Handle case where there are no matching ids for all actions passed to (#46646)

2025-02-25 18:55:37 -06:00 · 2022-03-16 16:31:33 +01:00 · 2022-03-16 16:31:33 +01:00 · 943a8508a6
commit 943a8508a6
parent 2727e2503f
2 changed files with 16 additions and 0 deletions
--- a/pkg/services/accesscontrol/filter.go
+++ b/pkg/services/accesscontrol/filter.go
@ -69,6 +69,10 @@ func Filter(user *models.SignedInUser, sqlID, prefix string, actions ...string)
 		}
 	}

+	if len(ids) == 0 {
+		return denyQuery, nil
+	}
+
 	query := strings.Builder{}
 	query.WriteRune(' ')
 	query.WriteString(sqlID)
--- a/pkg/services/accesscontrol/filter_test.go
+++ b/pkg/services/accesscontrol/filter_test.go
@ -117,6 +117,18 @@ func TestFilter_Datasources(t *testing.T) {
 			expectedDataSources: []string{"ds:3", "ds:7", "ds:8"},
 			expectErr:           false,
 		},
+		{
+			desc:    "expect no data sources when scopes does not match",
+			sqlID:   "data_source.id",
+			prefix:  "datasources",
+			actions: []string{"datasources:read", "datasources:write"},
+			permissions: map[string][]string{
+				"datasources:read":  {"datasources:id:3", "datasources:id:7", "datasources:id:8"},
+				"datasources:write": {"datasources:id:10"},
+			},
+			expectedDataSources: []string{},
+			expectErr:           false,
+		},
 	}

 	// set sqlIDAcceptList before running tests