dashboard folders acl work
parent
cbbbccf12a
commit
b494fd7689
@ -16,15 +16,14 @@ func GetDashboardAcl(c *middleware.Context) Response {
|
|||||||
}
|
}
|
||||||
|
|
||||||
guardian := guardian.NewDashboardGuardian(dash, c.SignedInUser)
|
guardian := guardian.NewDashboardGuardian(dash, c.SignedInUser)
|
||||||
|
canView, err := guardian.CanView()
|
||||||
canView, err := guardian.CanView(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ApiError(500, "Failed to get Dashboard ACL", err)
|
return ApiError(500, "Failed to get Dashboard ACL", err)
|
||||||
} else if !hasPermission {
|
} else if !canView {
|
||||||
return ApiError(403, "Does not have access to this Dashboard ACL")
|
return ApiError(403, "Dashboard access denied", nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
query := m.GetDashboardPermissionsQuery{DashboardId: dashboardId}
|
query := m.GetDashboardPermissionsQuery{DashboardId: dash.Id}
|
||||||
if err := bus.Dispatch(&query); err != nil {
|
if err := bus.Dispatch(&query); err != nil {
|
||||||
return ApiError(500, "Failed to get Dashboard ACL", err)
|
return ApiError(500, "Failed to get Dashboard ACL", err)
|
||||||
}
|
}
|
||||||
@ -52,43 +51,43 @@ func PostDashboardAcl(c *middleware.Context, cmd m.AddOrUpdateDashboardPermissio
|
|||||||
}
|
}
|
||||||
|
|
||||||
func DeleteDashboardAclByUser(c *middleware.Context) Response {
|
func DeleteDashboardAclByUser(c *middleware.Context) Response {
|
||||||
dashboardId := c.ParamsInt64(":id")
|
// dashboardId := c.ParamsInt64(":id")
|
||||||
userId := c.ParamsInt64(":userId")
|
// userId := c.ParamsInt64(":userId")
|
||||||
cmd := m.RemoveDashboardPermissionCommand{DashboardId: dashboardId, UserId: userId, OrgId: c.OrgId}
|
// cmd := m.RemoveDashboardPermissionCommand{DashboardId: dashboardId, UserId: userId, OrgId: c.OrgId}
|
||||||
|
//
|
||||||
hasPermission, err := guardian.CanDeleteFromAcl(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
|
// hasPermission, err := guardian.CanDeleteFromAcl(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
|
||||||
if err != nil {
|
// if err != nil {
|
||||||
return ApiError(500, "Failed to delete from Dashboard ACL", err)
|
// return ApiError(500, "Failed to delete from Dashboard ACL", err)
|
||||||
}
|
// }
|
||||||
|
//
|
||||||
if !hasPermission {
|
// if !hasPermission {
|
||||||
return Json(403, util.DynMap{"status": "Forbidden", "message": "Does not have access to this Dashboard ACL"})
|
// return Json(403, util.DynMap{"status": "Forbidden", "message": "Does not have access to this Dashboard ACL"})
|
||||||
}
|
// }
|
||||||
|
//
|
||||||
if err := bus.Dispatch(&cmd); err != nil {
|
// if err := bus.Dispatch(&cmd); err != nil {
|
||||||
return ApiError(500, "Failed to delete permission for user", err)
|
// return ApiError(500, "Failed to delete permission for user", err)
|
||||||
}
|
// }
|
||||||
|
|
||||||
return Json(200, "")
|
return Json(200, "")
|
||||||
}
|
}
|
||||||
|
|
||||||
func DeleteDashboardAclByUserGroup(c *middleware.Context) Response {
|
func DeleteDashboardAclByUserGroup(c *middleware.Context) Response {
|
||||||
dashboardId := c.ParamsInt64(":id")
|
// dashboardId := c.ParamsInt64(":id")
|
||||||
userGroupId := c.ParamsInt64(":userGroupId")
|
// userGroupId := c.ParamsInt64(":userGroupId")
|
||||||
cmd := m.RemoveDashboardPermissionCommand{DashboardId: dashboardId, UserGroupId: userGroupId, OrgId: c.OrgId}
|
// cmd := m.RemoveDashboardPermissionCommand{DashboardId: dashboardId, UserGroupId: userGroupId, OrgId: c.OrgId}
|
||||||
|
//
|
||||||
hasPermission, err := guardian.CanDeleteFromAcl(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
|
// hasPermission, err := guardian.CanDeleteFromAcl(dashboardId, c.OrgRole, c.IsGrafanaAdmin, c.OrgId, c.UserId)
|
||||||
if err != nil {
|
// if err != nil {
|
||||||
return ApiError(500, "Failed to delete from Dashboard ACL", err)
|
// return ApiError(500, "Failed to delete from Dashboard ACL", err)
|
||||||
}
|
// }
|
||||||
|
//
|
||||||
if !hasPermission {
|
// if !hasPermission {
|
||||||
return Json(403, util.DynMap{"status": "Forbidden", "message": "Does not have access to this Dashboard ACL"})
|
// return Json(403, util.DynMap{"status": "Forbidden", "message": "Does not have access to this Dashboard ACL"})
|
||||||
}
|
// }
|
||||||
|
//
|
||||||
if err := bus.Dispatch(&cmd); err != nil {
|
// if err := bus.Dispatch(&cmd); err != nil {
|
||||||
return ApiError(500, "Failed to delete permission for user", err)
|
// return ApiError(500, "Failed to delete permission for user", err)
|
||||||
}
|
// }
|
||||||
|
|
||||||
return Json(200, "")
|
return Json(200, "")
|
||||||
}
|
}
|
||||||
|
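Review bot: `DeleteDashboardAclByUser` and `DeleteDashboardAclByUserGroup` now have their whole bodies commented out, including the `guardian.CanDeleteFromAcl` check and `bus.Dispatch(&cmd)`, yet both still end in `return Json(200, "")`, so a caller is told the ACL entry was removed when nothing changed. Until the handlers are rebuilt on the new `DashboardGuardian`, they should return an explicit failure, for example `return ApiError(501, "Dashboard ACL delete is not implemented", nil)`. When the dispatch comes back, the permission check has to come back ahead of it in the same change, so that removal is never reachable without an authorization decision. The commented-out lines are better deleted than kept, since version control already holds the old implementation.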
@ -74,16 +74,21 @@ type AddOrUpdateDashboardPermissionCommand struct {
|
|||||||
|
|
||||||
type RemoveDashboardPermissionCommand struct {
|
type RemoveDashboardPermissionCommand struct {
|
||||||
DashboardId int64 `json:"dashboardId" binding:"Required"`
|
DashboardId int64 `json:"dashboardId" binding:"Required"`
|
||||||
OrgId int64 `json:"-"`
|
|
||||||
UserId int64 `json:"userId"`
|
UserId int64 `json:"userId"`
|
||||||
UserGroupId int64 `json:"userGroupId"`
|
UserGroupId int64 `json:"userGroupId"`
|
||||||
|
|
||||||
|
OrgId int64 `json:"-"`
|
||||||
}
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
// QUERIES
|
// QUERIES
|
||||||
//
|
//
|
||||||
|
|
||||||
type GetDashboardPermissionsQuery struct {
|
type GetDashboardPermissionsQuery struct {
|
||||||
DashboardId int64 `json:"dashboardId" binding:"Required"`
|
DashboardId int64
|
||||||
Result []*DashboardAclInfoDTO
|
Result []*DashboardAclInfoDTO
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type GetDashboardAclQuery struct {
|
||||||
|
DashboardId int64
|
||||||
|
Result []*DashboardAcl
|
||||||
|
}
|
||||||
|
@ -1,8 +1,6 @@
|
|||||||
package guardian
|
package guardian
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"github.com/grafana/grafana/pkg/bus"
|
"github.com/grafana/grafana/pkg/bus"
|
||||||
m "github.com/grafana/grafana/pkg/models"
|
m "github.com/grafana/grafana/pkg/models"
|
||||||
)
|
)
|
||||||
@ -22,7 +20,6 @@ func NewDashboardGuardian(dash *m.Dashboard, user *m.SignedInUser) *DashboardGua
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (g *DashboardGuardian) CanSave() (bool, error) {
|
func (g *DashboardGuardian) CanSave() (bool, error) {
|
||||||
fmt.Printf("user %v, %v", g.user.OrgRole, g.user.HasRole(m.ROLE_EDITOR))
|
|
||||||
if !g.dashboard.HasAcl {
|
if !g.dashboard.HasAcl {
|
||||||
return g.user.HasRole(m.ROLE_EDITOR), nil
|
return g.user.HasRole(m.ROLE_EDITOR), nil
|
||||||
}
|
}
|
||||||
|
@ -11,6 +11,7 @@ func init() {
|
|||||||
bus.AddHandler("sql", AddOrUpdateDashboardPermission)
|
bus.AddHandler("sql", AddOrUpdateDashboardPermission)
|
||||||
bus.AddHandler("sql", RemoveDashboardPermission)
|
bus.AddHandler("sql", RemoveDashboardPermission)
|
||||||
bus.AddHandler("sql", GetDashboardPermissions)
|
bus.AddHandler("sql", GetDashboardPermissions)
|
||||||
|
bus.AddHandler("sql", GetDashboardAcl)
|
||||||
}
|
}
|
||||||
|
|
||||||
func AddOrUpdateDashboardPermission(cmd *m.AddOrUpdateDashboardPermissionCommand) error {
|
func AddOrUpdateDashboardPermission(cmd *m.AddOrUpdateDashboardPermissionCommand) error {
|
||||||
@ -85,6 +86,28 @@ func RemoveDashboardPermission(cmd *m.RemoveDashboardPermissionCommand) error {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func GetDashboardAcl(query *m.GetDashboardAclQuery) error {
|
||||||
|
rawSQL := `SELECT
|
||||||
|
da.id,
|
||||||
|
da.org_id,
|
||||||
|
da.id,
|
||||||
|
da.dashboard_id,
|
||||||
|
da.user_id,
|
||||||
|
da.user_group_id,
|
||||||
|
da.permissions,
|
||||||
|
da.created,
|
||||||
|
da.updated,
|
||||||
|
FROM` + dialect.Quote("dashboard_acl") + ` as da
|
||||||
|
WHERE dashboard_id IN (
|
||||||
|
SELECT id FROM dashboard where id = ?
|
||||||
|
UNION
|
||||||
|
SELECT parent_id from dashboard where id = ?
|
||||||
|
)`
|
||||||
|
|
||||||
|
query.Result = make([]*m.DashboardAcl, 0)
|
||||||
|
return x.SQL(rawSQL, query.DashboardId).Find(&query.Result)
|
||||||
|
}
|
||||||
|
|
||||||
func GetDashboardPermissions(query *m.GetDashboardPermissionsQuery) error {
|
func GetDashboardPermissions(query *m.GetDashboardPermissionsQuery) error {
|
||||||
rawSQL := `SELECT
|
rawSQL := `SELECT
|
||||||
da.id,
|
da.id,
|
||||||
|
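Review bot: The new `GetDashboardAcl` query contains two `?` placeholders (one in each branch of the `UNION`) but `x.SQL(rawSQL, query.DashboardId)` binds only one value; it should read `return x.SQL(rawSQL, query.DashboardId, query.DashboardId).Find(&query.Result)`. The select list also ends with `da.updated,` directly before `FROM`, which is a syntax error, and `da.id` is listed twice. As rendered, `FROM` is concatenated with `dialect.Quote("dashboard_acl")` without a separating space; that may be a rendering artifact, but is worth checking. The query has no `org_id` filter and `GetDashboardAclQuery` carries no `OrgId`, so please confirm that the dashboard id alone is sufficient scope for an ACL lookup. None of the test hunks in this commit appear to call the new handler, and a query that presumably feeds the guardian's permission decision should have a test covering both the dashboard's own rows and the parent's rows.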
@ -76,12 +76,12 @@ func createUser(name string, role string, isAdmin bool) m.User {
|
|||||||
return currentUserCmd.Result
|
return currentUserCmd.Result
|
||||||
}
|
}
|
||||||
|
|
||||||
func updateTestDashboardWithAcl(dashId int64, userId int64, permissionType m.PermissionType) {
|
func updateTestDashboardWithAcl(dashId int64, userId int64, permission m.PermissionType) {
|
||||||
err := AddOrUpdateDashboardPermission(&m.AddOrUpdateDashboardPermissionCommand{
|
err := AddOrUpdateDashboardPermission(&m.AddOrUpdateDashboardPermissionCommand{
|
||||||
OrgId: 1,
|
OrgId: 1,
|
||||||
UserId: userId,
|
UserId: userId,
|
||||||
DashboardId: dashId,
|
DashboardId: dashId,
|
||||||
PermissionType: permissionType,
|
Permissions: permission,
|
||||||
})
|
})
|
||||||
So(err, ShouldBeNil)
|
So(err, ShouldBeNil)
|
||||||
}
|
}
|
||||||
|
@ -94,7 +94,7 @@ func TestUserGroupCommandsAndQueries(t *testing.T) {
|
|||||||
So(err, ShouldBeNil)
|
So(err, ShouldBeNil)
|
||||||
err = AddUserGroupMember(&m.AddUserGroupMemberCommand{OrgId: 1, UserGroupId: groupId, UserId: userIds[2]})
|
err = AddUserGroupMember(&m.AddUserGroupMemberCommand{OrgId: 1, UserGroupId: groupId, UserId: userIds[2]})
|
||||||
So(err, ShouldBeNil)
|
So(err, ShouldBeNil)
|
||||||
err = AddOrUpdateDashboardPermission(&m.AddOrUpdateDashboardPermissionCommand{DashboardId: 1, OrgId: 1, PermissionType: m.PERMISSION_EDIT, UserGroupId: groupId})
|
err = AddOrUpdateDashboardPermission(&m.AddOrUpdateDashboardPermissionCommand{DashboardId: 1, OrgId: 1, Permissions: m.PERMISSION_EDIT, UserGroupId: groupId})
|
||||||
|
|
||||||
err = DeleteUserGroup(&m.DeleteUserGroupCommand{Id: groupId})
|
err = DeleteUserGroup(&m.DeleteUserGroupCommand{Id: groupId})
|
||||||
So(err, ShouldBeNil)
|
So(err, ShouldBeNil)
|
||||||
|
@ -99,7 +99,7 @@ func TestUserDataAccess(t *testing.T) {
|
|||||||
err = AddOrgUser(&models.AddOrgUserCommand{LoginOrEmail: users[0].Login, Role: models.ROLE_VIEWER, OrgId: users[0].OrgId})
|
err = AddOrgUser(&models.AddOrgUserCommand{LoginOrEmail: users[0].Login, Role: models.ROLE_VIEWER, OrgId: users[0].OrgId})
|
||||||
So(err, ShouldBeNil)
|
So(err, ShouldBeNil)
|
||||||
|
|
||||||
err = AddOrUpdateDashboardPermission(&models.AddOrUpdateDashboardPermissionCommand{DashboardId: 1, OrgId: users[0].OrgId, UserId: users[0].Id, PermissionType: models.PERMISSION_EDIT})
|
err = AddOrUpdateDashboardPermission(&models.AddOrUpdateDashboardPermissionCommand{DashboardId: 1, OrgId: users[0].OrgId, UserId: users[0].Id, Permissions: models.PERMISSION_EDIT})
|
||||||
So(err, ShouldBeNil)
|
So(err, ShouldBeNil)
|
||||||
|
|
||||||
err = SavePreferences(&models.SavePreferencesCommand{UserId: users[0].Id, OrgId: users[0].OrgId, HomeDashboardId: 1, Theme: "dark"})
|
err = SavePreferences(&models.SavePreferencesCommand{UserId: users[0].Id, OrgId: users[0].OrgId, HomeDashboardId: 1, Theme: "dark"})
|
||||||
|