AccessControl: Enforce user check when enterprise accesscontrol is on (#49003)

* AccessControl: Enforce user check when enterprise accesscontrol is on * Update the test not to fail enterprise build * Adding a log as suggested by Kalle Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Update log message Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
2025-02-25 18:55:37 -06:00 · 2022-05-17 15:47:31 +02:00 · 2022-05-17 15:47:31 +02:00 · 7cb7290a3e
commit 7cb7290a3e
parent 83e234d4f6
2 changed files with 33 additions and 4 deletions
--- a/pkg/services/sqlstore/org_test.go
+++ b/pkg/services/sqlstore/org_test.go
@ -203,7 +203,13 @@ func TestAccountDataAccess(t *testing.T) {
 					err = sqlStore.UpdateOrgUser(context.Background(), &updateCmd)
 					require.NoError(t, err)

-					orgUsersQuery := models.GetOrgUsersQuery{OrgId: ac1.OrgId}
+					orgUsersQuery := models.GetOrgUsersQuery{
+						OrgId: ac1.OrgId,
+						User: &models.SignedInUser{
+							OrgId:       ac1.OrgId,
+							Permissions: map[int64]map[string][]string{ac1.OrgId: {accesscontrol.ActionOrgUsersRead: {accesscontrol.ScopeUsersAll}}},
+						},
+					}
 					err = sqlStore.GetOrgUsers(context.Background(), &orgUsersQuery)
 					require.NoError(t, err)

@ -233,7 +239,13 @@ func TestAccountDataAccess(t *testing.T) {
 				})

 				t.Run("Can get organization users", func(t *testing.T) {
-					query := models.GetOrgUsersQuery{OrgId: ac1.OrgId}
+					query := models.GetOrgUsersQuery{
+						OrgId: ac1.OrgId,
+						User: &models.SignedInUser{
+							OrgId:       ac1.OrgId,
+							Permissions: map[int64]map[string][]string{ac1.OrgId: {accesscontrol.ActionOrgUsersRead: {accesscontrol.ScopeUsersAll}}},
+						},
+					}
 					err := sqlStore.GetOrgUsers(context.Background(), &query)

 					require.NoError(t, err)
@ -245,6 +257,10 @@ func TestAccountDataAccess(t *testing.T) {
 					query := models.GetOrgUsersQuery{
 						OrgId: ac1.OrgId,
 						Query: "ac1",
+						User: &models.SignedInUser{
+							OrgId:       ac1.OrgId,
+							Permissions: map[int64]map[string][]string{ac1.OrgId: {accesscontrol.ActionOrgUsersRead: {accesscontrol.ScopeUsersAll}}},
+						},
 					}
 					err := sqlStore.GetOrgUsers(context.Background(), &query)

@ -258,6 +274,10 @@ func TestAccountDataAccess(t *testing.T) {
 						OrgId: ac1.OrgId,
 						Query: "ac",
 						Limit: 1,
+						User: &models.SignedInUser{
+							OrgId:       ac1.OrgId,
+							Permissions: map[int64]map[string][]string{ac1.OrgId: {accesscontrol.ActionOrgUsersRead: {accesscontrol.ScopeUsersAll}}},
+						},
 					}
 					err := sqlStore.GetOrgUsers(context.Background(), &query)

@ -338,7 +358,13 @@ func TestAccountDataAccess(t *testing.T) {
 					err = sqlStore.AddOrgUser(context.Background(), &orgUserCmd)
 					require.NoError(t, err)

-					query := models.GetOrgUsersQuery{OrgId: ac1.OrgId}
+					query := models.GetOrgUsersQuery{
+						OrgId: ac1.OrgId,
+						User: &models.SignedInUser{
+							OrgId:       ac1.OrgId,
+							Permissions: map[int64]map[string][]string{ac1.OrgId: {accesscontrol.ActionOrgUsersRead: {accesscontrol.ScopeUsersAll}}},
+						},
+					}
 					err = sqlStore.GetOrgUsers(context.Background(), &query)
 					require.NoError(t, err)
 					// require.Equal(t, len(query.Result), 3)
--- a/pkg/services/sqlstore/org_users.go
+++ b/pkg/services/sqlstore/org_users.go
@ -109,7 +109,10 @@ func (ss *SQLStore) GetOrgUsers(ctx context.Context, query *models.GetOrgUsersQu
 		whereConditions = append(whereConditions, fmt.Sprintf("%s.is_service_account = ?", ss.Dialect.Quote("user")))
 		whereParams = append(whereParams, ss.Dialect.BooleanStr(false))

-		if ss.Cfg.IsEnterprise && !accesscontrol.IsDisabled(ss.Cfg) && query.User != nil {
+		if query.User == nil {
+			ss.log.Warn("Query user not set for filtering.")
+		}
+		if ss.Cfg.IsEnterprise && !accesscontrol.IsDisabled(ss.Cfg) {
 			acFilter, err := accesscontrol.Filter(query.User, "org_user.user_id", "users:id:", accesscontrol.ActionOrgUsersRead)
 			if err != nil {
 				return err