mirror of
https://github.com/grafana/grafana.git
synced 2025-01-24 23:37:01 -06:00
AccessControl: Modify provisioning to prevent built-in role assignment (#48031)
* Add basic and managed prefixes to avoid magic strings

  For now let's stick with grafana_builtins
  add function isBasic to RoleDTO
  add function isBasic to Role

  Co-authored-by: Jguer <joao.guerreiro@grafana.com>

* Add team store to wire

  Co-authored-by: Jguer <joao.guerreiro@grafana.com>
  Co-authored-by: Jguer <joao.guerreiro@grafana.com>
parent
b727c324b8
commit
9ed7e48454
@ -253,6 +253,7 @@ var wireSet = wire.NewSet(
|
|||||||
wireBasicSet,
|
wireBasicSet,
|
||||||
sqlstore.ProvideService,
|
sqlstore.ProvideService,
|
||||||
wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)),
|
wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)),
|
||||||
|
wire.Bind(new(sqlstore.TeamStore), new(*sqlstore.SQLStore)),
|
||||||
ngmetrics.ProvideService,
|
ngmetrics.ProvideService,
|
||||||
wire.Bind(new(notifications.TempUserStore), new(*sqlstore.SQLStore)),
|
wire.Bind(new(notifications.TempUserStore), new(*sqlstore.SQLStore)),
|
||||||
wire.Bind(new(notifications.Service), new(*notifications.NotificationService)),
|
wire.Bind(new(notifications.Service), new(*notifications.NotificationService)),
|
||||||
@ -268,6 +269,7 @@ var wireTestSet = wire.NewSet(
|
|||||||
sqlstore.ProvideServiceForTests,
|
sqlstore.ProvideServiceForTests,
|
||||||
ngmetrics.ProvideServiceForTest,
|
ngmetrics.ProvideServiceForTest,
|
||||||
wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)),
|
wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)),
|
||||||
|
wire.Bind(new(sqlstore.TeamStore), new(*sqlstore.SQLStore)),
|
||||||
|
|
||||||
notifications.MockNotificationService,
|
notifications.MockNotificationService,
|
||||||
wire.Bind(new(notifications.TempUserStore), new(*mockstore.SQLStoreMock)),
|
wire.Bind(new(notifications.TempUserStore), new(*mockstore.SQLStoreMock)),
|
||||||
|
@ -32,7 +32,7 @@ type flatResourcePermission struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (p *flatResourcePermission) IsManaged() bool {
|
func (p *flatResourcePermission) IsManaged() bool {
|
||||||
return strings.HasPrefix(p.RoleName, "managed:") && !p.IsInherited()
|
return strings.HasPrefix(p.RoleName, accesscontrol.ManagedRolePrefix) && !p.IsInherited()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *flatResourcePermission) IsInherited() bool {
|
func (p *flatResourcePermission) IsInherited() bool {
|
||||||
|
@ -41,6 +41,10 @@ func (r *Role) IsFixed() bool {
|
|||||||
return strings.HasPrefix(r.Name, FixedRolePrefix)
|
return strings.HasPrefix(r.Name, FixedRolePrefix)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (r *Role) IsBasic() bool {
|
||||||
|
return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix)
|
||||||
|
}
|
||||||
|
|
||||||
func (r *Role) GetDisplayName() string {
|
func (r *Role) GetDisplayName() string {
|
||||||
if r.IsFixed() && r.DisplayName == "" {
|
if r.IsFixed() && r.DisplayName == "" {
|
||||||
r.DisplayName = fallbackDisplayName(r.Name)
|
r.DisplayName = fallbackDisplayName(r.Name)
|
||||||
@ -118,6 +122,10 @@ func (r *RoleDTO) IsFixed() bool {
|
|||||||
return strings.HasPrefix(r.Name, FixedRolePrefix)
|
return strings.HasPrefix(r.Name, FixedRolePrefix)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (r *RoleDTO) IsBasic() bool {
|
||||||
|
return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix)
|
||||||
|
}
|
||||||
|
|
||||||
func (r *RoleDTO) GetDisplayName() string {
|
func (r *RoleDTO) GetDisplayName() string {
|
||||||
if r.IsFixed() && r.DisplayName == "" {
|
if r.IsFixed() && r.DisplayName == "" {
|
||||||
r.DisplayName = fallbackDisplayName(r.Name)
|
r.DisplayName = fallbackDisplayName(r.Name)
|
||||||
@ -261,9 +269,12 @@ type SetResourcePermissionCommand struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
GlobalOrgID = 0
|
GlobalOrgID = 0
|
||||||
FixedRolePrefix = "fixed:"
|
FixedRolePrefix = "fixed:"
|
||||||
RoleGrafanaAdmin = "Grafana Admin"
|
ManagedRolePrefix = "managed:"
|
||||||
|
BasicRolePrefix = "grafana:builtins:"
|
||||||
|
BasicRoleUIDPrefix = "grafana_builtins_"
|
||||||
|
RoleGrafanaAdmin = "Grafana Admin"
|
||||||
|
|
||||||
GeneralFolderUID = "general"
|
GeneralFolderUID = "general"
|
||||||
|
|
||||||
|
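Review bot: `Role.IsBasic` in the `-41,6 +41,10` hunk, and the identical `RoleDTO.IsBasic` in the `-118,6 +122,10` hunk, classify a role as built-in from a case-sensitive prefix match on either `Name` or `UID`, so the provisioning guard this commit is for is only as strong as the enforcement of those reserved prefixes elsewhere. Nothing visible in these hunks rejects a custom role whose name or UID starts with `grafana:builtins:` or `grafana_builtins_`, or handles a differently cased name on a store with case-insensitive collation. That is worth confirming in the role create/update and provisioning paths and pinning with a table-driven test (name-only match, UID-only match, neither, mixed case). Both methods and the three new constants are exported without doc comments; I would add `// IsBasic reports whether the role is a built-in basic role, matched by BasicRolePrefix on Name or BasicRoleUIDPrefix on UID.` and a one-line comment on each constant stating that the prefix is reserved. The two method bodies are identical, so a small unexported helper taking the name and UID would keep them from drifting apart.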