RBAC: use scope reduction for user permission listing (#61583)

use scope reduction for user permission listing

pkg/services/accesscontrol/accesscontrol_test.go

@@ -42,6 +42,17 @@ func TestReduce(t *testing.T) {
 				"teams:write": {"teams:id:1"},
 			},
 		},
+		{
+			name: "specific permissions with repeated scope",
+			ps: []Permission{
+				{Action: "teams:read", Scope: "teams:id:1"},
+				{Action: "teams:read", Scope: "teams:id:2"},
+				{Action: "teams:read", Scope: "teams:id:1"},
+			},
+			want: map[string][]string{
+				"teams:read": {"teams:id:1", "teams:id:2"},
+			},
+		},
 		{
 			name: "wildcard permission",
 			ps: []Permission{
@@ -88,6 +99,16 @@ func TestReduce(t *testing.T) {
 				"dashboards:read": {"*"},
 			},
 		},
+		{
+			name: "non-wilcard scopes with * in them",
+			ps: []Permission{
+				{Action: "dashboards:read", Scope: "dashboards:uid:123"},
+				{Action: "dashboards:read", Scope: "dashboards:uid:1*"},
+			},
+			want: map[string][]string{
+				"dashboards:read": {"dashboards:uid:123", "dashboards:uid:1*"},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/services/accesscontrol/api/api.go

@@ -91,7 +91,7 @@ func (api *AccessControlAPI) searchUsersPermissions(c *models.ReqContext) respon
 
 	permsByAction := map[int64]map[string][]string{}
 	for userID, userPerms := range permissions {
-		permsByAction[userID] = ac.GroupScopesByAction(userPerms)
+		permsByAction[userID] = ac.Reduce(userPerms)
 	}
 
 	return response.JSON(http.StatusOK, permsByAction)
@@ -121,5 +121,5 @@ func (api *AccessControlAPI) searchUserPermissions(c *models.ReqContext) respons
 		response.Error(http.StatusInternalServerError, "could not search user permissions", err)
 	}
 
-	return response.JSON(http.StatusOK, ac.GroupScopesByAction(permissions))
+	return response.JSON(http.StatusOK, ac.Reduce(permissions))
 }