have admin permission in folders", func(t *testing.T) {
query := &models.HasAdminPermissionInFoldersQuery{
query := &models.HasAdminPermissionInDashboardsOrFoldersQuery{
SignedInUser: &models.SignedInUser{UserId: adminUser.ID, OrgId: 1, OrgRole: models.ROLE_ADMIN},
}
err := dashboardStore.HasAdminPermissionInFolders(context.Background(), query)
err := dashboardStore.HasAdminPermissionInDashboardsOrFolders(context.Background(), query)
require.NoError(t, err)
require.True(t, query.Result)
})
@ -370,10 +370,10 @@ func TestIntegrationDashboardFolderDataAccess(t *testing.T) {
})
t.Run("should not have admin permission in folders", func(t *testing.T) {
query := &models.HasAdminPermissionInFoldersQuery{
query := &models.HasAdminPermissionInDashboardsOrFoldersQuery{
SignedInUser: &models.SignedInUser{UserId: adminUser.ID, OrgId: 1, OrgRole: models.ROLE_EDITOR},
}
err := dashboardStore.HasAdminPermissionInFolders(context.Background(), query)
err := dashboardStore.HasAdminPermissionInDashboardsOrFolders(context.Background(), query)
require.NoError(t, err)
require.False(t, query.Result)
})
@ -418,10 +418,10 @@ func TestIntegrationDashboardFolderDataAccess(t *testing.T) {
})
t.Run("should not have admin permission in folders", func(t *testing.T) {
query := &models.HasAdminPermissionInFoldersQuery{
query := &models.HasAdminPermissionInDashboardsOrFoldersQuery{
SignedInUser: &models.SignedInUser{UserId: adminUser.ID, OrgId: 1, OrgRole: models.ROLE_VIEWER},
}
err := dashboardStore.HasAdminPermissionInFolders(context.Background(), query)
err := dashboardStore.HasAdminPermissionInDashboardsOrFolders(context.Background(), query)
require.NoError(t, err)
require.False(t, query.Result)
})
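Review bot: The three renamed cases still only exercise the existing folder fixtures, so the behaviour this commit adds, a non-admin user whose only PERMISSION_ADMIN ACL is on a plain (`is_folder = false`) dashboard now getting `Result == true`, has no coverage. Add a case next to "should have admin permission in folders" that grants admin permission on a non-folder dashboard to a user with `OrgRole: models.ROLE_EDITOR` and asserts `require.True(t, query.Result)`, plus the inverse where that user holds only edit permission on it and `require.False` is expected. The subtest names should also say "dashboards or folders" to match the renamed query. The fixture setup is outside the hunk, so the exact helper to use for the ACL cannot be seen here.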


@ -573,8 +573,8 @@ func (dr *DashboardServiceImpl) GetDashboardAclInfoList(ctx context.Context, que
return dr.dashboardStore.GetDashboardAclInfoList(ctx, query)
}
func (dr *DashboardServiceImpl) HasAdminPermissionInFolders(ctx context.Context, query *models.HasAdminPermissionInFoldersQuery) error {
return dr.dashboardStore.HasAdminPermissionInFolders(ctx, query)
func (dr *DashboardServiceImpl) HasAdminPermissionInDashboardsOrFolders(ctx context.Context, query *models.HasAdminPermissionInDashboardsOrFoldersQuery) error {
return dr.dashboardStore.HasAdminPermissionInDashboardsOrFolders(ctx, query)
}
func (dr *DashboardServiceImpl) HasEditPermissionInFolders(ctx context.Context, query *models.HasEditPermissionInFoldersQuery) error {


@ -374,12 +374,12 @@ func (_m *FakeDashboardStore) GetPublicDashboardConfig(ctx context.Context, orgI
return r0, r1
}
// HasAdminPermissionInFolders provides a mock function with given fields: ctx, query
func (_m *FakeDashboardStore) HasAdminPermissionInFolders(ctx context.Context, query *models.HasAdminPermissionInFoldersQuery) error {
// HasAdminPermissionInDashboardsOrFolders provides a mock function with given fields: ctx, query
func (_m *FakeDashboardStore) HasAdminPermissionInDashboardsOrFolders(ctx context.Context, query *models.HasAdminPermissionInDashboardsOrFoldersQuery) error {
ret := _m.Called(ctx, query)
var r0 error
if rf, ok := ret.Get(0).(func(context.Context, *models.HasAdminPermissionInFoldersQuery) error); ok {
if rf, ok := ret.Get(0).(func(context.Context, *models.HasAdminPermissionInDashboardsOrFoldersQuery) error); ok {
r0 = rf(ctx, query)
} else {
r0 = ret.Error(0)


@ -581,7 +581,7 @@ func (m *SQLStoreMock) SearchOrgs(ctx context.Context, query *models.SearchOrgsQ
return m.ExpectedError
}
func (m *SQLStoreMock) HasAdminPermissionInFolders(ctx context.Context, query *models.HasAdminPermissionInFoldersQuery) error {
func (m *SQLStoreMock) HasAdminPermissionInDashboardsOrFolders(ctx context.Context, query *models.HasAdminPermissionInDashboardsOrFoldersQuery) error {
return m.ExpectedError
}