AccessControl: Enable RBAC by default (#48813)

* Add RBAC section to settings

* Default to RBAC enabled settings to true

* Update tests to respect RBAC

Co-authored-by: Karl Persson <kalle.persson@grafana.com>

pkg/services/sqlstore/annotation_test.go

@@ -17,7 +17,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/annotations"
 	"github.com/grafana/grafana/pkg/services/dashboards"
 	dashboardstore "github.com/grafana/grafana/pkg/services/dashboards/database"
-	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
 )
 
@@ -25,6 +24,16 @@ func TestAnnotations(t *testing.T) {
 	sql := sqlstore.InitTestDB(t)
 	repo := sqlstore.NewSQLAnnotationRepo(sql)
 
+	testUser := &models.SignedInUser{
+		OrgId: 1,
+		Permissions: map[int64]map[string][]string{
+			1: {
+				accesscontrol.ActionAnnotationsRead: []string{accesscontrol.ScopeAnnotationsAll},
+				dashboards.ActionDashboardsRead:     []string{dashboards.ScopeDashboardsAll},
+			},
+		},
+	}
+
 	t.Run("Testing annotation create, read, update and delete", func(t *testing.T) {
 		t.Cleanup(func() {
 			err := sql.WithDbSession(context.Background(), func(dbSession *sqlstore.DBSession) error {
@@ -38,16 +47,38 @@ func TestAnnotations(t *testing.T) {
 			assert.NoError(t, err)
 		})
 
+		dashboardStore := dashboardstore.ProvideDashboardStore(sql)
+
+		testDashboard1 := models.SaveDashboardCommand{
+			UserId: 1,
+			OrgId:  1,
+			Dashboard: simplejson.NewFromAny(map[string]interface{}{
+				"title": "Dashboard 1",
+			}),
+		}
+		dashboard, err := dashboardStore.SaveDashboard(testDashboard1)
+		require.NoError(t, err)
+
+		testDashboard2 := models.SaveDashboardCommand{
+			UserId: 1,
+			OrgId:  1,
+			Dashboard: simplejson.NewFromAny(map[string]interface{}{
+				"title": "Dashboard 2",
+			}),
+		}
+		dashboard2, err := dashboardStore.SaveDashboard(testDashboard2)
+		require.NoError(t, err)
+
 		annotation := &annotations.Item{
 			OrgId:       1,
 			UserId:      1,
-			DashboardId: 1,
+			DashboardId: dashboard.Id,
 			Text:        "hello",
 			Type:        "alert",
 			Epoch:       10,
 			Tags:        []string{"outage", "error", "type:outage", "server:server-1"},
 		}
-		err := repo.Save(annotation)
+		err = repo.Save(annotation)
 		require.NoError(t, err)
 		assert.Greater(t, annotation.Id, int64(0))
 		assert.Equal(t, annotation.Epoch, annotation.EpochEnd)
@@ -55,7 +86,7 @@ func TestAnnotations(t *testing.T) {
 		annotation2 := &annotations.Item{
 			OrgId:       1,
 			UserId:      1,
-			DashboardId: 2,
+			DashboardId: dashboard2.Id,
 			Text:        "hello",
 			Type:        "alert",
 			Epoch:       21, // Should swap epoch & epochEnd
@@ -93,10 +124,11 @@ func TestAnnotations(t *testing.T) {
 		assert.Greater(t, globalAnnotation2.Id, int64(0))
 		t.Run("Can query for annotation by dashboard id", func(t *testing.T) {
 			items, err := repo.Find(context.Background(), &annotations.ItemQuery{
-				OrgId:       1,
-				DashboardId: 1,
-				From:        0,
-				To:          15,
+				OrgId:        1,
+				DashboardId:  dashboard.Id,
+				From:         0,
+				To:           15,
+				SignedInUser: testUser,
 			})
 
