AccessControl: Modify provisioning to prevent built-in role assignment (#48031)

* Add basic and managed prefixes to avoid magic strings For now let's stick with grafana_builtins add function isBasic to RoleDTO add function isBasic to Role Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add team store to wire Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com>
2025-02-25 18:55:37 -06:00 · 2022-04-21 14:14:45 +02:00
parent b727c324b8
commit 9ed7e48454
3 changed files with 17 additions and 4 deletions
--- a/pkg/services/accesscontrol/models.go
+++ b/pkg/services/accesscontrol/models.go
@@ -41,6 +41,10 @@ func (r *Role) IsFixed() bool {
 	return strings.HasPrefix(r.Name, FixedRolePrefix)
 }

+func (r *Role) IsBasic() bool {
+	return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix)
+}
+
 func (r *Role) GetDisplayName() string {
 	if r.IsFixed() && r.DisplayName == "" {
 		r.DisplayName = fallbackDisplayName(r.Name)
@@ -118,6 +122,10 @@ func (r *RoleDTO) IsFixed() bool {
 	return strings.HasPrefix(r.Name, FixedRolePrefix)
 }

+func (r *RoleDTO) IsBasic() bool {
+	return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix)
+}
+
 func (r *RoleDTO) GetDisplayName() string {
 	if r.IsFixed() && r.DisplayName == "" {
 		r.DisplayName = fallbackDisplayName(r.Name)
@@ -261,9 +269,12 @@ type SetResourcePermissionCommand struct {
 }

 const (
-	GlobalOrgID      = 0
-	FixedRolePrefix  = "fixed:"
-	RoleGrafanaAdmin = "Grafana Admin"
+	GlobalOrgID        = 0
+	FixedRolePrefix    = "fixed:"
+	ManagedRolePrefix  = "managed:"
+	BasicRolePrefix    = "grafana:builtins:"
+	BasicRoleUIDPrefix = "grafana_builtins_"
+	RoleGrafanaAdmin   = "Grafana Admin"

 	GeneralFolderUID = "general"