Auth: Add fixed repeat migration w. checks for subset of permissions (#58054)

* add: added a repeat migration w. fixed checks for permissions * add: migration to migrations * refactor: fix migration instead of making a new one * fix: removed the old id * fix: keep old name but change id * add: migration for patched previous migration * add: migration from missing file
2024-11-26 02:40:26 -06:00 · 2022-11-03 08:57:20 +00:00 · 2022-11-03 08:57:20 +00:00 · fc1b647474
commit fc1b647474
parent a83dee6031
2 changed files with 23 additions and 4 deletions
--- a/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
+++ b/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
@ -408,6 +408,15 @@ func AddManagedFolderAlertActionsRepeatMigration(mg *migrator.Migrator) {
 	mg.AddMigration(managedFolderAlertActionsRepeatMigratorID, &managedFolderAlertActionsRepeatMigrator{})
 }

+const managedFolderAlertActionsRepeatMigratorFixedID = "managed folder permissions alert actions repeated fixed migration"
+
+/*
+AddManagedFolderAlertActionsRepeatFixedMigration is a fixed version of AddManagedFolderAlertActionsRepeatMigration.
+*/
+func AddManagedFolderAlertActionsRepeatFixedMigration(mg *migrator.Migrator) {
+	mg.AddMigration(managedFolderAlertActionsRepeatMigratorFixedID, &managedFolderAlertActionsRepeatMigrator{})
+}
+
 type managedFolderAlertActionsRepeatMigrator struct {
 	migrator.MigrationBase
 }
@ -444,8 +453,17 @@ func (m *managedFolderAlertActionsRepeatMigrator) Exec(sess *xorm.Session, mg *m

 	for id, a := range mapped {
 		for scope, p := range a {
+			// previous migration added this permission, but it was not added to the toAdd slice
+			// because we were checking all permissions on top of folders, not just the scoped ones
+			//
+			// what we had:
+			// if !hasAction(ac.<Action>, permissions) {
+			// should have been:
+			// if !hasAction(ac.<Action>, p) {
+			//
+			// see PR for explanation: https://github.com/grafana/grafana/pull/58054
 			if hasFolderView(p) {
-				if !hasAction(ac.ActionAlertingRuleRead, permissions) {
+				if !hasAction(ac.ActionAlertingRuleRead, p) {
 					toAdd = append(toAdd, ac.Permission{
 						RoleID:  id,
 						Updated: now,
@ -457,7 +475,7 @@ func (m *managedFolderAlertActionsRepeatMigrator) Exec(sess *xorm.Session, mg *m
 			}

 			if hasFolderAdmin(p) || hasFolderEdit(p) {
-				if !hasAction(ac.ActionAlertingRuleCreate, permissions) {
+				if !hasAction(ac.ActionAlertingRuleCreate, p) {
 					toAdd = append(toAdd, ac.Permission{
 						RoleID:  id,
 						Updated: now,
@ -466,7 +484,7 @@ func (m *managedFolderAlertActionsRepeatMigrator) Exec(sess *xorm.Session, mg *m
 						Action:  ac.ActionAlertingRuleCreate,
 					})
 				}
-				if !hasAction(ac.ActionAlertingRuleDelete, permissions) {
+				if !hasAction(ac.ActionAlertingRuleDelete, p) {
 					toAdd = append(toAdd, ac.Permission{
 						RoleID:  id,
 						Updated: now,
@ -475,7 +493,7 @@ func (m *managedFolderAlertActionsRepeatMigrator) Exec(sess *xorm.Session, mg *m
 						Action:  ac.ActionAlertingRuleDelete,
 					})
 				}
-				if !hasAction(ac.ActionAlertingRuleUpdate, permissions) {
+				if !hasAction(ac.ActionAlertingRuleUpdate, p) {
 					toAdd = append(toAdd, ac.Permission{
 						RoleID:  id,
 						Updated: now,
--- a/pkg/services/sqlstore/migrations/migrations.go
+++ b/pkg/services/sqlstore/migrations/migrations.go
@ -103,6 +103,7 @@ func (*OSSMigrations) AddMigration(mg *Migrator) {
 	accesscontrol.AddManagedFolderAlertActionsRepeatMigration(mg)
 	accesscontrol.AddAdminOnlyMigration(mg)
 	accesscontrol.AddSeedAssignmentMigrations(mg)
+	accesscontrol.AddManagedFolderAlertActionsRepeatFixedMigration(mg)

 	// TODO: This migration will be enabled later in the nested folder feature
 	// implementation process. It is on hold so we can continue working on the