 			require.NoError(t, err)
@@ -113,6 +145,7 @@ func TestAnnotations(t *testing.T) {
 			items, err := repo.Find(context.Background(), &annotations.ItemQuery{
 				OrgId:        1,
 				AnnotationId: annotation2.Id,
+				SignedInUser: testUser,
 			})
 			require.NoError(t, err)
 			assert.Len(t, items, 1)
@@ -121,10 +154,11 @@ func TestAnnotations(t *testing.T) {
 
 		t.Run("Should not find any when item is outside time range", func(t *testing.T) {
 			items, err := repo.Find(context.Background(), &annotations.ItemQuery{
-				OrgId:       1,
-				DashboardId: 1,
-				From:        12,
-				To:          15,
+				OrgId:        1,
+				DashboardId:  1,
+				From:         12,
+				To:           15,
+				SignedInUser: testUser,
 			})
 			require.NoError(t, err)
 			assert.Empty(t, items)
@@ -132,11 +166,12 @@ func TestAnnotations(t *testing.T) {
 
 		t.Run("Should not find one when tag filter does not match", func(t *testing.T) {
 			items, err := repo.Find(context.Background(), &annotations.ItemQuery{
-				OrgId:       1,
-				DashboardId: 1,
-				From:        1,
-				To:          15,
-				Tags:        []string{"asd"},
+				OrgId:        1,
+				DashboardId:  1,
+				From:         1,
+				To:           15,
+				Tags:         []string{"asd"},
+				SignedInUser: testUser,
 			})
 			require.NoError(t, err)
 			assert.Empty(t, items)
@@ -144,11 +179,12 @@ func TestAnnotations(t *testing.T) {
 
 		t.Run("Should not find one when type filter does not match", func(t *testing.T) {
 			items, err := repo.Find(context.Background(), &annotations.ItemQuery{
-				OrgId:       1,
-				DashboardId: 1,
-				From:        1,
-				To:          15,
-				Type:        "alert",
+				OrgId:        1,
+				DashboardId:  1,
+				From:         1,
+				To:           15,
+				Type:         "alert",
+				SignedInUser: testUser,
 			})
 			require.NoError(t, err)
 			assert.Empty(t, items)
@@ -156,11 +192,12 @@ func TestAnnotations(t *testing.T) {
 
 		t.Run("Should find one when all tag filters does match", func(t *testing.T) {
 			items, err := repo.Find(context.Background(), &annotations.ItemQuery{
-				OrgId:       1,
-				DashboardId: 1,
-				From:        1,
-				To:          15, // this will exclude the second test annotation
-				Tags:        []string{"outage", "error"},
+				OrgId:        1,
+				DashboardId:  1,
+				From:         1,
+				To:           15, // this will exclude the second test annotation
+				Tags:         []string{"outage", "error"},
+				SignedInUser: testUser,
 			})
 			require.NoError(t, err)
 			assert.Len(t, items, 1)
@@ -168,11 +205,12 @@ func TestAnnotations(t *testing.T) {
 
 		t.Run("Should find two annotations using partial match", func(t *testing.T) {
 			items, err := repo.Find(context.Background(), &annotations.ItemQuery{
-				OrgId:    1,
-				From:     1,
-				To:       25,
-				MatchAny: true,
-				Tags:     []string{"rollback", "deploy"},
+				OrgId:        1,
+				From:         1,
+				To:           25,
+				MatchAny:     true,
+				Tags:         []string{"rollback", "deploy"},
+				SignedInUser: testUser,
 			})
 			require.NoError(t, err)
 			assert.Len(t, items, 2)
@@ -180,11 +218,12 @@ func TestAnnotations(t *testing.T) {
 
 		t.Run("Should find one when all key value tag filters does match", func(t *testing.T) {
 			items, err := repo.Find(context.Background(), &annotations.ItemQuery{
-				OrgId:       1,
-				DashboardId: 1,
-				From:        1,
-				To:          15,
-				Tags:        []string{"type:outage", "server:server-1"},
+				OrgId:        1,
+				DashboardId:  1,
+				From:         1,
+				To:           15,
+				Tags:         []string{"type:outage", "server:server-1"},
+				SignedInUser: testUser,
 			})
 			require.NoError(t, err)
 			assert.Len(t, items, 1)
@@ -192,10 +231,11 @@ func TestAnnotations(t *testing.T) {
 
