Access control: expose permissions to the frontend (#32954)

* Expose user permissions to the frontend

* Do not include empty scope

* Extend ContextSrv with hasPermission() method

* Add access control types

* Fix type error (make permissions optional)

* Fallback if access control disabled

* Move UserPermission to types

* Simplify hasPermission()

pkg/api/dtos/models.go

@@ -25,24 +25,27 @@ type LoginCommand struct {
 }
 
 type CurrentUser struct {
-	IsSignedIn                 bool              `json:"isSignedIn"`
-	Id                         int64             `json:"id"`
-	Login                      string            `json:"login"`
-	Email                      string            `json:"email"`
-	Name                       string            `json:"name"`
-	LightTheme                 bool              `json:"lightTheme"`
-	OrgCount                   int               `json:"orgCount"`
-	OrgId                      int64             `json:"orgId"`
-	OrgName                    string            `json:"orgName"`
-	OrgRole                    models.RoleType   `json:"orgRole"`
-	IsGrafanaAdmin             bool              `json:"isGrafanaAdmin"`
-	GravatarUrl                string            `json:"gravatarUrl"`
-	Timezone                   string            `json:"timezone"`
-	Locale                     string            `json:"locale"`
-	HelpFlags1                 models.HelpFlags1 `json:"helpFlags1"`
-	HasEditPermissionInFolders bool              `json:"hasEditPermissionInFolders"`
+	IsSignedIn                 bool               `json:"isSignedIn"`
+	Id                         int64              `json:"id"`
+	Login                      string             `json:"login"`
+	Email                      string             `json:"email"`
+	Name                       string             `json:"name"`
+	LightTheme                 bool               `json:"lightTheme"`
+	OrgCount                   int                `json:"orgCount"`
+	OrgId                      int64              `json:"orgId"`
+	OrgName                    string             `json:"orgName"`
+	OrgRole                    models.RoleType    `json:"orgRole"`
+	IsGrafanaAdmin             bool               `json:"isGrafanaAdmin"`
+	GravatarUrl                string             `json:"gravatarUrl"`
+	Timezone                   string             `json:"timezone"`
+	Locale                     string             `json:"locale"`
+	HelpFlags1                 models.HelpFlags1  `json:"helpFlags1"`
+	HasEditPermissionInFolders bool               `json:"hasEditPermissionInFolders"`
+	Permissions                UserPermissionsMap `json:"permissions,omitempty"`
 }
 
+type UserPermissionsMap map[string]map[string]string
+
 type MetricRequest struct {
 	From    string             `json:"from"`
 	To      string             `json:"to"`

pkg/api/index.go

@@ -8,6 +8,7 @@ import (
 	"github.com/grafana/grafana/pkg/api/dtos"
 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/setting"
 )
 
@@ -427,6 +428,15 @@ func (hs *HTTPServer) setIndexViewData(c *models.ReqContext) (*dtos.IndexViewDat
 		ContentDeliveryURL:      hs.Cfg.GetContentDeliveryURL(hs.License.ContentDeliveryPrefix()),
 	}
 
+	if hs.Cfg.FeatureToggles["accesscontrol"] {
+		userPermissions, err := hs.AccessControl.GetUserPermissions(c.Req.Context(), c.SignedInUser)
+		if err != nil {
+			return nil, err
+		}
+
+		data.User.Permissions = accesscontrol.BuildPermissionsMap(userPermissions)
+	}
+
 	if setting.DisableGravatar {
 		data.User.GravatarUrl = hs.Cfg.AppSubURL + "/public/img/user_profile.png"
 	}