* Add actions and scopes
* add resource service for dashboard and folder
* Add dashboard guardian with fgac permission evaluation
* Add CanDelete function to guardian interface
* Add CanDelete property to folder and dashboard dto and set values
* change to correct function name
* Add accesscontrol to folder endpoints
* add access control to dashboard endpoints
* check access for nav links
* Add fixed roles for dashboard and folders
* use correct package
* add hack to override guardian Constructor if accesscontrol is enabled
* Add services
* Add function to handle api backward compatability
* Add permissionServices to HttpServer
* Set permission when new dashboard is created
* Add default permission when creating new dashboard
* Set default permission when creating folder and dashboard
* Add access control filter for dashboard search
* Add to accept list
* Add accesscontrol to dashboardimport
* Disable access control in tests
* Add check to see if user is allow to create a dashboard
* Use SetPermissions
* Use function to set several permissions at once
* remove permissions for folder and dashboard on delete
* update required permission
* set permission for provisioning
* Add CanCreate to dashboard guardian and set correct permisisons for
provisioning
* Dont set admin on folder / dashboard creation
* Add dashboard and folder permission migrations
* Add tests for CanCreate
* Add roles and update descriptions
* Solve uid to id for dashboard and folder permissions
* Add folder and dashboard actions to permission filter
* Handle viewer_can_edit flag
* set folder and dashboard permissions services
* Add dashboard permissions when importing a new dashboard
* Set access control permissions on provisioning
* Pass feature flags and only set permissions if access control is enabled
* only add default permissions for folders and dashboards without folders
* Batch create permissions in migrations
* Remove `dashboards:edit` action
* Remove unused function from interface
* Update pkg/services/guardian/accesscontrol_guardian_test.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* AccessControl: Add endpoint to get user permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* Fix SA tests
* Linter is wrong :p
* Wait I was wrong
* Adding the route for teams:creator too
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* AccessControl: Filter team members
* Modify GetTeamMembersByUser comment
* Fix postgres failing test due to quoting
* Rename GetTeamMembersByUser to GetUserTeamMemberships
* Update TeamStore interface
* add actions for team group sync
* extend the hook to allow specifying whether the user is external
* move user struct to type package
* interface for permission service to allow mocking it
* reuse existing permissions
* test fix
* refactor
* linting
* AccessControl: Add access control actions and scopes to team update and delete
* AccessControl: Add tests for AC guards in update/delete
* AccessControl: add fixed role for team writer
* AccessControl: ensure team related AC is deleted with team
* Update pkg/api/team_test.go
* AccessControl: cover team permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Define actions in roles.go
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove action from accesscontrol model
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* As suggested by kalle
* move some changes from branch to the skeleton PR
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* moving resourceservice to the main wire file pt2
* move team related actions so that they can be reused
* PR feedback
* fix
* typo
* Access Control: adding hooks for team member endpoints (#43991)
* AccessControl: cover team permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Define actions in roles.go
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove action from accesscontrol model
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* As suggested by kalle
* add access control to list and add team member endpoint, and hooks for adding team members
* member permission type is 0
* add ID scope for team permission checks
* add more team actions, use Member for member permission name
* protect team member update endpoint with FGAC permissions
* update SQL functions for teams and the corresponding tests
* also protect team member removal endpoint with FGAC permissions and add a hook to permission service
* a few small fixes, provide team permission service to test setup
* AccessControl: cover team permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Define actions in roles.go
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove action from accesscontrol model
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* As suggested by kalle
* move some changes from branch to the skeleton PR
* remove resource services from wireexts
* remove unneeded actions
* linting fix
* remove comments
* feedback fixes
* feedback
* simplifying
* remove team member within the same transaction
* fix a mistake with the error
* call the correct sql fction
* linting
* Access control: tests for team member endpoints (#44177)
* tests for team member endpoints
* clean up and fix the tests
* fixing tests take 2
* don't import enterprise test license
* don't import enterprise test license
* remove unused variable
Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Refactor: Change sqlstore.inTransaction to SQLStore.WithTransactionalDBSession in misc files
* Refactor: Change .inTransaction in org.go file
* Refactor: Update init() to proper SQLStore handlers
* Refactor: Update funcs in tests to be sqlStore methods
* Refactor: Update API funcs to receive HTTPServer
* Fix: define methods on sqlstore
* Adjust GetSignedInUser calls
* Refactor: Add sqlStore to Service struct
* Chore: Add back black spaces to remove file from PR
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
* AccessControl: POC scope attribute resolution
Refactor based on ScopeMutators
test errors and calls to cache
Add comments to tests
Rename logger
Create keywordMutator only once
* AccessControl: Add AttributeScopeResolver registration
Co-authored-by: gamab <gabriel.mabille@grafana.com>
* AccessControl: Add AttributeScopeResolver to datasources
Co-authored-by: gamab <gabriel.mabille@grafana.com>
* Test evaluation with translation
* fix imports
* AccessControl: Test attribute resolver
* Fix trailing white space
* Make ScopeResolver public for enterprise redefine
* Handle wildcard
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Co-authored-by: jguer <joao.guerreiro@grafana.com>
* AccessControl: Provide scope to frontend
* Covering datasources with accesscontrol metadata
* Write benchmark tests for GetResourcesMetadata
* Add accesscontrol util and interface
* Add the hasPermissionInMetadata function in the frontend access control code
* Use IsDisabled rather that performing a feature toggle check
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* add permission structure to signedinuser
* add middleware to load user permissions into signedinuser struct
* apply LoadPermissionsMiddleware to http server
* check for permissions in signedinuser struct
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* AccessControl: FGAC permissions for orgs endpoint on frontend
Protect org update endpoints
add or refactor missing right messages
cover org page
* removing scopes from orgs
* Perform permission control with global org
* Perform the error handling in case of 403
* Simplify frontend code by requiring read access for sure
* Remove roles I added to decrease the number of changes
* Remove the check for server admin to reduce the number of changes
* change error message
* Cleaning todos
* Remove unecessary changes
* Fix tests
* Update test snapshot
* Update pkg/api/roles.go
Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
* Update public/app/features/admin/AdminEditOrgPage.tsx
Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
* Format AdminEditOrgPage for linting
* Update public/app/features/admin/AdminEditOrgPage.tsx
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
* Update public/app/features/admin/AdminEditOrgPage.tsx
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* Update public/app/features/admin/AdminListOrgsPage.tsx
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* Commit suggestions
* Commit suggestion canRead canWrite
* fix typo
Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
