Auth: Lock down Grafana admin role updates if the role is externally synced (#72677)

* lock down server admin role updates on the frontend if the user is externally synced * add tests * lock Grafana Server admin role updates from the backend * rename variables * check that the user has auth info * add LDAP to providers for which Grafana Server admin role can be synced * linting
2025-02-25 18:55:37 -06:00 · 2023-08-01 16:39:08 +01:00
parent d28bb03ebc
commit d3b481dac8
9 changed files with 300 additions and 18 deletions
--- a/pkg/services/user/model.go
+++ b/pkg/services/user/model.go
@@ -142,21 +142,22 @@ type GetUserProfileQuery struct {
 }

 type UserProfileDTO struct {
-	ID                 int64           `json:"id"`
-	Email              string          `json:"email"`
-	Name               string          `json:"name"`
-	Login              string          `json:"login"`
-	Theme              string          `json:"theme"`
-	OrgID              int64           `json:"orgId,omitempty"`
-	IsGrafanaAdmin     bool            `json:"isGrafanaAdmin"`
-	IsDisabled         bool            `json:"isDisabled"`
-	IsExternal         bool            `json:"isExternal"`
-	IsExternallySynced bool            `json:"isExternallySynced"`
-	AuthLabels         []string        `json:"authLabels"`
-	UpdatedAt          time.Time       `json:"updatedAt"`
-	CreatedAt          time.Time       `json:"createdAt"`
-	AvatarURL          string          `json:"avatarUrl"`
-	AccessControl      map[string]bool `json:"accessControl,omitempty"`
+	ID                             int64           `json:"id"`
+	Email                          string          `json:"email"`
+	Name                           string          `json:"name"`
+	Login                          string          `json:"login"`
+	Theme                          string          `json:"theme"`
+	OrgID                          int64           `json:"orgId,omitempty"`
+	IsGrafanaAdmin                 bool            `json:"isGrafanaAdmin"`
+	IsDisabled                     bool            `json:"isDisabled"`
+	IsExternal                     bool            `json:"isExternal"`
+	IsExternallySynced             bool            `json:"isExternallySynced"`
+	IsGrafanaAdminExternallySynced bool            `json:"isGrafanaAdminExternallySynced"`
+	AuthLabels                     []string        `json:"authLabels"`
+	UpdatedAt                      time.Time       `json:"updatedAt"`
+	CreatedAt                      time.Time       `json:"createdAt"`
+	AvatarURL                      string          `json:"avatarUrl"`
+	AccessControl                  map[string]bool `json:"accessControl,omitempty"`
 }

 // implement Conversion interface to define custom field mapping (xorm feature)