Team: Create permission type for team membership (#92352)
* Create permission type enum for team and remove usage of dashboard permission type
@@ -31,7 +31,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
|
||||
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/database"
|
||||
dashboardservice "github.com/grafana/grafana/pkg/services/dashboards/service"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
@@ -261,7 +260,7 @@ func setupDB(b testing.TB) benchScenario {
|
||||
UserID: userID,
|
||||
TeamID: teamID,
|
||||
OrgID: orgID,
|
||||
Permission: dashboardaccess.PERMISSION_VIEW,
|
||||
Permission: team.PermissionTypeMember,
|
||||
Created: now,
|
||||
Updated: now,
|
||||
})
|
||||
|
||||
@@ -17,7 +17,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/database"
|
||||
rs "github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/org"
|
||||
"github.com/grafana/grafana/pkg/services/org/orgimpl"
|
||||
@@ -403,15 +402,15 @@ func createUserAndTeam(t *testing.T, store db.DB, userSrv user.Service, teamSvc
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
team, err := teamSvc.CreateTeam(context.Background(), "team", "", orgID)
|
||||
createdTeam, err := teamSvc.CreateTeam(context.Background(), "team", "", orgID)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = store.WithDbSession(context.Background(), func(sess *db.Session) error {
|
||||
return teamimpl.AddOrUpdateTeamMemberHook(sess, user.ID, orgID, team.ID, false, dashboardaccess.PERMISSION_VIEW)
|
||||
return teamimpl.AddOrUpdateTeamMemberHook(sess, user.ID, orgID, createdTeam.ID, false, team.PermissionTypeMember)
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
return user, team
|
||||
return user, createdTeam
|
||||
}
|
||||
|
||||
type helperServices struct {
|
||||
@@ -453,11 +452,11 @@ func createUsersAndTeams(t *testing.T, store db.DB, svcs helperServices, orgID i
|
||||
continue
|
||||
}
|
||||
|
||||
team, err := svcs.teamSvc.CreateTeam(context.Background(), fmt.Sprintf("team%v", i+1), "", orgID)
|
||||
createdTeam, err := svcs.teamSvc.CreateTeam(context.Background(), fmt.Sprintf("team%v", i+1), "", orgID)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = store.WithDbSession(context.Background(), func(sess *db.Session) error {
|
||||
return teamimpl.AddOrUpdateTeamMemberHook(sess, user.ID, orgID, team.ID, false, dashboardaccess.PERMISSION_VIEW)
|
||||
return teamimpl.AddOrUpdateTeamMemberHook(sess, user.ID, orgID, createdTeam.ID, false, team.PermissionTypeMember)
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
@@ -465,7 +464,7 @@ func createUsersAndTeams(t *testing.T, store db.DB, svcs helperServices, orgID i
|
||||
&org.UpdateOrgUserCommand{Role: users[i].orgRole, OrgID: orgID, UserID: user.ID})
|
||||
require.NoError(t, err)
|
||||
|
||||
res = append(res, dbUser{userID: user.ID, teamID: team.ID})
|
||||
res = append(res, dbUser{userID: user.ID, teamID: createdTeam.ID})
|
||||
}
|
||||
|
||||
return res
|
||||
|
||||
@@ -9,7 +9,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/infra/db"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/licensing"
|
||||
"github.com/grafana/grafana/pkg/services/team"
|
||||
@@ -83,9 +82,9 @@ func ProvideTeamPermissions(
|
||||
}
|
||||
switch permission {
|
||||
case "Member":
|
||||
return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, 0)
|
||||
return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, team.PermissionTypeMember)
|
||||
case "Admin":
|
||||
return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, dashboardaccess.PERMISSION_ADMIN)
|
||||
return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, team.PermissionTypeAdmin)
|
||||
case "":
|
||||
return teamimpl.RemoveTeamMemberHook(session, &team.RemoveTeamMemberCommand{
|
||||
OrgID: orgID,
|
||||
|
||||
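Review bot: The `case "Member":` and `case "Admin":` labels in ProvideTeamPermissions are bare string literals that have to match what `team.PermissionTypeMember.String()` and `team.PermissionTypeAdmin.String()` return, and this commit removes the `team.MemberPermissionName` / `team.AdminPermissionName` constants that used to name those strings. Writing the labels as `case team.PermissionTypeMember.String():` and `case team.PermissionTypeAdmin.String():` would keep the name-to-level mapping in one place, so a later rename cannot quietly stop a grant from matching. The switch continues past the end of the hunk, so what happens to an unmatched string is not visible here.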
@@ -8,7 +8,6 @@ import (
|
||||
"xorm.io/xorm"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/org"
|
||||
"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
|
||||
"github.com/grafana/grafana/pkg/services/team"
|
||||
@@ -64,12 +63,12 @@ func (p *teamPermissionMigrator) setRolePermissions(roleID int64, permissions []
|
||||
}
|
||||
|
||||
// mapPermissionToRBAC translates the legacy membership (Member or Admin) into RBAC permissions
|
||||
func (p *teamPermissionMigrator) mapPermissionToRBAC(permission dashboardaccess.PermissionType, teamID int64) []accesscontrol.Permission {
|
||||
func (p *teamPermissionMigrator) mapPermissionToRBAC(permission team.PermissionType, teamID int64) []accesscontrol.Permission {
|
||||
teamIDScope := accesscontrol.Scope("teams", "id", strconv.FormatInt(teamID, 10))
|
||||
switch permission {
|
||||
case 0:
|
||||
case team.PermissionTypeMember:
|
||||
return []accesscontrol.Permission{{Action: "teams:read", Scope: teamIDScope}}
|
||||
case dashboardaccess.PERMISSION_ADMIN:
|
||||
case team.PermissionTypeAdmin:
|
||||
return []accesscontrol.Permission{
|
||||
{Action: "teams:delete", Scope: teamIDScope},
|
||||
{Action: "teams:read", Scope: teamIDScope},
|
||||
@@ -210,7 +209,7 @@ func (p *teamPermissionMigrator) generateAssociatedPermissions(teamMemberships [
|
||||
// Downgrade team permissions if needed:
|
||||
// only admins or editors (when editorsCanAdmin option is enabled)
|
||||
// can access team administration endpoints
|
||||
if m.Permission == dashboardaccess.PERMISSION_ADMIN {
|
||||
if m.Permission == team.PermissionTypeAdmin {
|
||||
if userRolesByOrg[m.OrgID][m.UserID] == string(org.RoleViewer) || (userRolesByOrg[m.OrgID][m.UserID] == string(org.RoleEditor) && !p.editorsCanAdmin) {
|
||||
m.Permission = 0
|
||||
|
||||
|
||||
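Review bot: The downgrade branch in generateAssociatedPermissions still assigns a bare literal, `m.Permission = 0`, although the comparison just above it was moved to `team.PermissionTypeAdmin`. This line decides what a viewer, or an editor without editorsCanAdmin, is left with after the migration, so it should name the level it means: `m.Permission = team.PermissionTypeMember`. It compiles either way because the untyped 0 converts to the new type, which is why the type change did not surface it. The function continues outside the hunk.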
@@ -12,7 +12,6 @@ import (
|
||||
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/org"
|
||||
"github.com/grafana/grafana/pkg/services/sqlstore/migrations"
|
||||
@@ -328,7 +327,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
|
||||
TeamID: 1,
|
||||
UserID: 1,
|
||||
External: false,
|
||||
Permission: 0,
|
||||
Permission: team.PermissionTypeMember,
|
||||
Created: now,
|
||||
Updated: now,
|
||||
},
|
||||
@@ -338,7 +337,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
|
||||
TeamID: 1,
|
||||
UserID: 2,
|
||||
External: false,
|
||||
Permission: dashboardaccess.PERMISSION_ADMIN,
|
||||
Permission: team.PermissionTypeAdmin,
|
||||
Created: now,
|
||||
Updated: now,
|
||||
},
|
||||
@@ -348,7 +347,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
|
||||
TeamID: 1,
|
||||
UserID: 3,
|
||||
External: false,
|
||||
Permission: dashboardaccess.PERMISSION_ADMIN,
|
||||
Permission: team.PermissionTypeAdmin,
|
||||
Created: now,
|
||||
Updated: now,
|
||||
},
|
||||
@@ -358,7 +357,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
|
||||
TeamID: 1,
|
||||
UserID: 4,
|
||||
External: false,
|
||||
Permission: dashboardaccess.PERMISSION_ADMIN,
|
||||
Permission: team.PermissionTypeAdmin,
|
||||
Created: now,
|
||||
Updated: now,
|
||||
},
|
||||
@@ -368,7 +367,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
|
||||
TeamID: 2,
|
||||
UserID: 5,
|
||||
External: false,
|
||||
Permission: 0,
|
||||
Permission: team.PermissionTypeMember,
|
||||
Created: now,
|
||||
Updated: now,
|
||||
},
|
||||
|
||||
@@ -5,7 +5,6 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/search/model"
|
||||
)
|
||||
|
||||
@@ -21,9 +20,6 @@ var (
|
||||
ErrTeamMemberAlreadyAdded = errors.New("user is already added to this team")
|
||||
)
|
||||
|
||||
const MemberPermissionName = "Member"
|
||||
const AdminPermissionName = "Admin"
|
||||
|
||||
// Team model
|
||||
type Team struct {
|
||||
ID int64 `json:"id" xorm:"pk autoincr 'id'"`
|
||||
@@ -91,15 +87,29 @@ type SearchTeamsQuery struct {
|
||||
}
|
||||
|
||||
type TeamDTO struct {
|
||||
ID int64 `json:"id" xorm:"id"`
|
||||
UID string `json:"uid" xorm:"uid"`
|
||||
OrgID int64 `json:"orgId" xorm:"org_id"`
|
||||
Name string `json:"name"`
|
||||
Email string `json:"email"`
|
||||
AvatarURL string `json:"avatarUrl"`
|
||||
MemberCount int64 `json:"memberCount"`
|
||||
Permission dashboardaccess.PermissionType `json:"permission"`
|
||||
AccessControl map[string]bool `json:"accessControl"`
|
||||
ID int64 `json:"id" xorm:"id"`
|
||||
UID string `json:"uid" xorm:"uid"`
|
||||
OrgID int64 `json:"orgId" xorm:"org_id"`
|
||||
Name string `json:"name"`
|
||||
Email string `json:"email"`
|
||||
AvatarURL string `json:"avatarUrl"`
|
||||
MemberCount int64 `json:"memberCount"`
|
||||
Permission PermissionType `json:"permission"`
|
||||
AccessControl map[string]bool `json:"accessControl"`
|
||||
}
|
||||
|
||||
type PermissionType int
|
||||
|
||||
const (
|
||||
PermissionTypeMember PermissionType = 0
|
||||
PermissionTypeAdmin PermissionType = 4
|
||||
)
|
||||
|
||||
func (p PermissionType) String() string {
|
||||
if p == PermissionTypeAdmin {
|
||||
return "Admin"
|
||||
}
|
||||
return "Member"
|
||||
}
|
||||
|
||||
type SearchTeamQueryResult struct {
|
||||
@@ -116,7 +126,7 @@ type TeamMember struct {
|
||||
TeamID int64 `xorm:"team_id"`
|
||||
UserID int64 `xorm:"user_id"`
|
||||
External bool // Signals that the membership has been created by an external systems, such as LDAP
|
||||
Permission dashboardaccess.PermissionType
|
||||
Permission PermissionType
|
||||
|
||||
Created time.Time
|
||||
Updated time.Time
|
||||
@@ -126,12 +136,12 @@ type TeamMember struct {
|
||||
// COMMANDS
|
||||
|
||||
type AddTeamMemberCommand struct {
|
||||
UserID int64 `json:"userId" binding:"Required"`
|
||||
Permission dashboardaccess.PermissionType `json:"-"`
|
||||
UserID int64 `json:"userId" binding:"Required"`
|
||||
Permission PermissionType `json:"-"`
|
||||
}
|
||||
|
||||
type UpdateTeamMemberCommand struct {
|
||||
Permission dashboardaccess.PermissionType `json:"permission"`
|
||||
Permission PermissionType `json:"permission"`
|
||||
}
|
||||
|
||||
type SetTeamMembershipsCommand struct {
|
||||
@@ -161,16 +171,16 @@ type GetTeamMembersQuery struct {
|
||||
// Projections and DTOs
|
||||
|
||||
type TeamMemberDTO struct {
|
||||
OrgID int64 `json:"orgId" xorm:"org_id"`
|
||||
TeamID int64 `json:"teamId" xorm:"team_id"`
|
||||
TeamUID string `json:"teamUID" xorm:"uid"`
|
||||
UserID int64 `json:"userId" xorm:"user_id"`
|
||||
External bool `json:"-"`
|
||||
AuthModule string `json:"auth_module"`
|
||||
Email string `json:"email"`
|
||||
Name string `json:"name"`
|
||||
Login string `json:"login"`
|
||||
AvatarURL string `json:"avatarUrl" xorm:"avatar_url"`
|
||||
Labels []string `json:"labels"`
|
||||
Permission dashboardaccess.PermissionType `json:"permission"`
|
||||
OrgID int64 `json:"orgId" xorm:"org_id"`
|
||||
TeamID int64 `json:"teamId" xorm:"team_id"`
|
||||
TeamUID string `json:"teamUID" xorm:"uid"`
|
||||
UserID int64 `json:"userId" xorm:"user_id"`
|
||||
External bool `json:"-"`
|
||||
AuthModule string `json:"auth_module"`
|
||||
Email string `json:"email"`
|
||||
Name string `json:"name"`
|
||||
Login string `json:"login"`
|
||||
AvatarURL string `json:"avatarUrl" xorm:"avatar_url"`
|
||||
Labels []string `json:"labels"`
|
||||
Permission PermissionType `json:"permission"`
|
||||
}
|
||||
|
||||
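Review bot: `PermissionType.String()` returns "Member" for every value other than `PermissionTypeAdmin`, so an unrecognised number becomes indistinguishable from a real member once it is turned into a name. `UpdateTeamMemberCommand.Permission` is decoded from the request body (`json:"permission"`), and the updateTeamMember handler changed later in this commit passes `cmd.Permission.String()` straight to the permission service, so a request carrying an out-of-range value is handled as a request for Member. If that downgrade is intended, state it in a doc comment on `String()`; otherwise add a validity check such as `func (p PermissionType) IsValid() bool { return p == PermissionTypeMember || p == PermissionTypeAdmin }` and have the handler reject the request when it fails. The exported type and its two constants also carry no doc comments; one line saying that 0 and 4 are kept because they are presumably the values already stored for team members would explain why Admin is not 1.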
@@ -12,7 +12,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/login"
|
||||
"github.com/grafana/grafana/pkg/services/team"
|
||||
"github.com/grafana/grafana/pkg/services/user"
|
||||
@@ -92,7 +91,10 @@ func (tapi *TeamAPI) addTeamMember(c *contextmodel.ReqContext) response.Response
|
||||
return response.Error(http.StatusBadRequest, "User is already added to this team", nil)
|
||||
}
|
||||
|
||||
err = addOrUpdateTeamMember(c.Req.Context(), tapi.teamPermissionsService, cmd.UserID, c.SignedInUser.GetOrgID(), teamID, team.MemberPermissionName)
|
||||
err = addOrUpdateTeamMember(
|
||||
c.Req.Context(), tapi.teamPermissionsService,
|
||||
cmd.UserID, c.SignedInUser.GetOrgID(), teamID, team.PermissionTypeMember.String(),
|
||||
)
|
||||
if err != nil {
|
||||
return response.Error(http.StatusInternalServerError, "Failed to add Member to Team", err)
|
||||
}
|
||||
@@ -135,7 +137,7 @@ func (tapi *TeamAPI) updateTeamMember(c *contextmodel.ReqContext) response.Respo
|
||||
return response.Error(http.StatusNotFound, "Team member not found.", nil)
|
||||
}
|
||||
|
||||
err = addOrUpdateTeamMember(c.Req.Context(), tapi.teamPermissionsService, userId, orgId, teamId, getPermissionName(cmd.Permission))
|
||||
err = addOrUpdateTeamMember(c.Req.Context(), tapi.teamPermissionsService, userId, orgId, teamId, cmd.Permission.String())
|
||||
if err != nil {
|
||||
return response.Error(http.StatusInternalServerError, "Failed to update team member.", err)
|
||||
}
|
||||
@@ -202,13 +204,13 @@ func (tapi *TeamAPI) getTeamMembershipUpdates(ctx context.Context, orgID, teamID
|
||||
membersToRemove := make([]int64, 0)
|
||||
for _, member := range currentMemberships {
|
||||
if _, ok := adminEmails[member.Email]; ok {
|
||||
if getPermissionName(member.Permission) == team.AdminPermissionName {
|
||||
if member.Permission == team.PermissionTypeAdmin {
|
||||
delete(adminEmails, member.Email)
|
||||
}
|
||||
continue
|
||||
}
|
||||
if _, ok := memberEmails[member.Email]; ok {
|
||||
if getPermissionName(member.Permission) == team.MemberPermissionName {
|
||||
if member.Permission == team.PermissionTypeMember {
|
||||
delete(memberEmails, member.Email)
|
||||
}
|
||||
continue
|
||||
@@ -227,10 +229,10 @@ func (tapi *TeamAPI) getTeamMembershipUpdates(ctx context.Context, orgID, teamID
|
||||
|
||||
teamMemberships := make([]accesscontrol.SetResourcePermissionCommand, 0, len(adminIDs)+len(memberIDs)+len(membersToRemove))
|
||||
for _, admin := range adminIDs {
|
||||
teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: team.AdminPermissionName, UserID: admin})
|
||||
teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: team.PermissionTypeAdmin.String(), UserID: admin})
|
||||
}
|
||||
for _, member := range memberIDs {
|
||||
teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: team.MemberPermissionName, UserID: member})
|
||||
teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: team.PermissionTypeMember.String(), UserID: member})
|
||||
}
|
||||
for _, member := range membersToRemove {
|
||||
teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: "", UserID: member})
|
||||
@@ -252,16 +254,6 @@ func (tapi *TeamAPI) getUserIDs(ctx context.Context, emails map[string]struct{})
|
||||
return userIDs, nil
|
||||
}
|
||||
|
||||
func getPermissionName(permission dashboardaccess.PermissionType) string {
|
||||
permissionName := permission.String()
|
||||
// Team member permission is 0, which maps to an empty string.
|
||||
// However, we want the team permission service to display "Member" for team members. This is a hack to make it work.
|
||||
if permissionName == "" {
|
||||
permissionName = team.MemberPermissionName
|
||||
}
|
||||
return permissionName
|
||||
}
|
||||
|
||||
// swagger:route DELETE /teams/{team_id}/members/{user_id} teams removeTeamMember
|
||||
//
|
||||
// Remove Member From Team.
|
||||
|
||||
@@ -16,7 +16,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
|
||||
"github.com/grafana/grafana/pkg/services/authz/zanzana"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/licensing"
|
||||
"github.com/grafana/grafana/pkg/services/org"
|
||||
@@ -178,9 +177,9 @@ func Test_getTeamMembershipUpdates(t *testing.T) {
|
||||
Admins: []string{"user3"},
|
||||
},
|
||||
expectedUpdates: []accesscontrol.SetResourcePermissionCommand{
|
||||
{UserID: 1, Permission: team.MemberPermissionName},
|
||||
{UserID: 2, Permission: team.MemberPermissionName},
|
||||
{UserID: 3, Permission: team.AdminPermissionName},
|
||||
{UserID: 1, Permission: team.PermissionTypeMember.String()},
|
||||
{UserID: 2, Permission: team.PermissionTypeMember.String()},
|
||||
{UserID: 3, Permission: team.PermissionTypeAdmin.String()},
|
||||
},
|
||||
},
|
||||
{
|
||||
@@ -190,11 +189,11 @@ func Test_getTeamMembershipUpdates(t *testing.T) {
|
||||
Admins: []string{"user3"},
|
||||
},
|
||||
currentMembers: []*team.TeamMemberDTO{
|
||||
{Email: "user1", Permission: 0},
|
||||
{Email: "user3", Permission: dashboardaccess.PERMISSION_ADMIN},
|
||||
{Email: "user1", Permission: team.PermissionTypeMember},
|
||||
{Email: "user3", Permission: team.PermissionTypeAdmin},
|
||||
},
|
||||
expectedUpdates: []accesscontrol.SetResourcePermissionCommand{
|
||||
{UserID: 2, Permission: team.MemberPermissionName},
|
||||
{UserID: 2, Permission: team.PermissionTypeMember.String()},
|
||||
},
|
||||
},
|
||||
{
|
||||
@@ -204,13 +203,13 @@ func Test_getTeamMembershipUpdates(t *testing.T) {
|
||||
Admins: []string{"user3"},
|
||||
},
|
||||
currentMembers: []*team.TeamMemberDTO{
|
||||
{Email: "user1", Permission: 0},
|
||||
{Email: "user2", Permission: dashboardaccess.PERMISSION_ADMIN},
|
||||
{Email: "user3", Permission: 0},
|
||||
{Email: "user1", Permission: team.PermissionTypeMember},
|
||||
{Email: "user2", Permission: team.PermissionTypeAdmin},
|
||||
{Email: "user3", Permission: team.PermissionTypeMember},
|
||||
},
|
||||
expectedUpdates: []accesscontrol.SetResourcePermissionCommand{
|
||||
{UserID: 2, Permission: team.MemberPermissionName},
|
||||
{UserID: 3, Permission: team.AdminPermissionName},
|
||||
{UserID: 2, Permission: team.PermissionTypeMember.String()},
|
||||
{UserID: 3, Permission: team.PermissionTypeAdmin.String()},
|
||||
},
|
||||
},
|
||||
{
|
||||
@@ -220,10 +219,10 @@ func Test_getTeamMembershipUpdates(t *testing.T) {
|
||||
Admins: []string{"user3"},
|
||||
},
|
||||
currentMembers: []*team.TeamMemberDTO{
|
||||
{Email: "user1", UserID: 1, Permission: 0},
|
||||
{Email: "user2", UserID: 2, Permission: 0},
|
||||
{Email: "user3", UserID: 3, Permission: dashboardaccess.PERMISSION_ADMIN},
|
||||
{Email: "user4", UserID: 4, Permission: dashboardaccess.PERMISSION_ADMIN},
|
||||
{Email: "user1", UserID: 1, Permission: team.PermissionTypeMember},
|
||||
{Email: "user2", UserID: 2, Permission: team.PermissionTypeMember},
|
||||
{Email: "user3", UserID: 3, Permission: team.PermissionTypeAdmin},
|
||||
{Email: "user4", UserID: 4, Permission: team.PermissionTypeAdmin},
|
||||
},
|
||||
expectedUpdates: []accesscontrol.SetResourcePermissionCommand{
|
||||
{UserID: 2, Permission: ""},
|
||||
|
||||
@@ -10,7 +10,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
||||
"github.com/grafana/grafana/pkg/infra/db"
|
||||
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/team"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
@@ -385,7 +384,7 @@ func isTeamMember(sess *db.Session, orgId int64, teamId int64, userId int64) (bo
|
||||
|
||||
// AddOrUpdateTeamMemberHook is called from team resource permission service
|
||||
// it adds user to a team or updates user permissions in a team within the given transaction session
|
||||
func AddOrUpdateTeamMemberHook(sess *db.Session, userID, orgID, teamID int64, isExternal bool, permission dashboardaccess.PermissionType) error {
|
||||
func AddOrUpdateTeamMemberHook(sess *db.Session, userID, orgID, teamID int64, isExternal bool, permission team.PermissionType) error {
|
||||
isMember, err := isTeamMember(sess, orgID, teamID, userID)
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -400,7 +399,7 @@ func AddOrUpdateTeamMemberHook(sess *db.Session, userID, orgID, teamID int64, is
|
||||
return err
|
||||
}
|
||||
|
||||
func addTeamMember(sess *db.Session, orgID, teamID, userID int64, isExternal bool, permission dashboardaccess.PermissionType) error {
|
||||
func addTeamMember(sess *db.Session, orgID, teamID, userID int64, isExternal bool, permission team.PermissionType) error {
|
||||
if _, err := teamExists(orgID, teamID, sess); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -419,14 +418,14 @@ func addTeamMember(sess *db.Session, orgID, teamID, userID int64, isExternal boo
|
||||
return err
|
||||
}
|
||||
|
||||
func updateTeamMember(sess *db.Session, orgID, teamID, userID int64, permission dashboardaccess.PermissionType) error {
|
||||
func updateTeamMember(sess *db.Session, orgID, teamID, userID int64, permission team.PermissionType) error {
|
||||
member, err := getTeamMember(sess, orgID, teamID, userID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if permission != dashboardaccess.PERMISSION_ADMIN {
|
||||
permission = 0 // make sure we don't get invalid permission levels in store
|
||||
if permission != team.PermissionTypeAdmin {
|
||||
permission = team.PermissionTypeMember // make sure we don't get invalid permission levels in store
|
||||
}
|
||||
|
||||
member.Permission = permission
|
||||
|
||||
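Review bot: The clamp to `team.PermissionTypeMember` sits only in updateTeamMember; addTeamMember takes the same `permission` argument and nothing in the visible lines shows it being normalised before the row is written. Most of addTeamMember's body lies outside the hunk, so this may already be handled, but if it is not, a first-time add with an out-of-range value would store that value as given. Moving the check to the top of AddOrUpdateTeamMemberHook, `if permission != team.PermissionTypeAdmin { permission = team.PermissionTypeMember }`, would apply one rule to both branches.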
@@ -13,7 +13,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/infra/db"
|
||||
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
|
||||
"github.com/grafana/grafana/pkg/services/org/orgimpl"
|
||||
"github.com/grafana/grafana/pkg/services/quota/quotaimpl"
|
||||
"github.com/grafana/grafana/pkg/services/serviceaccounts"
|
||||
@@ -189,14 +188,14 @@ func TestIntegrationTeamCommandsAndQueries(t *testing.T) {
|
||||
require.EqualValues(t, qBeforeUpdateResult[0].Permission, 0)
|
||||
|
||||
err = sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
|
||||
return AddOrUpdateTeamMemberHook(sess, userId, testOrgID, team1.ID, false, dashboardaccess.PERMISSION_ADMIN)
|
||||
return AddOrUpdateTeamMemberHook(sess, userId, testOrgID, team1.ID, false, team.PermissionTypeAdmin)
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
qAfterUpdate := &team.GetTeamMembersQuery{OrgID: testOrgID, TeamID: team1.ID, SignedInUser: testUser}
|
||||
qAfterUpdateResult, err := teamSvc.GetTeamMembers(context.Background(), qAfterUpdate)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, qAfterUpdateResult[0].Permission, dashboardaccess.PERMISSION_ADMIN)
|
||||
require.Equal(t, qAfterUpdateResult[0].Permission, team.PermissionTypeAdmin)
|
||||
})
|
||||
|
||||
t.Run("Should default to member permission level when updating a user with invalid permission level", func(t *testing.T) {
|
||||
@@ -214,9 +213,9 @@ func TestIntegrationTeamCommandsAndQueries(t *testing.T) {
|
||||
require.NoError(t, err)
|
||||
require.EqualValues(t, qBeforeUpdateResult[0].Permission, 0)
|
||||
|
||||
invalidPermissionLevel := dashboardaccess.PERMISSION_EDIT
|
||||
invalidPermissionLevel := 2
|
||||
err = sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
|
||||
return AddOrUpdateTeamMemberHook(sess, userID, testOrgID, team1.ID, false, invalidPermissionLevel)
|
||||
return AddOrUpdateTeamMemberHook(sess, userID, testOrgID, team1.ID, false, team.PermissionType(invalidPermissionLevel))
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
@@ -356,7 +355,7 @@ func TestIntegrationTeamCommandsAndQueries(t *testing.T) {
|
||||
|
||||
t.Run("Should have empty teams", func(t *testing.T) {
|
||||
err = sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
|
||||
return AddOrUpdateTeamMemberHook(sess, userIds[0], testOrgID, team1.ID, false, dashboardaccess.PERMISSION_ADMIN)
|
||||
return AddOrUpdateTeamMemberHook(sess, userIds[0], testOrgID, team1.ID, false, team.PermissionTypeAdmin)
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
@@ -379,11 +378,11 @@ func TestIntegrationTeamCommandsAndQueries(t *testing.T) {
|
||||
setup()
|
||||
|
||||
err = sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
|
||||
err := AddOrUpdateTeamMemberHook(sess, userIds[0], testOrgID, team1.ID, false, dashboardaccess.PERMISSION_ADMIN)
|
||||
err := AddOrUpdateTeamMemberHook(sess, userIds[0], testOrgID, team1.ID, false, team.PermissionTypeAdmin)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return AddOrUpdateTeamMemberHook(sess, userIds[1], testOrgID, team1.ID, false, dashboardaccess.PERMISSION_ADMIN)
|
||||
return AddOrUpdateTeamMemberHook(sess, userIds[1], testOrgID, team1.ID, false, team.PermissionTypeAdmin)
|
||||
})
|
||||
require.NoError(t, err)
|
||||
err = sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
|
||||
|
||||