 		t.Run("Can update annotation and remove all tags", func(t *testing.T) {
 			query := &annotations.ItemQuery{
-				OrgId:       1,
-				DashboardId: 1,
-				From:        0,
-				To:          15,
+				OrgId:        1,
+				DashboardId:  1,
+				From:         0,
+				To:           15,
+				SignedInUser: testUser,
 			}
 			items, err := repo.Find(context.Background(), query)
 			require.NoError(t, err)
@@ -219,10 +259,11 @@ func TestAnnotations(t *testing.T) {
 
 		t.Run("Can update annotation with new tags", func(t *testing.T) {
 			query := &annotations.ItemQuery{
-				OrgId:       1,
-				DashboardId: 1,
-				From:        0,
-				To:          15,
+				OrgId:        1,
+				DashboardId:  1,
+				From:         0,
+				To:           15,
+				SignedInUser: testUser,
 			}
 			items, err := repo.Find(context.Background(), query)
 			require.NoError(t, err)
@@ -247,10 +288,11 @@ func TestAnnotations(t *testing.T) {
 
 		t.Run("Can delete annotation", func(t *testing.T) {
 			query := &annotations.ItemQuery{
-				OrgId:       1,
-				DashboardId: 1,
-				From:        0,
-				To:          15,
+				OrgId:        1,
+				DashboardId:  1,
+				From:         0,
+				To:           15,
+				SignedInUser: testUser,
 			}
 			items, err := repo.Find(context.Background(), query)
 			require.NoError(t, err)
@@ -268,11 +310,12 @@ func TestAnnotations(t *testing.T) {
 			annotation3 := &annotations.Item{
 				OrgId:       1,
 				UserId:      1,
-				DashboardId: 3,
+				DashboardId: dashboard2.Id,
 				Text:        "toBeDeletedWithPanelId",
 				Type:        "alert",
 				Epoch:       11,
 				Tags:        []string{"test"},
+				PanelId:     20,
 			}
 			err = repo.Save(annotation3)
 			require.NoError(t, err)
@@ -280,6 +323,7 @@ func TestAnnotations(t *testing.T) {
 			query := &annotations.ItemQuery{
 				OrgId:        1,
 				AnnotationId: annotation3.Id,
+				SignedInUser: testUser,
 			}
 			items, err := repo.Find(context.Background(), query)
 			require.NoError(t, err)
@@ -339,7 +383,7 @@ func TestAnnotations(t *testing.T) {
 }
 
 func TestAnnotationListingWithRBAC(t *testing.T) {
-	sql := sqlstore.InitTestDB(t, sqlstore.InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
+	sql := sqlstore.InitTestDB(t, sqlstore.InitTestDBOpt{})
 	repo := sqlstore.NewSQLAnnotationRepo(sql)
 	dashboardStore := dashboardstore.ProvideDashboardStore(sql)
 

pkg/services/sqlstore/apikey_test.go

@@ -9,11 +9,11 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/grafana/grafana/pkg/models"
-	"github.com/grafana/grafana/pkg/services/featuremgmt"
-	"github.com/stretchr/testify/assert"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
 )
 
 func TestApiKeyDataAccess(t *testing.T) {
@@ -99,7 +99,13 @@ func TestApiKeyDataAccess(t *testing.T) {
 			// advance mocked getTime by 1s
 			timeNow()
 
-			query := models.GetApiKeysQuery{OrgId: 1, IncludeExpired: false}
+			testUser := &models.SignedInUser{
+				OrgId: 1,
+				Permissions: map[int64]map[string][]string{
+					1: {accesscontrol.ActionAPIKeyRead: []string{accesscontrol.ScopeAPIKeysAll}},
+				},
+			}
+			query := models.GetApiKeysQuery{OrgId: 1, IncludeExpired: false, User: testUser}
 			err = ss.GetAPIKeys(context.Background(), &query)
 			assert.Nil(t, err)
 
