From b494fd768938ff58e11ff0543b607586e9da604c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torkel=20=C3=96degaard?=
Date: Mon, 19 Jun 2017 11:03:54 -0400
Subject: [PATCH] dashboard folders acl work

---
 pkg/api/dashboard_acl.go | 73 ++++++++++++------------
 pkg/models/dashboard_acl.go | 11 +++-
 pkg/services/guardian/models.go | 3 -
 pkg/services/sqlstore/dashboard_acl.go | 23 ++++++++
 pkg/services/sqlstore/guardian_test.go | 10 ++--
 pkg/services/sqlstore/user_group_test.go | 2 +-
 pkg/services/sqlstore/user_test.go | 2 +-
 7 files changed, 74 insertions(+), 50 deletions(-)

diff --git a/pkg/api/dashboard_acl.go b/pkg/api/dashboard_acl.go
index 53698cb6dd3..6af5127db1f 100644
--- a/pkg/api/dashboard_acl.go
+++ b/pkg/api/dashboard_acl.go
@@ -16,15 +16,14 @@ func GetDashboardAcl(c *middleware.Context) Response {
 	}
 
 	guardian := guardian.NewDashboardGuardian(dash, c.SignedInUser)
-
-	canView, err := guardian.CanView(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
+	canView, err := guardian.CanView()
 	if err != nil {
 		return ApiError(500, "Failed to get Dashboard ACL", err)
-	} else if !hasPermission {
-		return ApiError(403, "Does not have access to this Dashboard ACL")
+	} else if !canView {
+		return ApiError(403, "Dashboard access denied", nil)
 	}
 
-	query := m.GetDashboardPermissionsQuery{DashboardId: dashboardId}
+	query := m.GetDashboardPermissionsQuery{DashboardId: dash.Id}
 	if err := bus.Dispatch(&query); err != nil {
 		return ApiError(500, "Failed to get Dashboard ACL", err)
 	}
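Review bot: The local `guardian := guardian.NewDashboardGuardian(dash, c.SignedInUser)` shadows the imported `guardian` package for the rest of `GetDashboardAcl`, so nothing else from that package is reachable below this line; `g := guardian.NewDashboardGuardian(dash, c.SignedInUser)` followed by `canView, err := g.CanView()` avoids the trap without changing behavior. The dispatched `GetDashboardPermissionsQuery` now carries only `DashboardId` (the models hunk drops its binding tag and has no `OrgId`), so tenant isolation for this endpoint rests entirely on `dash` having been loaded scoped to `c.OrgId` before the hunk — presumably it is, but that load is outside the hunk and worth confirming. The function's opening lines are outside the hunk.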
@@ -52,43 +51,43 @@ func PostDashboardAcl(c *middleware.Context, cmd m.AddOrUpdateDashboardPermissio
 }
 
 func DeleteDashboardAclByUser(c *middleware.Context) Response {
-	dashboardId := c.ParamsInt64(":id")
-	userId := c.ParamsInt64(":userId")
-	cmd := m.RemoveDashboardPermissionCommand{DashboardId: dashboardId, UserId: userId, OrgId: c.OrgId}
-
-	hasPermission, err := guardian.CanDeleteFromAcl(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
-	if err != nil {
-		return ApiError(500, "Failed to delete from Dashboard ACL", err)
-	}
-
-	if !hasPermission {
-		return Json(403, util.DynMap{"status": "Forbidden", "message": "Does not have access to this Dashboard ACL"})
-	}
-
-	if err := bus.Dispatch(&cmd); err != nil {
-		return ApiError(500, "Failed to delete permission for user", err)
-	}
+	// dashboardId := c.ParamsInt64(":id")
+	// userId := c.ParamsInt64(":userId")
+	// cmd := m.RemoveDashboardPermissionCommand{DashboardId: dashboardId, UserId: userId, OrgId: c.OrgId}
+	//
+	// hasPermission, err := guardian.CanDeleteFromAcl(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
+	// if err != nil {
+	// return ApiError(500, "Failed to delete from Dashboard ACL", err)
+	// }
+	//
+	// if !hasPermission {
+	// return Json(403, util.DynMap{"status": "Forbidden", "message": "Does not have access to this Dashboard ACL"})
+	// }
+	//
+	// if err := bus.Dispatch(&cmd); err != nil {
+	// return ApiError(500, "Failed to delete permission for user", err)
+	// }
 
 	return Json(200, "")
 }
 
 func DeleteDashboardAclByUserGroup(c *middleware.Context) Response {
-	dashboardId := c.ParamsInt64(":id")
-	userGroupId := c.ParamsInt64(":userGroupId")
-	cmd := m.RemoveDashboardPermissionCommand{DashboardId: dashboardId, UserGroupId: userGroupId, OrgId: c.OrgId}
-
-	hasPermission, err := guardian.CanDeleteFromAcl(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
-	if err != nil {
-		return ApiError(500, "Failed to delete from Dashboard ACL", err)
-	}
-
-	if !hasPermission {
-		return Json(403, util.DynMap{"status": "Forbidden", "message": "Does not have access to this Dashboard ACL"})
-	}
-
-	if err := bus.Dispatch(&cmd); err != nil {
-		return ApiError(500, "Failed to delete permission for user", err)
-	}
+	// dashboardId := c.ParamsInt64(":id")
+	// userGroupId := c.ParamsInt64(":userGroupId")
+	// cmd := m.RemoveDashboardPermissionCommand{DashboardId: dashboardId, UserGroupId: userGroupId, OrgId: c.OrgId}
+	//
+	// hasPermission, err := guardian.CanDeleteFromAcl(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
+	// if err != nil {
+	// return ApiError(500, "Failed to delete from Dashboard ACL", err)
+	// }
+	//
+	// if !hasPermission {
+	// return Json(403, util.DynMap{"status": "Forbidden", "message": "Does not have access to this Dashboard ACL"})
+	// }
+	//
+	// if err := bus.Dispatch(&cmd); err != nil {
+	// return ApiError(500, "Failed to delete permission for user", err)
+	// }
 
 	return Json(200, "")
 }
diff --git a/pkg/models/dashboard_acl.go b/pkg/models/dashboard_acl.go
index 4e1a3136f1f..6830cc8ec3a 100644
--- a/pkg/models/dashboard_acl.go
+++ b/pkg/models/dashboard_acl.go
@@ -74,16 +74,21 @@ type AddOrUpdateDashboardPermissionCommand struct {
 
 type RemoveDashboardPermissionCommand struct {
 	DashboardId int64 `json:"dashboardId" binding:"Required"`
-	OrgId       int64 `json:"-"`
 	UserId      int64 `json:"userId"`
 	UserGroupId int64 `json:"userGroupId"`
+
+	OrgId int64 `json:"-"`
 }
 
 //
 // QUERIES
 //
-
 type GetDashboardPermissionsQuery struct {
-	DashboardId int64 `json:"dashboardId" binding:"Required"`
+	DashboardId int64
 	Result      []*DashboardAclInfoDTO
 }
+
+type GetDashboardAclQuery struct {
+	DashboardId int64
+	Result      []*DashboardAcl
+}
diff --git a/pkg/services/guardian/models.go b/pkg/services/guardian/models.go
index 0f1103eff38..21747650735 100644
--- a/pkg/services/guardian/models.go
+++ b/pkg/services/guardian/models.go
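Review bot: `DeleteDashboardAclByUser` and `DeleteDashboardAclByUserGroup` now return `Json(200, "")` unconditionally with their bodies commented out, so a DELETE on either ACL route reports success while the permission entry stays in force and no authorization check runs at all. A stub on an authorization endpoint should fail closed and visibly rather than pretend to succeed — `return ApiError(500, "Not implemented", nil)` (or unregistering the routes) until the guardian-based rewrite lands — so clients and tests cannot mistake a no-op for a revoked grant. Sixteen commented-out lines per handler also invite someone to uncomment the old `guardian.CanDeleteFromAcl(...)` call later without porting it to `NewDashboardGuardian`; a one-line `// TODO: reimplement with DashboardGuardian` preserves the intent better. The hunk opens on the closing brace of `PostDashboardAcl`, whose body is outside the hunk.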
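Review bot: `GetDashboardAclQuery` is added with only `DashboardId` and `Result`, so whatever serves it has no caller-org value to scope the lookup by, even though `RemoveDashboardPermissionCommand` in the same hunk keeps `OrgId int64 `json:"-"`` for exactly that purpose; giving the new query the same `OrgId int64` field lets the store add an `org_id` predicate. Dropping `binding:"Required"` from `GetDashboardPermissionsQuery.DashboardId` is consistent with the API now filling it from `dash.Id`, but both exported query types lack doc comments — `// GetDashboardAclQuery loads the raw ACL rows that apply to a dashboard.` and a matching line for `GetDashboardPermissionsQuery` would cover that.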
@@ -1,8 +1,6 @@
 package guardian
 
 import (
-	"fmt"
-
 	"github.com/grafana/grafana/pkg/bus"
 	m "github.com/grafana/grafana/pkg/models"
 )
@@ -22,7 +20,6 @@ func NewDashboardGuardian(dash *m.Dashboard, user *m.SignedInUser) *DashboardGua
 }
 
 func (g *DashboardGuardian) CanSave() (bool, error) {
-	fmt.Printf("user %v, %v", g.user.OrgRole, g.user.HasRole(m.ROLE_EDITOR))
 	if !g.dashboard.HasAcl {
 		return g.user.HasRole(m.ROLE_EDITOR), nil
 	}
diff --git a/pkg/services/sqlstore/dashboard_acl.go b/pkg/services/sqlstore/dashboard_acl.go
index 23f04ce9e79..22d1af071c7 100644
--- a/pkg/services/sqlstore/dashboard_acl.go
+++ b/pkg/services/sqlstore/dashboard_acl.go
@@ -11,6 +11,7 @@ func init() {
 	bus.AddHandler("sql", AddOrUpdateDashboardPermission)
 	bus.AddHandler("sql", RemoveDashboardPermission)
 	bus.AddHandler("sql", GetDashboardPermissions)
+	bus.AddHandler("sql", GetDashboardAcl)
 }
 
 func AddOrUpdateDashboardPermission(cmd *m.AddOrUpdateDashboardPermissionCommand) error {
@@ -85,6 +86,28 @@ func RemoveDashboardPermission(cmd *m.RemoveDashboardPermissionCommand) error {
 	})
 }
 
+func GetDashboardAcl(query *m.GetDashboardAclQuery) error {
+	rawSQL := `SELECT
+		da.id,
+		da.org_id,
+		da.id,
+		da.dashboard_id,
+		da.user_id,
+		da.user_group_id,
+		da.permissions,
+		da.created,
+		da.updated,
+		FROM` + dialect.Quote("dashboard_acl") + ` as da
+		WHERE dashboard_id IN (
+			SELECT id FROM dashboard where id = ?
+			UNION
+			SELECT parent_id from dashboard where id = ?
+		)`
+
+	query.Result = make([]*m.DashboardAcl, 0)
+	return x.SQL(rawSQL, query.DashboardId).Find(&query.Result)
+}
+
 func GetDashboardPermissions(query *m.GetDashboardPermissionsQuery) error {
 	rawSQL := `SELECT
 		da.id,
diff --git a/pkg/services/sqlstore/guardian_test.go b/pkg/services/sqlstore/guardian_test.go
index dfdc51d675f..23ac6efa489 100644
--- a/pkg/services/sqlstore/guardian_test.go
+++ b/pkg/services/sqlstore/guardian_test.go
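Review bot: The `rawSQL` in the new `GetDashboardAcl` cannot execute as written: `da.updated,` leaves a trailing comma before `FROM`, `da.id` is selected twice (which is at best redundant and likely to confuse the column-to-struct mapping), `FROM` is glued to the quoted table name with no space, and the `WHERE` subquery uses two `?` placeholders while `x.SQL(rawSQL, query.DashboardId)` binds only one. Because the handler is also registered on the bus in the hunk above, the first dispatcher will get a database error rather than a compile error, so a sqlstore test for this query would have caught it. Beyond syntax, the lookup filters on dashboard id alone with no `org_id` predicate; dashboard ids look globally unique in this schema, so this is defense in depth rather than a confirmed cross-org read, but `GetDashboardAclQuery` would need an `OrgId` field before it can be added. The corrected function is below.
```go
func GetDashboardAcl(query *m.GetDashboardAclQuery) error {
	// Rows for the dashboard itself plus its parent folder (parent_id).
	rawSQL := `SELECT
		da.id,
		da.org_id,
		da.dashboard_id,
		da.user_id,
		da.user_group_id,
		da.permissions,
		da.created,
		da.updated
		FROM ` + dialect.Quote("dashboard_acl") + ` as da
		WHERE da.dashboard_id IN (
			SELECT id FROM dashboard where id = ?
			UNION
			SELECT parent_id from dashboard where id = ?
		)`
	// TODO(review): add "AND da.org_id = ?" once the query carries the caller's OrgId.

	query.Result = make([]*m.DashboardAcl, 0)
	// Both placeholders refer to the same dashboard, so it is bound twice.
	return x.SQL(rawSQL, query.DashboardId, query.DashboardId).Find(&query.Result)
}
```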
@@ -76,12 +76,12 @@ func createUser(name string, role string, isAdmin bool) m.User {
 	return currentUserCmd.Result
 }
 
-func updateTestDashboardWithAcl(dashId int64, userId int64, permissionType m.PermissionType) {
+func updateTestDashboardWithAcl(dashId int64, userId int64, permission m.PermissionType) {
 	err := AddOrUpdateDashboardPermission(&m.AddOrUpdateDashboardPermissionCommand{
-		OrgId:          1,
-		UserId:         userId,
-		DashboardId:    dashId,
-		PermissionType: permissionType,
+		OrgId:       1,
+		UserId:      userId,
+		DashboardId: dashId,
+		Permissions: permission,
 	})
 	So(err, ShouldBeNil)
 }
diff --git a/pkg/services/sqlstore/user_group_test.go b/pkg/services/sqlstore/user_group_test.go
index 0d0610df4f4..3f21408122b 100644
--- a/pkg/services/sqlstore/user_group_test.go
+++ b/pkg/services/sqlstore/user_group_test.go
@@ -94,7 +94,7 @@ func TestUserGroupCommandsAndQueries(t *testing.T) {
 			So(err, ShouldBeNil)
 			err = AddUserGroupMember(&m.AddUserGroupMemberCommand{OrgId: 1, UserGroupId: groupId, UserId: userIds[2]})
 			So(err, ShouldBeNil)
-			err = AddOrUpdateDashboardPermission(&m.AddOrUpdateDashboardPermissionCommand{DashboardId: 1, OrgId: 1, PermissionType: m.PERMISSION_EDIT, UserGroupId: groupId})
+			err = AddOrUpdateDashboardPermission(&m.AddOrUpdateDashboardPermissionCommand{DashboardId: 1, OrgId: 1, Permissions: m.PERMISSION_EDIT, UserGroupId: groupId})
 
 			err = DeleteUserGroup(&m.DeleteUserGroupCommand{Id: groupId})
 			So(err, ShouldBeNil)
diff --git a/pkg/services/sqlstore/user_test.go b/pkg/services/sqlstore/user_test.go
index 03819e3959a..3c9cba74b38 100644
--- a/pkg/services/sqlstore/user_test.go
+++ b/pkg/services/sqlstore/user_test.go
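Review bot: The error from the changed `AddOrUpdateDashboardPermission(...)` call is never asserted — the next statement, `err = DeleteUserGroup(...)`, overwrites it, so a failing ACL insert would go unnoticed and the deletion below would be exercised against no ACL row. Add `So(err, ShouldBeNil)` immediately after the changed line, matching the check that follows `AddUserGroupMember` just above it. The enclosing Convey block begins and ends outside the hunk.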
@@ -99,7 +99,7 @@ func TestUserDataAccess(t *testing.T) {
 			err = AddOrgUser(&models.AddOrgUserCommand{LoginOrEmail: users[0].Login, Role: models.ROLE_VIEWER, OrgId: users[0].OrgId})
 			So(err, ShouldBeNil)
 
-			err = AddOrUpdateDashboardPermission(&models.AddOrUpdateDashboardPermissionCommand{DashboardId: 1, OrgId: users[0].OrgId, UserId: users[0].Id, PermissionType: models.PERMISSION_EDIT})
+			err = AddOrUpdateDashboardPermission(&models.AddOrUpdateDashboardPermissionCommand{DashboardId: 1, OrgId: users[0].OrgId, UserId: users[0].Id, Permissions: models.PERMISSION_EDIT})
 			So(err, ShouldBeNil)
 
 			err = SavePreferences(&models.SavePreferencesCommand{UserId: users[0].Id, OrgId: users[0].OrgId, HomeDashboardId: 1, Theme: "dark"})