LBAC for datasources: Override lbac rules if present when updating via datasources endpoints (#94608)

bloc updates to datasources
2025-02-25 18:55:37 -06:00 · 2024-10-17 11:29:30 +01:00 · 2024-10-17 11:29:30 +01:00 · a46ff09bf9
commit a46ff09bf9
parent 573b40ab98
2 changed files with 20 additions and 0 deletions
--- a/pkg/services/datasources/models.go
+++ b/pkg/services/datasources/models.go
@ -205,6 +205,8 @@ type UpdateDataSourceCommand struct {
 	EncryptedSecureJsonData map[string][]byte `json:"-"`
 	UpdateSecretFn          UpdateSecretFn    `json:"-"`
 	IgnoreOldSecureJsonData bool              `json:"-"`
+
+	OnlyUpdateLBACRulesFromAPI bool `json:"-"`
 }

 // DeleteDataSourceCommand will delete a DataSource based on OrgID as well as the UID (preferred), ID, or Name.
--- a/pkg/services/datasources/service/datasource.go
+++ b/pkg/services/datasources/service/datasource.go
@ -534,6 +534,24 @@ func (s *Service) UpdateDataSource(ctx context.Context, cmd *datasources.UpdateD
 			}
 		}

+		// TODO: we will eventually remove this check for moving the resource to it's separate API
+		if s.features != nil && s.features.IsEnabled(ctx, featuremgmt.FlagTeamHttpHeaders) && !cmd.OnlyUpdateLBACRulesFromAPI {
+			s.logger.Debug("Overriding LBAC rules with stored ones",
+				"reason", "update_lbac_rules_from_datasource_api",
+				"action", "use_updateLBACRules_API",
+				"datasource_id", dataSource.ID,
+				"datasource_uid", dataSource.UID)
+
+			if dataSource.JsonData != nil {
+				previousRules := dataSource.JsonData.Get("teamHttpHeaders")
+				if previousRules == nil {
+					cmd.JsonData.Del("teamHttpHeaders")
+				} else {
+					cmd.JsonData.Set("teamHttpHeaders", previousRules)
+				}
+			}
+		}
+
 		if cmd.Name != "" && cmd.Name != dataSource.Name {
 			query := &datasources.GetDataSourceQuery{
 				Name:  cmd.Name,