mirror of
https://github.com/grafana/grafana.git
synced 2024-11-28 11:44:26 -06:00
7ebf4027a7
* add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
76 lines
1.9 KiB
Go
76 lines
1.9 KiB
Go
package api
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
|
|
"github.com/grafana/grafana/pkg/api/response"
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
func (hs *HTTPServer) AdminGetSettings(c *models.ReqContext) response.Response {
|
|
settings, err := hs.getAuthorizedSettings(c.Req.Context(), c.SignedInUser, hs.SettingsProvider.Current())
|
|
if err != nil {
|
|
return response.Error(http.StatusForbidden, "Failed to authorize settings", err)
|
|
}
|
|
return response.JSON(http.StatusOK, settings)
|
|
}
|
|
|
|
func AdminGetStats(c *models.ReqContext) response.Response {
|
|
statsQuery := models.GetAdminStatsQuery{}
|
|
|
|
if err := bus.Dispatch(&statsQuery); err != nil {
|
|
return response.Error(500, "Failed to get admin stats from database", err)
|
|
}
|
|
|
|
return response.JSON(200, statsQuery.Result)
|
|
}
|
|
|
|
func (hs *HTTPServer) getAuthorizedSettings(ctx context.Context, user *models.SignedInUser, bag setting.SettingsBag) (setting.SettingsBag, error) {
|
|
if hs.AccessControl.IsDisabled() {
|
|
return bag, nil
|
|
}
|
|
|
|
eval := func(scope string) (bool, error) {
|
|
return hs.AccessControl.Evaluate(ctx, user, ac.EvalPermission(ac.ActionSettingsRead, scope))
|
|
}
|
|
|
|
ok, err := eval(ac.ScopeSettingsAll)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if ok {
|
|
return bag, nil
|
|
}
|
|
|
|
authorizedBag := make(setting.SettingsBag)
|
|
|
|
for section, keys := range bag {
|
|
ok, err := eval(ac.Scope("settings", section, "*"))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if ok {
|
|
authorizedBag[section] = keys
|
|
continue
|
|
}
|
|
|
|
for key := range keys {
|
|
ok, err := eval(ac.Scope("settings", section, key))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if ok {
|
|
if _, exists := authorizedBag[section]; !exists {
|
|
authorizedBag[section] = make(map[string]string)
|
|
}
|
|
authorizedBag[section][key] = bag[section][key]
|
|
}
|
|
}
|
|
}
|
|
return authorizedBag, nil
|
|
}
|