Access Control: Add scope type prefix (#40076)

* prefix runtime scopes with key type
2025-02-25 18:55:37 -06:00 · 2021-10-07 11:54:43 +02:00 · 2021-10-07 11:54:43 +02:00 · efbb4c890f
commit efbb4c890f
parent ff9ad7ad20
2 changed files with 5 additions and 5 deletions
--- a/docs/sources/enterprise/access-control/permissions.md
+++ b/docs/sources/enterprise/access-control/permissions.md
@ -89,7 +89,7 @@ The following list contains fine-grained access control scopes.
 | ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `roles:*`                                                                            | Restrict an action to a set of roles. For example, `roles:*` matches any role, `roles:randomuid` matches only the role with UID `randomuid` and `roles:custom:reports:{editor,viewer}` matches both `custom:reports:editor` and `custom:reports:viewer` roles. |
 | `permissions:delegate`                                                               | The scope is only applicable for roles associated with the Access Control itself and indicates that you can delegate your permissions only, or a subset of it, by creating a new role or making an assignment.                                                 |
-| `reports:*`                                                                          | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:1` matches the report with id `1`.                                                                                                                            |
+| `reports:*`                                                                          | Restrict an action to a set of reports. For example, `reports:*` matches any report and `reports:id:1` matches the report with id `1`.                                                                                                                         |
 | `services:accesscontrol`                                                             | Restrict an action to target only the fine-grained access control service. You can use this in conjunction with the `status:accesscontrol` actions.                                                                                                            |
 | `global:users:*`                                                                     | Restrict an action to a set of global users.                                                                                                                                                                                                                   |
 | `users:*`                                                                            | Restrict an action to a set of users from an organization.                                                                                                                                                                                                     |
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@ -167,7 +167,7 @@ func (hs *HTTPServer) registerRoutes() {

 		// users (admin permission required)
 		apiRoute.Group("/users", func(usersRoute routing.RouteRegister) {
-			userIDScope := ac.Scope("global", "users", ac.Parameter(":id"))
+			userIDScope := ac.Scope("global", "users", "id", ac.Parameter(":id"))
 			usersRoute.Get("/", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), routing.Wrap(hs.searchUsersService.SearchUsers))
 			usersRoute.Get("/search", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), routing.Wrap(hs.searchUsersService.SearchUsersWithPaging))
 			usersRoute.Get("/:id", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, userIDScope)), routing.Wrap(GetUserByID))
@ -206,7 +206,7 @@ func (hs *HTTPServer) registerRoutes() {

 		// current org
 		apiRoute.Group("/org", func(orgRoute routing.RouteRegister) {
-			userIDScope := ac.Scope("users", ac.Parameter(":userId"))
+			userIDScope := ac.Scope("users", "id", ac.Parameter(":userId"))
 			orgRoute.Put("/", reqOrgAdmin, bind(dtos.UpdateOrgForm{}), routing.Wrap(UpdateOrgCurrent))
 			orgRoute.Put("/address", reqOrgAdmin, bind(dtos.UpdateOrgAddressForm{}), routing.Wrap(UpdateOrgAddressCurrent))
 			orgRoute.Get("/users", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionOrgUsersRead, ac.ScopeUsersAll)), routing.Wrap(hs.GetOrgUsersForCurrentOrg))
@ -238,7 +238,7 @@ func (hs *HTTPServer) registerRoutes() {

 		// orgs (admin routes)
 		apiRoute.Group("/orgs/:orgId", func(orgsRoute routing.RouteRegister) {
-			userIDScope := ac.Scope("users", ac.Parameter(":userId"))
+			userIDScope := ac.Scope("users", "id", ac.Parameter(":userId"))
 			orgsRoute.Get("/", reqGrafanaAdmin, routing.Wrap(GetOrgByID))
 			orgsRoute.Put("/", reqGrafanaAdmin, bind(dtos.UpdateOrgForm{}), routing.Wrap(UpdateOrg))
 			orgsRoute.Put("/address", reqGrafanaAdmin, bind(dtos.UpdateOrgAddressForm{}), routing.Wrap(UpdateOrgAddress))
@ -470,7 +470,7 @@ func (hs *HTTPServer) registerRoutes() {

 	// Administering users
 	r.Group("/api/admin/users", func(adminUserRoute routing.RouteRegister) {
-		userIDScope := ac.Scope("global", "users", ac.Parameter(":id"))
+		userIDScope := ac.Scope("global", "users", "id", ac.Parameter(":id"))

 		adminUserRoute.Post("/", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersCreate)), bind(dtos.AdminCreateUserForm{}), routing.Wrap(hs.AdminCreateUser))
 		adminUserRoute.Put("/:id/password", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersPasswordUpdate, userIDScope)), bind(dtos.AdminUpdateUserPasswordForm{}), routing.Wrap(AdminUpdateUserPassword))