mirror of
https://github.com/grafana/grafana.git
synced 2025-08-01 05:21:50 +08:00
Team access changes for editors when editorsCanAdmin is enabled (#45405)
* filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
This commit is contained in:
Ieva
@ -133,7 +133,7 @@ func (hs *HTTPServer) SearchTeams(c *models.ReqContext) response.Response {
|
||||
// Using accesscontrol the filtering is done based on user permissions
|
||||
userIdFilter := models.FilterIgnoreUser
|
||||
if !hs.Features.IsEnabled(featuremgmt.FlagAccesscontrol) {
|
||||
userIdFilter = userFilter(hs.Cfg.EditorsCanAdmin, c)
|
||||
userIdFilter = userFilter(c)
|
||||
}
|
||||
|
||||
query := models.SearchTeamsQuery{
|
||||
@ -189,14 +189,12 @@ func (hs *HTTPServer) getTeamAccessControlMetadata(c *models.ReqContext, teamID
|
||||
|
||||
// UserFilter returns the user ID used in a filter when querying a team
|
||||
// 1. If the user is a viewer or editor, this will return the user's ID.
|
||||
// 2. If EditorsCanAdmin is enabled and the user is an editor, this will return models.FilterIgnoreUser (0)
|
||||
// 3. If the user is an admin, this will return models.FilterIgnoreUser (0)
|
||||
func userFilter(editorsCanAdmin bool, c *models.ReqContext) int64 {
|
||||
// 2. If the user is an admin, this will return models.FilterIgnoreUser (0)
|
||||
func userFilter(c *models.ReqContext) int64 {
|
||||
userIdFilter := c.SignedInUser.UserId
|
||||
if (editorsCanAdmin && c.OrgRole == models.ROLE_EDITOR) || c.OrgRole == models.ROLE_ADMIN {
|
||||
if c.OrgRole == models.ROLE_ADMIN {
|
||||
userIdFilter = models.FilterIgnoreUser
|
||||
}
|
||||
|
||||
return userIdFilter
|
||||
}
|
||||
|
||||
@ -210,7 +208,7 @@ func (hs *HTTPServer) GetTeamByID(c *models.ReqContext) response.Response {
|
||||
// Using accesscontrol the filtering has already been performed at middleware layer
|
||||
userIdFilter := models.FilterIgnoreUser
|
||||
if !hs.Features.IsEnabled(featuremgmt.FlagAccesscontrol) {
|
||||
userIdFilter = userFilter(hs.Cfg.EditorsCanAdmin, c)
|
||||
userIdFilter = userFilter(c)
|
||||
}
|
||||
|
||||
query := models.GetTeamByIdQuery{
|
||||
|
||||
@ -40,39 +40,69 @@ func TestTeamAPIEndpoint(t *testing.T) {
|
||||
hs.SQLStore = store
|
||||
mock := &mockstore.SQLStoreMock{}
|
||||
|
||||
loggedInUserScenario(t, "When calling GET on", "/api/teams/search", "/api/teams/search", func(sc *scenarioContext) {
|
||||
_, err := hs.SQLStore.CreateTeam("team1", "", 1)
|
||||
require.NoError(t, err)
|
||||
_, err = hs.SQLStore.CreateTeam("team2", "", 1)
|
||||
require.NoError(t, err)
|
||||
loggedInUserScenarioWithRole(t, "When admin is calling GET on", "GET", "/api/teams/search", "/api/teams/search",
|
||||
models.ROLE_ADMIN, func(sc *scenarioContext) {
|
||||
_, err := hs.SQLStore.CreateTeam("team1", "", 1)
|
||||
require.NoError(t, err)
|
||||
_, err = hs.SQLStore.CreateTeam("team2", "", 1)
|
||||
require.NoError(t, err)
|
||||
|
||||
sc.handlerFunc = hs.SearchTeams
|
||||
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
|
||||
require.Equal(t, http.StatusOK, sc.resp.Code)
|
||||
var resp models.SearchTeamQueryResult
|
||||
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
|
||||
require.NoError(t, err)
|
||||
sc.handlerFunc = hs.SearchTeams
|
||||
