IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

only check dashboard scope in guardian and register resolver for tests (#50427)

Browse Source
This commit is contained in:
Karl Persson 2022-06-09 11:53:16 +02:00 committed by GitHub
parent fdf67276ea
commit bc87edb727
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
pkg/services/guardian/accesscontrol_guardian.go
View File

@ -44,7 +44,6 @@ type AccessControlDashboardGuardian struct {
log log.Logger log log.Logger
dashboardID int64 dashboardID int64
dashboard *models.Dashboard dashboard *models.Dashboard
parentFolderUID string
user *models.SignedInUser user *models.SignedInUser
store sqlstore.Store store sqlstore.Store
ac accesscontrol.AccessControl ac accesscontrol.AccessControl
@ -62,10 +61,9 @@ func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid))) return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
} }
return a.evaluate(accesscontrol.EvalAny( return a.evaluate(
accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), )
))
} }
func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) { func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
@ -80,10 +78,9 @@ func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid))) return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
} }
return a.evaluate(accesscontrol.EvalAny( return a.evaluate(
accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), )
))
} }
func (a *AccessControlDashboardGuardian) CanView() (bool, error) { func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
@ -95,10 +92,9 @@ func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid))) return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
} }
return a.evaluate(accesscontrol.EvalAny( return a.evaluate(
accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), )
))
} }
func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) { func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
@ -113,15 +109,9 @@ func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
)) ))
} }
return a.evaluate(accesscontrol.EvalAny( return a.evaluate(accesscontrol.EvalAll(
accesscontrol.EvalAll( accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
),
accesscontrol.EvalAll(
accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
),
)) ))
} }
@ -134,10 +124,9 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid))) return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
} }
return a.evaluate(accesscontrol.EvalAny( return a.evaluate(
accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), )
))
} }
func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool) (bool, error) { func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool) (bool, error) {
@ -269,13 +258,6 @@ func (a *AccessControlDashboardGuardian) loadDashboard() error {
if err := a.dashboardService.GetDashboard(a.ctx, query); err != nil { if err := a.dashboardService.GetDashboard(a.ctx, query); err != nil {
return err return err
} }
if !query.Result.IsFolder {
folder, err := a.loadParentFolder(query.Result.FolderId)
if err != nil {
return err
}
a.parentFolderUID = folder.Uid
}
a.dashboard = query.Result a.dashboard = query.Result
} }
return nil return nil

5
pkg/services/guardian/accesscontrol_guardian_test.go
View File

@ -587,14 +587,15 @@ func setupAccessControlGuardianTest(t *testing.T, uid string, permissions []*acc
toSave.SetUid(uid) toSave.SetUid(uid)
// seed dashboard // seed dashboard
dash, err := dashdb.ProvideDashboardStore(store).SaveDashboard(models.SaveDashboardCommand{ dashStore := dashdb.ProvideDashboardStore(store)
dash, err := dashStore.SaveDashboard(models.SaveDashboardCommand{
Dashboard: toSave.Data, Dashboard: toSave.Data,
UserId: 1, UserId: 1,
OrgId: 1, OrgId: 1,
FolderId: 0,
}) })
require.NoError(t, err) require.NoError(t, err)
ac := accesscontrolmock.New().WithPermissions(permissions) ac := accesscontrolmock.New().WithPermissions(permissions)
ac.RegisterScopeAttributeResolver(dashboards.NewDashboardUIDScopeResolver(dashStore))
license := licensingtest.NewFakeLicensing() license := licensingtest.NewFakeLicensing()
license.On("FeatureEnabled", "accesscontrol.enforcement").Return(true).Maybe() license.On("FeatureEnabled", "accesscontrol.enforcement").Return(true).Maybe()