@@ -109,7 +115,7 @@ func TestApiKeyDataAccess(t *testing.T) {
 				}
 			}
 
-			query = models.GetApiKeysQuery{OrgId: 1, IncludeExpired: true}
+			query = models.GetApiKeysQuery{OrgId: 1, IncludeExpired: true, User: testUser}
 			err = ss.GetAPIKeys(context.Background(), &query)
 			assert.Nil(t, err)
 
@@ -187,7 +193,7 @@ func TestSQLStore_GetAPIKeys(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
+			store := InitTestDB(t, InitTestDBOpt{})
 			seedApiKeys(t, store, 10)
 
 			query := &models.GetApiKeysQuery{OrgId: 1, User: tt.user}

pkg/services/sqlstore/migrations/migrations.go

@@ -77,7 +77,7 @@ func (*OSSMigrations) AddMigration(mg *Migrator) {
 	addQueryHistoryMigrations(mg)
 
 	if mg.Cfg != nil && mg.Cfg.IsFeatureToggleEnabled != nil {
-		if mg.Cfg.IsFeatureToggleEnabled(featuremgmt.FlagAccesscontrol) {
+		if mg.Cfg.RBACEnabled {
 			accesscontrol.AddTeamMembershipMigrations(mg)
 			accesscontrol.AddDashboardPermissionsMigrator(mg)
 		}

pkg/services/sqlstore/org_test.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/stretchr/testify/require"
@@ -19,6 +20,11 @@ import (
 func TestAccountDataAccess(t *testing.T) {
 	t.Run("Testing Account DB Access", func(t *testing.T) {
 		sqlStore := InitTestDB(t)
+		testUser := &models.SignedInUser{
+			Permissions: map[int64]map[string][]string{
+				1: {accesscontrol.ActionOrgUsersRead: []string{accesscontrol.ScopeUsersAll}},
+			},
+		}
 
 		t.Run("Given we have organizations, we can query them by IDs", func(t *testing.T) {
 			var err error
@@ -109,6 +115,7 @@ func TestAccountDataAccess(t *testing.T) {
 			ac2cmd := models.CreateUserCommand{Login: "ac2", Email: "ac2@test.com", Name: "ac2 name"}
 
 			ac1, err := sqlStore.CreateUser(context.Background(), ac1cmd)
+			testUser.OrgId = ac1.OrgId
 			require.NoError(t, err)
 			_, err = sqlStore.CreateUser(context.Background(), ac2cmd)
 			require.NoError(t, err)
@@ -117,6 +124,7 @@ func TestAccountDataAccess(t *testing.T) {
 				query := models.SearchOrgUsersQuery{
 					OrgID: ac1.OrgId,
 					Page:  1,
+					User:  testUser,
 				}
 				err = sqlStore.SearchOrgUsers(context.Background(), &query)
 
@@ -129,6 +137,7 @@ func TestAccountDataAccess(t *testing.T) {
 					OrgID: ac1.OrgId,
 					Limit: 1,
 					Page:  1,
+					User:  testUser,
 				}
 				err = sqlStore.SearchOrgUsers(context.Background(), &query)
 
@@ -163,7 +172,12 @@ func TestAccountDataAccess(t *testing.T) {
 			})
 
 			t.Run("Can search users", func(t *testing.T) {
-				query := models.SearchUsersQuery{Query: ""}
+				query := models.SearchUsersQuery{Query: "", SignedInUser: &models.SignedInUser{
+					OrgId: 1,
+					Permissions: map[int64]map[string][]string{
+						1: {accesscontrol.ActionUsersRead: {accesscontrol.ScopeGlobalUsersAll}},
+					},
+				}}
 				err := sqlStore.SearchUsers(context.Background(), &query)
 
 				require.NoError(t, err)

pkg/services/sqlstore/org_users_test.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/grafana/grafana/pkg/models"
 	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
-	"github.com/grafana/grafana/pkg/services/featuremgmt"
 )
 
 type getOrgUsersTestCase struct {
@@ -61,7 +60,7 @@ func TestSQLStore_GetOrgUsers(t *testing.T) {
 		},
 	}
 