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
|
||||
require.Equal(t, http.StatusOK, sc.resp.Code)
|
||||
var resp models.SearchTeamQueryResult
|
||||
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.EqualValues(t, 2, resp.TotalCount)
|
||||
assert.Equal(t, 2, len(resp.Teams))
|
||||
}, mock)
|
||||
assert.EqualValues(t, 2, resp.TotalCount)
|
||||
assert.Equal(t, 2, len(resp.Teams))
|
||||
}, mock)
|
||||
|
||||
loggedInUserScenario(t, "When calling GET on", "/api/teams/search", "/api/teams/search", func(sc *scenarioContext) {
|
||||
_, err := hs.SQLStore.CreateTeam("team1", "", 1)
|
||||
require.NoError(t, err)
|
||||
_, err = hs.SQLStore.CreateTeam("team2", "", 1)
|
||||
require.NoError(t, err)
|
||||
loggedInUserScenario(t, "When editor (with editors_can_admin) is calling GET on", "/api/teams/search",
|
||||
"/api/teams/search", func(sc *scenarioContext) {
|
||||
team1, err := hs.SQLStore.CreateTeam("team1", "", 1)
|
||||
require.NoError(t, err)
|
||||
_, err = hs.SQLStore.CreateTeam("team2", "", 1)
|
||||
require.NoError(t, err)
|
||||
|
||||
sc.handlerFunc = hs.SearchTeams
|
||||
sc.fakeReqWithParams("GET", sc.url, map[string]string{"perpage": "10", "page": "2"}).exec()
|
||||
require.Equal(t, http.StatusOK, sc.resp.Code)
|
||||
var resp models.SearchTeamQueryResult
|
||||
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
|
||||
require.NoError(t, err)
|
||||
// Adding the test user to the teams in order for him to list them
|
||||
err = hs.SQLStore.AddTeamMember(testUserID, testOrgID, team1.Id, false, 0)
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.EqualValues(t, 2, resp.TotalCount)
|
||||
assert.Equal(t, 0, len(resp.Teams))
|
||||
}, mock)
|
||||
sc.handlerFunc = hs.SearchTeams
|
||||
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
|
||||
require.Equal(t, http.StatusOK, sc.resp.Code)
|
||||
var resp models.SearchTeamQueryResult
|
||||
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.EqualValues(t, 1, resp.TotalCount)
|
||||
assert.Equal(t, 1, len(resp.Teams))
|
||||
}, mock)
|
||||
|
||||
loggedInUserScenario(t, "When editor (with editors_can_admin) calling GET with pagination on",
|
||||
"/api/teams/search", "/api/teams/search", func(sc *scenarioContext) {
|
||||
team1, err := hs.SQLStore.CreateTeam("team1", "", 1)
|
||||
require.NoError(t, err)
|
||||
team2, err := hs.SQLStore.CreateTeam("team2", "", 1)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Adding the test user to the teams in order for him to list them
|
||||
err = hs.SQLStore.AddTeamMember(testUserID, testOrgID, team1.Id, false, 0)
|
||||
require.NoError(t, err)
|
||||
err = hs.SQLStore.AddTeamMember(testUserID, testOrgID, team2.Id, false, 0)
|
||||
require.NoError(t, err)
|
||||
|
||||
sc.handlerFunc = hs.SearchTeams
|
||||
sc.fakeReqWithParams("GET", sc.url, map[string]string{"perpage": "10", "page": "2"}).exec()
|
||||
require.Equal(t, http.StatusOK, sc.resp.Code)
|
||||
var resp models.SearchTeamQueryResult
|
||||
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.EqualValues(t, 2, resp.TotalCount)
|
||||
assert.Equal(t, 0, len(resp.Teams))
|
||||
}, mock)
|
||||
})
|
||||
|
||||
t.Run("When creating team with API key", func(t *testing.T) {
|
||||
|
||||
Reference in New Issue
Block a user