Identity: Port snapshots and annotations to Requester (#76103)

* Port snapshots to Requester * Port annotations to Requester
2025-02-25 18:55:37 -06:00 · 2023-10-06 11:59:48 +02:00
parent 342af2d078
commit c4874f97f8
5 changed files with 28 additions and 15 deletions
--- a/pkg/services/annotations/annotationsimpl/xorm_store.go
+++ b/pkg/services/annotations/annotationsimpl/xorm_store.go
@@ -12,13 +12,13 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/annotations"
+	"github.com/grafana/grafana/pkg/services/auth/identity"
 	"github.com/grafana/grafana/pkg/services/dashboards"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
 	"github.com/grafana/grafana/pkg/services/sqlstore/permissions"
 	"github.com/grafana/grafana/pkg/services/sqlstore/searchstore"
 	"github.com/grafana/grafana/pkg/services/tag"
-	"github.com/grafana/grafana/pkg/services/user"
 	"github.com/grafana/grafana/pkg/setting"
 )

@@ -378,14 +378,15 @@ type acFilter struct {
 	recParams   []interface{}
 }

-func (r *xormRepositoryImpl) getAccessControlFilter(user *user.SignedInUser) (acFilter, error) {
+func (r *xormRepositoryImpl) getAccessControlFilter(user identity.Requester) (acFilter, error) {
 	var recQueries string
 	var recQueriesParams []interface{}

-	if user == nil || user.Permissions[user.OrgID] == nil {
+	if user == nil || user.IsNil() {
 		return acFilter{}, errors.New("missing permissions")
 	}
-	scopes, has := user.Permissions[user.OrgID][ac.ActionAnnotationsRead]
+
+	scopes, has := user.GetPermissions()[ac.ActionAnnotationsRead]
 	if !has {
 		return acFilter{}, errors.New("missing permissions")
 	}
--- a/pkg/services/annotations/models.go
+++ b/pkg/services/annotations/models.go
@@ -2,7 +2,7 @@ package annotations

 import (
 	"github.com/grafana/grafana/pkg/components/simplejson"
-	"github.com/grafana/grafana/pkg/services/user"
+	"github.com/grafana/grafana/pkg/services/auth/identity"
 )

 type ItemQuery struct {
@@ -18,7 +18,7 @@ type ItemQuery struct {
 	Tags         []string `json:"tags"`
 	Type         string   `json:"type"`
 	MatchAny     bool     `json:"matchAny"`
-	SignedInUser *user.SignedInUser
+	SignedInUser identity.Requester

 	Limit int64 `json:"limit"`
 }
--- a/pkg/services/dashboardsnapshots/database/database.go
+++ b/pkg/services/dashboardsnapshots/database/database.go
@@ -7,6 +7,7 @@ import (
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/infra/db"
 	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/services/auth/identity"
 	"github.com/grafana/grafana/pkg/services/dashboardsnapshots"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/setting"
@@ -124,12 +125,23 @@ func (d *DashboardSnapshotStore) SearchDashboardSnapshots(ctx context.Context, q
 			sess.Where("name LIKE ?", query.Name)
 		}

+		namespace, id := query.SignedInUser.GetNamespacedID()
+		var userID int64
+		switch namespace {
+		case identity.NamespaceServiceAccount, identity.NamespaceUser:
+			var err error
+			userID, err = identity.IntIdentifier(namespace, id)
+			if err != nil {
+				return err
+			}
+		}
+
 		// admins can see all snapshots, everyone else can only see their own snapshots
 		switch {
-		case query.SignedInUser.OrgRole == org.RoleAdmin:
-			sess.Where("org_id = ?", query.OrgID)
-		case !query.SignedInUser.IsAnonymous:
-			sess.Where("org_id = ? AND user_id = ?", query.OrgID, query.SignedInUser.UserID)
+		case query.SignedInUser.GetOrgRole() == org.RoleAdmin:
+			sess.Where("org_id = ?", query.SignedInUser.GetOrgID())
+		case namespace != identity.NamespaceAnonymous:
+			sess.Where("org_id = ? AND user_id = ?", query.OrgID, userID)
 		default:
 			queryResult = snapshots
 			return nil
--- a/pkg/services/dashboardsnapshots/database/database_test.go
+++ b/pkg/services/dashboardsnapshots/database/database_test.go
@@ -72,7 +72,7 @@ func TestIntegrationDashboardSnapshotDBAccess(t *testing.T) {
 		t.Run("And the user has the admin role", func(t *testing.T) {
 			query := dashboardsnapshots.GetDashboardSnapshotsQuery{
 				OrgID:        1,
-				SignedInUser: &user.SignedInUser{OrgRole: org.RoleAdmin},
+				SignedInUser: &user.SignedInUser{OrgRole: org.RoleAdmin, UserID: 1000, OrgID: 1},
 			}
 			queryResult, err := dashStore.SearchDashboardSnapshots(context.Background(), &query)
 			require.NoError(t, err)
@@ -168,7 +168,7 @@ func TestIntegrationDeleteExpiredSnapshots(t *testing.T) {

 		query := dashboardsnapshots.GetDashboardSnapshotsQuery{
 			OrgID:        1,
-			SignedInUser: &user.SignedInUser{OrgRole: org.RoleAdmin},
+			SignedInUser: &user.SignedInUser{OrgRole: org.RoleAdmin, UserID: 1000, OrgID: 1},
 		}
 		queryResult, err := dashStore.SearchDashboardSnapshots(context.Background(), &query)
 		require.NoError(t, err)
@@ -181,7 +181,7 @@ func TestIntegrationDeleteExpiredSnapshots(t *testing.T) {

 		query = dashboardsnapshots.GetDashboardSnapshotsQuery{
 			OrgID:        1,
-			SignedInUser: &user.SignedInUser{OrgRole: org.RoleAdmin},
+			SignedInUser: &user.SignedInUser{OrgRole: org.RoleAdmin, UserID: 1000, OrgID: 1},
 		}
 		queryResult, err = dashStore.SearchDashboardSnapshots(context.Background(), &query)
 		require.NoError(t, err)
--- a/pkg/services/dashboardsnapshots/models.go
+++ b/pkg/services/dashboardsnapshots/models.go
@@ -4,7 +4,7 @@ import (
 	"time"

 	"github.com/grafana/grafana/pkg/components/simplejson"
-	"github.com/grafana/grafana/pkg/services/user"
+	"github.com/grafana/grafana/pkg/services/auth/identity"
 )

 // DashboardSnapshot model
@@ -98,5 +98,5 @@ type GetDashboardSnapshotsQuery struct {
 	Name         string
 	Limit        int
 	OrgID        int64
-	SignedInUser *user.SignedInUser
+	SignedInUser identity.Requester
 }