-	store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
+	store := InitTestDB(t, InitTestDBOpt{})
 	store.Cfg.IsEnterprise = true
 	defer func() {
 		store.Cfg.IsEnterprise = false
@@ -130,7 +129,7 @@ func TestSQLStore_SearchOrgUsers(t *testing.T) {
 		},
 	}
 
-	store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
+	store := InitTestDB(t, InitTestDBOpt{})
 	seedOrgUsers(t, store, 10)
 
 	for _, tt := range tests {

pkg/services/sqlstore/sqlstore.go

@@ -487,6 +487,7 @@ func initTestDB(migration registry.DatabaseMigrator, opts ...InitTestDBOpt) (*SQ
 
 		// set test db config
 		cfg := setting.NewCfg()
+		cfg.RBACEnabled = true
 		cfg.IsFeatureToggleEnabled = func(key string) bool {
 			for _, enabledFeature := range features {
 				if enabledFeature == key {

pkg/services/sqlstore/team_test.go

@@ -13,12 +13,20 @@ import (
 
 	"github.com/grafana/grafana/pkg/models"
 	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
-	"github.com/grafana/grafana/pkg/services/featuremgmt"
 )
 
 func TestTeamCommandsAndQueries(t *testing.T) {
 	t.Run("Testing Team commands & queries", func(t *testing.T) {
 		sqlStore := InitTestDB(t)
+		testUser := &models.SignedInUser{
+			OrgId: 1,
+			Permissions: map[int64]map[string][]string{
+				1: {
+					ac.ActionTeamsRead:    []string{ac.ScopeTeamsAll},
+					ac.ActionOrgUsersRead: []string{ac.ScopeUsersAll},
+				},
+			},
+		}
 
 		t.Run("Given saved users and two teams", func(t *testing.T) {
 			var userIds []int64
@@ -47,7 +55,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 			setup()
 
 			t.Run("Should be able to create teams and add users", func(t *testing.T) {
-				query := &models.SearchTeamsQuery{OrgId: testOrgID, Name: "group1 name", Page: 1, Limit: 10}
+				query := &models.SearchTeamsQuery{OrgId: testOrgID, Name: "group1 name", Page: 1, Limit: 10, SignedInUser: testUser}
 				err = sqlStore.SearchTeams(context.Background(), query)
 				require.NoError(t, err)
 				require.Equal(t, query.Page, 1)
@@ -63,7 +71,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				err = sqlStore.AddTeamMember(userIds[1], testOrgID, team1.Id, true, 0)
 				require.NoError(t, err)
 
-				q1 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id}
+				q1 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, SignedInUser: testUser}
 				err = sqlStore.GetTeamMembers(context.Background(), q1)
 				require.NoError(t, err)
 				require.Equal(t, len(q1.Result), 2)
@@ -75,7 +83,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				require.Equal(t, q1.Result[1].OrgId, testOrgID)
 				require.Equal(t, q1.Result[1].External, true)
 
-				q2 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, External: true}
+				q2 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, External: true, SignedInUser: testUser}
 				err = sqlStore.GetTeamMembers(context.Background(), q2)
 				require.NoError(t, err)
 				require.Equal(t, len(q2.Result), 1)
@@ -89,7 +97,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				team1 = query.Result.Teams[0]
 				require.EqualValues(t, team1.MemberCount, 2)
 
-				getTeamQuery := &models.GetTeamByIdQuery{OrgId: testOrgID, Id: team1.Id}
+				getTeamQuery := &models.GetTeamByIdQuery{OrgId: testOrgID, Id: team1.Id, SignedInUser: testUser}
 				err = sqlStore.GetTeamById(context.Background(), getTeamQuery)
 				require.NoError(t, err)
 				team1 = getTeamQuery.Result
@@ -104,7 +112,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				setup()
 				userId := userIds[1]
 
