RBAC: remove dashboard ACL logic from dash store and service (#78130)

remove dashboard ACL logic from dash store and service
2025-02-25 18:55:37 -06:00 · 2023-11-15 08:25:51 +00:00
parent 1a53a716e9
commit dd54931147
14 changed files with 27 additions and 926 deletions
--- a/pkg/services/team/teamimpl/store_test.go
+++ b/pkg/services/team/teamimpl/store_test.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"strings"
 	"testing"
-	"time"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -351,30 +350,6 @@ func TestIntegrationTeamCommandsAndQueries(t *testing.T) {
 				})
 			})

-			t.Run("Should be able to remove a group with users and permissions", func(t *testing.T) {
-				groupID := team2.ID
-				err := teamSvc.AddTeamMember(userIds[1], testOrgID, groupID, false, 0)
-				require.NoError(t, err)
-				err = teamSvc.AddTeamMember(userIds[2], testOrgID, groupID, false, 0)
-				require.NoError(t, err)
-				err = updateDashboardACL(t, sqlStore, 1, &dashboards.DashboardACL{
-					DashboardID: 1, OrgID: testOrgID, Permission: dashboards.PERMISSION_EDIT, TeamID: groupID,
-				})
-				require.NoError(t, err)
-				err = teamSvc.DeleteTeam(context.Background(), &team.DeleteTeamCommand{OrgID: testOrgID, ID: groupID})
-				require.NoError(t, err)
-
-				query := &team.GetTeamByIDQuery{OrgID: testOrgID, ID: groupID}
-				_, err = teamSvc.GetTeamByID(context.Background(), query)
-				require.Equal(t, err, team.ErrTeamNotFound)
-
-				permQuery := &dashboards.GetDashboardACLInfoListQuery{DashboardID: 1, OrgID: testOrgID}
-				permQueryResult, err := getDashboardACLInfoList(sqlStore, permQuery)
-				require.NoError(t, err)
-
-				require.Equal(t, len(permQueryResult), 0)
-			})
-
 			t.Run("Should not return hidden users in team member count", func(t *testing.T) {
 				sqlStore = db.InitTestDB(t)
 				setup()
@@ -646,123 +621,3 @@ func hasWildcardScope(user identity.Requester, action string) bool {
 	}
 	return false
 }
-
-// TODO: Use FakeDashboardStore when org has its own service
-func updateDashboardACL(t *testing.T, sqlStore *sqlstore.SQLStore, dashboardID int64, items ...*dashboards.DashboardACL) error {
-	t.Helper()
-
-	err := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
-		_, err := sess.Exec("DELETE FROM dashboard_acl WHERE dashboard_id=?", dashboardID)
-		if err != nil {
-			return fmt.Errorf("deleting from dashboard_acl failed: %w", err)
-		}
-
-		for _, item := range items {
-			item.Created = time.Now()
-			item.Updated = time.Now()
-			if item.UserID == 0 && item.TeamID == 0 && (item.Role == nil || !item.Role.IsValid()) {
-				return dashboards.ErrDashboardACLInfoMissing
-			}
-
-			if item.DashboardID == 0 {
-				return dashboards.ErrDashboardPermissionDashboardEmpty
-			}
-
-			sess.Nullable("user_id", "team_id")
-			if _, err := sess.Insert(item); err != nil {
-				return err
-			}
-		}
-
-		// Update dashboard HasACL flag
-		dashboard := dashboards.Dashboard{HasACL: true}
-		_, err = sess.Cols("has_acl").Where("id=?", dashboardID).Update(&dashboard)
-		return err
-	})
-	return err
-}
-
-// This function was copied from pkg/services/dashboards/database to circumvent
-// import cycles. When this org-related code is refactored into a service the
-// tests can the real GetDashboardACLInfoList functions
-func getDashboardACLInfoList(s *sqlstore.SQLStore, query *dashboards.GetDashboardACLInfoListQuery) ([]*dashboards.DashboardACLInfoDTO, error) {
-	queryResult := make([]*dashboards.DashboardACLInfoDTO, 0)
-	outerErr := s.WithDbSession(context.Background(), func(dbSession *db.Session) error {
-		falseStr := s.GetDialect().BooleanStr(false)
-
-		if query.DashboardID == 0 {
-			sql := `SELECT
-		da.id,
-		da.org_id,
-		da.dashboard_id,
-		da.user_id,
-		da.team_id,
-		da.permission,
-		da.role,
-		da.created,
-		da.updated,
-		'' as user_login,
-		'' as user_email,
-		'' as team,
-		'' as title,
-		'' as slug,
-		'' as uid,` +
-				falseStr + ` AS is_folder,` +
-				falseStr + ` AS inherited
-		FROM dashboard_acl as da
-		WHERE da.dashboard_id = -1`
-			return dbSession.SQL(sql).Find(&queryResult)
-		}
-
-		rawSQL := `
-			-- get permissions for the dashboard and its parent folder
-			SELECT
-				da.id,
-				da.org_id,
-				da.dashboard_id,
-				da.user_id,
-				da.team_id,
-				da.permission,
-				da.role,
-				da.created,
-				da.updated,
-				u.login AS user_login,
-				u.email AS user_email,
-				ug.name AS team,
-				ug.email AS team_email,
-				d.title,
-				d.slug,
-				d.uid,
-				d.is_folder,
-				CASE WHEN (da.dashboard_id = -1 AND d.folder_id > 0) OR da.dashboard_id = d.folder_id THEN ` + s.GetDialect().BooleanStr(true) + ` ELSE ` + falseStr + ` END AS inherited
-			FROM dashboard as d
-				LEFT JOIN dashboard folder on folder.id = d.folder_id
-				LEFT JOIN dashboard_acl AS da ON
-				da.dashboard_id = d.id OR
-				da.dashboard_id = d.folder_id OR
-				(
-					-- include default permissions -->
-					da.org_id = -1 AND (
-					  (folder.id IS NOT NULL AND folder.has_acl = ` + falseStr + `) OR
-					  (folder.id IS NULL AND d.has_acl = ` + falseStr + `)
-					)
-				)
-				LEFT JOIN ` + s.GetDialect().Quote("user") + ` AS u ON u.id = da.user_id
-				LEFT JOIN team ug on ug.id = da.team_id
-			WHERE d.org_id = ? AND d.id = ? AND da.id IS NOT NULL
-			ORDER BY da.id ASC
-			`
-
-		return dbSession.SQL(rawSQL, query.OrgID, query.DashboardID).Find(&queryResult)
-	})
-
-	if outerErr != nil {
-		return nil, outerErr
-	}
-
-	for _, p := range queryResult {
-		p.PermissionName = p.Permission.String()
-	}
-
-	return queryResult, nil
-}