-				teamQuery := &models.SearchTeamsQuery{OrgId: testOrgID, Name: "group1 name", Page: 1, Limit: 10}
+				teamQuery := &models.SearchTeamsQuery{OrgId: testOrgID, Name: "group1 name", Page: 1, Limit: 10, SignedInUser: testUser}
 				err = sqlStore.SearchTeams(context.Background(), teamQuery)
 				require.NoError(t, err)
 				require.Equal(t, teamQuery.Page, 1)
@@ -114,7 +122,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				err = sqlStore.AddTeamMember(userId, testOrgID, team1.Id, true, 0)
 				require.NoError(t, err)
 
-				memberQuery := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, External: true}
+				memberQuery := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, External: true, SignedInUser: testUser}
 				err = sqlStore.GetTeamMembers(context.Background(), memberQuery)
 				require.NoError(t, err)
 				require.Equal(t, len(memberQuery.Result), 1)
@@ -130,7 +138,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				err = sqlStore.AddTeamMember(userId, testOrgID, team.Id, false, 0)
 				require.NoError(t, err)
 
-				qBeforeUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id}
+				qBeforeUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id, SignedInUser: testUser}
 				err = sqlStore.GetTeamMembers(context.Background(), qBeforeUpdate)
 				require.NoError(t, err)
 				require.EqualValues(t, qBeforeUpdate.Result[0].Permission, 0)
@@ -144,7 +152,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 
 				require.NoError(t, err)
 
-				qAfterUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id}
+				qAfterUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id, SignedInUser: testUser}
 				err = sqlStore.GetTeamMembers(context.Background(), qAfterUpdate)
 				require.NoError(t, err)
 				require.Equal(t, qAfterUpdate.Result[0].Permission, models.PERMISSION_ADMIN)
@@ -158,7 +166,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				err = sqlStore.AddTeamMember(userID, testOrgID, team.Id, false, 0)
 				require.NoError(t, err)
 
-				qBeforeUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id}
+				qBeforeUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id, SignedInUser: testUser}
 				err = sqlStore.GetTeamMembers(context.Background(), qBeforeUpdate)
 				require.NoError(t, err)
 				require.EqualValues(t, qBeforeUpdate.Result[0].Permission, 0)
@@ -173,7 +181,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 
 				require.NoError(t, err)
 
-				qAfterUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id}
+				qAfterUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id, SignedInUser: testUser}
 				err = sqlStore.GetTeamMembers(context.Background(), qAfterUpdate)
 				require.NoError(t, err)
 				require.EqualValues(t, qAfterUpdate.Result[0].Permission, 0)
@@ -193,13 +201,13 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 			})
 
 			t.Run("Should be able to search for teams", func(t *testing.T) {
-				query := &models.SearchTeamsQuery{OrgId: testOrgID, Query: "group", Page: 1}
+				query := &models.SearchTeamsQuery{OrgId: testOrgID, Query: "group", Page: 1, SignedInUser: testUser}
 				err = sqlStore.SearchTeams(context.Background(), query)
 				require.NoError(t, err)
 				require.Equal(t, len(query.Result.Teams), 2)
 				require.EqualValues(t, query.Result.TotalCount, 2)
 
-				query2 := &models.SearchTeamsQuery{OrgId: testOrgID, Query: ""}
+				query2 := &models.SearchTeamsQuery{OrgId: testOrgID, Query: "", SignedInUser: testUser}
 				err = sqlStore.SearchTeams(context.Background(), query2)
 				require.NoError(t, err)
 				require.Equal(t, len(query2.Result.Teams), 2)
@@ -227,7 +235,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				err = sqlStore.RemoveTeamMember(context.Background(), &models.RemoveTeamMemberCommand{OrgId: testOrgID, TeamId: team1.Id, UserId: userIds[0]})
 				require.NoError(t, err)
 
-				q2 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id}
+				q2 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, SignedInUser: testUser}
 				err = sqlStore.GetTeamMembers(context.Background(), q2)
 				require.NoError(t, err)
 				require.Equal(t, len(q2.Result), 0)
@@ -315,7 +323,16 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 			t.Run("Should not return hidden users in team member count", func(t *testing.T) {
 				sqlStore = InitTestDB(t)
 				setup()
-				signedInUser := &models.SignedInUser{Login: "loginuser0"}
+				signedInUser := &models.SignedInUser{
+					Login: "loginuser0",
+					OrgId: testOrgID,
+					Permissions: map[int64]map[string][]string{
+						testOrgID: {
+							ac.ActionTeamsRead:    []string{ac.ScopeTeamsAll},
+							ac.ActionOrgUsersRead: []string{ac.ScopeUsersAll},
+						},
+					},
+				}
 				hiddenUsers := map[string]struct{}{"loginuser0": {}, "loginuser1": {}}
 
 				teamId := team1.Id
@@ -396,7 +413,7 @@ func TestSQLStore_SearchTeams(t *testing.T) {
 		},
 	}
 
-	store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
+	store := InitTestDB(t, InitTestDBOpt{})
 
 	// Seed 10 teams
 	for i := 1; i <= 10; i++ {
@@ -455,7 +472,7 @@ func TestSQLStore_GetTeamMembers_ACFilter(t *testing.T) {
 		require.NoError(t, errAddMember)
 	}
 
-	store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
+	store := InitTestDB(t, InitTestDBOpt{})
 	setup(store)
 
 	type getTeamMembersTestCase struct {

pkg/services/sqlstore/user_test.go

@@ -9,7 +9,6 @@ import (
 	"testing"
 
 	"github.com/grafana/grafana/pkg/models"
-	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -18,6 +17,10 @@ import (
 func TestUserDataAccess(t *testing.T) {
 
 	ss := InitTestDB(t)
+	user := &models.SignedInUser{
+		OrgId:       1,
+		Permissions: map[int64]map[string][]string{1: {"users:read": {"global.users:*"}}},
+	}
 
 	t.Run("Testing DB - creates and loads user", func(t *testing.T) {
 		cmd := models.CreateUserCommand{
@@ -131,7 +134,7 @@ func TestUserDataAccess(t *testing.T) {
 		})
 
 		// Return the first page of users and a total count
-		query := models.SearchUsersQuery{Query: "", Page: 1, Limit: 3}
+		query := models.SearchUsersQuery{Query: "", Page: 1, Limit: 3, SignedInUser: user}
 		err := ss.SearchUsers(context.Background(), &query)
 
 		require.Nil(t, err)
@@ -139,7 +142,7 @@ func TestUserDataAccess(t *testing.T) {
 		require.EqualValues(t, query.Result.TotalCount, 5)
 
 		// Return the second page of users and a total count
-		query = models.SearchUsersQuery{Query: "", Page: 2, Limit: 3}
+		query = models.SearchUsersQuery{Query: "", Page: 2, Limit: 3, SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), &query)
 
 		require.Nil(t, err)
@@ -147,28 +150,28 @@ func TestUserDataAccess(t *testing.T) {
 		require.EqualValues(t, query.Result.TotalCount, 5)
 
 		// Return list of users matching query on user name
-		query = models.SearchUsersQuery{Query: "use", Page: 1, Limit: 3}
+		query = models.SearchUsersQuery{Query: "use", Page: 1, Limit: 3, SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), &query)
 
 		require.Nil(t, err)
 		require.Len(t, query.Result.Users, 3)
 		require.EqualValues(t, query.Result.TotalCount, 5)
 
-		query = models.SearchUsersQuery{Query: "ser1", Page: 1, Limit: 3}
+		query = models.SearchUsersQuery{Query: "ser1", Page: 1, Limit: 3, SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), &query)
 
 		require.Nil(t, err)
 		require.Len(t, query.Result.Users, 1)
 		require.EqualValues(t, query.Result.TotalCount, 1)
 
-		query = models.SearchUsersQuery{Query: "USER1", Page: 1, Limit: 3}
+		query = models.SearchUsersQuery{Query: "USER1", Page: 1, Limit: 3, SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), &query)
 
 		require.Nil(t, err)
 		require.Len(t, query.Result.Users, 1)
 		require.EqualValues(t, query.Result.TotalCount, 1)
 
-		query = models.SearchUsersQuery{Query: "idontexist", Page: 1, Limit: 3}
+		query = models.SearchUsersQuery{Query: "idontexist", Page: 1, Limit: 3, SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), &query)
 
 		require.Nil(t, err)
@@ -176,7 +179,7 @@ func TestUserDataAccess(t *testing.T) {
 		require.EqualValues(t, query.Result.TotalCount, 0)
 
 		// Return list of users matching query on email
-		query = models.SearchUsersQuery{Query: "ser1@test.com", Page: 1, Limit: 3}
+		query = models.SearchUsersQuery{Query: "ser1@test.com", Page: 1, Limit: 3, SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), &query)
 
 		require.Nil(t, err)
@@ -184,7 +187,7 @@ func TestUserDataAccess(t *testing.T) {
 		require.EqualValues(t, query.Result.TotalCount, 1)
 
 		// Return list of users matching query on login name
-		query = models.SearchUsersQuery{Query: "loginuser1", Page: 1, Limit: 3}
+		query = models.SearchUsersQuery{Query: "loginuser1", Page: 1, Limit: 3, SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), &query)
 
 		require.Nil(t, err)
@@ -204,7 +207,7 @@ func TestUserDataAccess(t *testing.T) {
 		})
 
 		isDisabled := false
-		query := models.SearchUsersQuery{IsDisabled: &isDisabled}
+		query := models.SearchUsersQuery{IsDisabled: &isDisabled, SignedInUser: user}
 		err := ss.SearchUsers(context.Background(), &query)
 		require.Nil(t, err)
 
@@ -251,7 +254,7 @@ func TestUserDataAccess(t *testing.T) {
 		err = ss.DeleteUser(context.Background(), &models.DeleteUserCommand{UserId: users[1].Id})
 		require.Nil(t, err)
 
-		query1 := &models.GetOrgUsersQuery{OrgId: users[0].OrgId}
+		query1 := &models.GetOrgUsersQuery{OrgId: users[0].OrgId, User: user}
 		err = ss.GetOrgUsersForTest(context.Background(), query1)
 		require.Nil(t, err)
 
@@ -314,7 +317,7 @@ func TestUserDataAccess(t *testing.T) {
 		require.Nil(t, err)
 
 		isDisabled = true
-		query5 := &models.SearchUsersQuery{IsDisabled: &isDisabled}
+		query5 := &models.SearchUsersQuery{IsDisabled: &isDisabled, SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), query5)
 
 		require.Nil(t, err)
@@ -339,7 +342,7 @@ func TestUserDataAccess(t *testing.T) {
 	})
 
 	t.Run("Testing DB - return list of users that the SignedInUser has permission to read", func(t *testing.T) {
-		ss := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
+		ss := InitTestDB(t)
 		createFiveTestUsers(t, ss, func(i int) *models.CreateUserCommand {
 			return &models.CreateUserCommand{
 				Email: fmt.Sprint("user", i, "@test.com"),
@@ -380,7 +383,7 @@ func TestUserDataAccess(t *testing.T) {
 		require.Nil(t, err)
 
 		isDisabled := false
-		query := &models.SearchUsersQuery{IsDisabled: &isDisabled}
+		query := &models.SearchUsersQuery{IsDisabled: &isDisabled, SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), query)
 
 		require.Nil(t, err)
@@ -411,7 +414,7 @@ func TestUserDataAccess(t *testing.T) {
 		err := ss.BatchDisableUsers(context.Background(), &disableCmd)
 		require.Nil(t, err)
 
-		query := models.SearchUsersQuery{}
+		query := models.SearchUsersQuery{SignedInUser: user}
 		err = ss.SearchUsers(context.Background(), &query)
 
 		require.Nil(t, err)