diff --git a/pkg/api/accesscontrol.go b/pkg/api/accesscontrol.go
index 9f948866810..4d2f33a9516 100644
--- a/pkg/api/accesscontrol.go
+++ b/pkg/api/accesscontrol.go
@@ -328,7 +328,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 Group: "Dashboards",
 Permissions: []ac.Permission{
 {Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
- {Action: ac.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
+ {Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
 },
 },
 Grants: []string{"Editor"},
@@ -342,7 +342,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 Description: "Read all dashboards.",
 Group: "Dashboards",
 Permissions: []ac.Permission{
- {Action: ac.ActionDashboardsRead, Scope: ac.ScopeDashboardsAll},
+ {Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
 },
 },
 Grants: []string{"Admin"},
@@ -356,11 +356,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
 Group: "Dashboards",
 Description: "Create, read, write or delete all dashboards and their permissions.",
 Permissions: ac.ConcatPermissions(dashboardsReaderRole.Role.Permissions, []ac.Permission{
- {Action: ac.ActionDashboardsWrite, Scope: ac.ScopeDashboardsAll},
- {Action: ac.ActionDashboardsDelete, Scope: ac.ScopeDashboardsAll},
- {Action: ac.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
- {Action: ac.ActionDashboardsPermissionsRead, Scope: ac.ScopeDashboardsAll},
- {Action: ac.ActionDashboardsPermissionsWrite, Scope: ac.ScopeDashboardsAll},
+ {Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeDashboardsAll},
+ {Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeDashboardsAll},
+ {Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
+ {Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeDashboardsAll},
+ {Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeDashboardsAll},
 }),
 },
 Grants: []string{"Admin"},
@@ -389,7 +389,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 Group: "Folders",
 Permissions: []ac.Permission{
 {Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersAll},
- {Action: ac.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
+ {Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
 },
 },
 Grants: []string{"Admin"},
@@ -408,11 +408,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
 {Action: dashboards.ActionFoldersCreate},
 {Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersAll},
 {Action: dashboards.ActionFoldersDelete, Scope: dashboards.ScopeFoldersAll},
- {Action: ac.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
- {Action: ac.ActionDashboardsDelete, Scope: dashboards.ScopeFoldersAll},
- {Action: ac.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
- {Action: ac.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeFoldersAll},
- {Action: ac.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeFoldersAll},
+ {Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
+ {Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeFoldersAll},
+ {Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
+ {Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeFoldersAll},
+ {Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeFoldersAll},
 }),
 },
 Grants: []string{"Admin"},
diff --git a/pkg/api/annotations.go b/pkg/api/annotations.go
index 24a34e77e08..d59c6d97583 100644
--- a/pkg/api/annotations.go
+++ b/pkg/api/annotations.go
@@ -12,6 +12,7 @@ import (
 "github.com/grafana/grafana/pkg/models"
 "github.com/grafana/grafana/pkg/services/accesscontrol"
 "github.com/grafana/grafana/pkg/services/annotations"
+ "github.com/grafana/grafana/pkg/services/dashboards"
 "github.com/grafana/grafana/pkg/services/guardian"
 "github.com/grafana/grafana/pkg/util"
 "github.com/grafana/grafana/pkg/web"
@@ -456,7 +457,7 @@ func AnnotationTypeScopeResolver() (string, accesscontrol.ScopeAttributeResolver
 OrgId: orgID,
 Permissions: map[int64]map[string][]string{
 orgID: {
- accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
+ dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
 accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
 },
 },
diff --git a/pkg/api/api.go b/pkg/api/api.go
index 595a8faa6d4..3ebbb720dc8 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -354,12 +354,12 @@ func (hs *HTTPServer) registerRoutes() { // Dashboard apiRoute.Group("/dashboards", func(dashboardRoute routing.RouteRegister) { - dashboardRoute.Get("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsRead)), routing.Wrap(hs.GetDashboard)) - dashboardRoute.Delete("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsDelete)), routing.Wrap(hs.DeleteDashboardByUID)) + dashboardRoute.Get("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsRead)), routing.Wrap(hs.GetDashboard)) + dashboardRoute.Delete("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsDelete)), routing.Wrap(hs.DeleteDashboardByUID)) dashboardRoute.Group("/uid/:uid", func(dashUidRoute routing.RouteRegister) { dashUidRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) { - dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList)) - dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions)) + dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList)) + dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions)) }) }) 
@@ -372,22 +372,22 @@ func (hs *HTTPServer) registerRoutes() { } } - dashboardRoute.Post("/calculate-diff", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.CalculateDashboardDiff)) + dashboardRoute.Post("/calculate-diff", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.CalculateDashboardDiff)) dashboardRoute.Post("/trim", routing.Wrap(hs.TrimDashboard)) - dashboardRoute.Post("/db", authorize(reqSignedIn, ac.EvalAny(ac.EvalPermission(ac.ActionDashboardsCreate), ac.EvalPermission(ac.ActionDashboardsWrite))), routing.Wrap(hs.PostDashboard)) + dashboardRoute.Post("/db", authorize(reqSignedIn, ac.EvalAny(ac.EvalPermission(dashboards.ActionDashboardsCreate), ac.EvalPermission(dashboards.ActionDashboardsWrite))), routing.Wrap(hs.PostDashboard)) dashboardRoute.Get("/home", routing.Wrap(hs.GetHomeDashboard)) dashboardRoute.Get("/tags", hs.GetDashboardTags) // Deprecated: use /uid/:uid API instead. dashboardRoute.Group("/id/:dashboardId", func(dashIdRoute routing.RouteRegister) { - dashIdRoute.Get("/versions", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions)) - dashIdRoute.Get("/versions/:id", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion)) - dashIdRoute.Post("/restore", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion)) + dashIdRoute.Get("/versions", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions)) + dashIdRoute.Get("/versions/:id", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion)) + dashIdRoute.Post("/restore", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion)) dashIdRoute.Group("/permissions", 
func(dashboardPermissionRoute routing.RouteRegister) { - dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList)) - dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions)) + dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList)) + dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions)) }) }) }) diff --git a/pkg/api/index.go b/pkg/api/index.go index 7df72ac4b67..1e3ad32d444 100644 --- a/pkg/api/index.go +++ b/pkg/api/index.go @@ -572,7 +572,7 @@ func (hs *HTTPServer) buildCreateNavLinks(c *models.ReqContext) []*dtos.NavLink hasAccess := ac.HasAccess(hs.AccessControl, c) var children []*dtos.NavLink - if hasAccess(ac.ReqSignedIn, ac.EvalPermission(ac.ActionDashboardsCreate)) { + if hasAccess(ac.ReqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsCreate)) { children = append(children, &dtos.NavLink{Text: "Dashboard", Icon: "apps", Url: hs.Cfg.AppSubURL + "/dashboard/new", Id: "create-dashboard"}) } @@ -583,7 +583,7 @@ func (hs *HTTPServer) buildCreateNavLinks(c *models.ReqContext) []*dtos.NavLink }) } - if hasAccess(ac.ReqSignedIn, ac.EvalPermission(ac.ActionDashboardsCreate)) { + if hasAccess(ac.ReqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsCreate)) { children = append(children, &dtos.NavLink{ Text: "Import", SubTitle: "Import dashboard from file or Grafana.com", Id: "import", Icon: "import", Url: hs.Cfg.AppSubURL + "/dashboard/import", 
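Review bot: `dashboardRoute.Post("/trim", routing.Wrap(hs.TrimDashboard))` is the one dashboard route in this hunk registered without an `authorize(...)` wrapper, while the sibling `/calculate-diff` and `/db` POST routes directly above and below it now evaluate `dashboards.ActionDashboardsWrite` / `dashboards.ActionDashboardsCreate`. If the handler only transforms the posted body and reads or writes no stored dashboard, a one-line comment saying so would stop the next reader from flagging it; otherwise it should be guarded like its neighbours, e.g. `dashboardRoute.Post("/trim", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.TrimDashboard))`. The `/home` and `/tags` GET routes in the same hunk are in the same position. The enclosing `apiRoute.Group("/dashboards", ...)` closure starts in the previous hunk and may already apply a signed-in requirement to the whole group, which I cannot see from here.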
@@ -651,7 +651,7 @@ func (hs *HTTPServer) editorInAnyFolder(c *models.ReqContext) bool { func (hs *HTTPServer) setIndexViewData(c *models.ReqContext) (*dtos.IndexViewData, error) { hasAccess := ac.HasAccess(hs.AccessControl, c) - hasEditPerm := hasAccess(hs.editorInAnyFolder, ac.EvalAny(ac.EvalPermission(ac.ActionDashboardsCreate), ac.EvalPermission(dashboards.ActionFoldersCreate))) + hasEditPerm := hasAccess(hs.editorInAnyFolder, ac.EvalAny(ac.EvalPermission(dashboards.ActionDashboardsCreate), ac.EvalPermission(dashboards.ActionFoldersCreate))) settings, err := hs.getFrontendSettingsMap(c) if err != nil { diff --git a/pkg/services/accesscontrol/models.go b/pkg/services/accesscontrol/models.go index 26222da0baa..2552a1eb17f 100644 --- a/pkg/services/accesscontrol/models.go +++ b/pkg/services/accesscontrol/models.go @@ -359,17 +359,6 @@ const ( ActionAnnotationsRead = "annotations:read" ActionAnnotationsWrite = "annotations:write" - // Dashboard actions - ActionDashboardsCreate = "dashboards:create" - ActionDashboardsRead = "dashboards:read" - ActionDashboardsWrite = "dashboards:write" - ActionDashboardsDelete = "dashboards:delete" - ActionDashboardsPermissionsRead = "dashboards.permissions:read" - ActionDashboardsPermissionsWrite = "dashboards.permissions:write" - - // Dashboard scopes - ScopeDashboardsAll = "dashboards:*" - // Alert scopes are divided into two groups. The internal (to Grafana) and the external ones. // For the Grafana ones, given we have ACID control we're able to provide better granularity by defining CRUD options. // For the external ones, we only have read and write permissions due to the lack of atomicity control of the external system. diff --git a/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go b/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go index 217812cea9f..a1208cb90fc 100644 --- a/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go 
+++ b/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go @@ -138,9 +138,9 @@ func ProvideTeamPermissions( return resourcepermissions.New(options, cfg, router, ac, store, sql) } -var DashboardViewActions = []string{accesscontrol.ActionDashboardsRead} -var DashboardEditActions = append(DashboardViewActions, []string{accesscontrol.ActionDashboardsWrite, accesscontrol.ActionDashboardsDelete}...) -var DashboardAdminActions = append(DashboardEditActions, []string{accesscontrol.ActionDashboardsPermissionsRead, accesscontrol.ActionDashboardsPermissionsWrite}...) +var DashboardViewActions = []string{dashboards.ActionDashboardsRead} +var DashboardEditActions = append(DashboardViewActions, []string{dashboards.ActionDashboardsWrite, dashboards.ActionDashboardsDelete}...) +var DashboardAdminActions = append(DashboardEditActions, []string{dashboards.ActionDashboardsPermissionsRead, dashboards.ActionDashboardsPermissionsWrite}...) func ProvideDashboardPermissions( cfg *setting.Cfg, router routing.RouteRegister, sql *sqlstore.SQLStore, @@ -203,7 +203,7 @@ func ProvideDashboardPermissions( } var FolderViewActions = []string{dashboards.ActionFoldersRead} -var FolderEditActions = append(FolderViewActions, []string{dashboards.ActionFoldersWrite, dashboards.ActionFoldersDelete, accesscontrol.ActionDashboardsCreate}...) +var FolderEditActions = append(FolderViewActions, []string{dashboards.ActionFoldersWrite, dashboards.ActionFoldersDelete, dashboards.ActionDashboardsCreate}...) var FolderAdminActions = append(FolderEditActions, []string{dashboards.ActionFoldersPermissionsRead, dashboards.ActionFoldersPermissionsWrite}...) func ProvideFolderPermissions( diff --git a/pkg/services/dashboardimport/api/api.go b/pkg/services/dashboardimport/api/api.go index 9c64d2b512a..95b05e52ddc 100644 --- a/pkg/services/dashboardimport/api/api.go +++ b/pkg/services/dashboardimport/api/api.go 
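Review bot: The rewritten `DashboardEditActions` and `DashboardAdminActions` initialisers still build one exported slice by `append`ing to the previous exported slice, so each list shares its backing array with the shorter one whenever the append fits in spare capacity; whether it does depends on the runtime's growth policy rather than on anything in this file, and a later `append` by any importer of these exported vars could then overwrite an element of the next list. Copying before extending removes that dependency: `var DashboardEditActions = append(append([]string(nil), DashboardViewActions...), dashboards.ActionDashboardsWrite, dashboards.ActionDashboardsDelete)` and the equivalent for `DashboardAdminActions`; the `FolderEditActions` line in the second hunk has the same shape. Since these slices define which actions the view/edit/admin permission levels grant, a doc comment on the block stating that they are read-only after package init would also be worth adding.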
@@ -12,6 +12,7 @@ import ( "github.com/grafana/grafana/pkg/plugins" "github.com/grafana/grafana/pkg/services/accesscontrol" "github.com/grafana/grafana/pkg/services/dashboardimport" + "github.com/grafana/grafana/pkg/services/dashboards" "github.com/grafana/grafana/pkg/web" ) @@ -39,7 +40,7 @@ func (api *ImportDashboardAPI) RegisterAPIEndpoints(routeRegister routing.RouteR routeRegister.Group("/api/dashboards", func(route routing.RouteRegister) { route.Post( "/import", - authorize(middleware.ReqSignedIn, accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate)), + authorize(middleware.ReqSignedIn, accesscontrol.EvalPermission(dashboards.ActionDashboardsCreate)), routing.Wrap(api.ImportDashboard), ) }, middleware.ReqSignedIn) diff --git a/pkg/services/dashboards/accesscontrol.go b/pkg/services/dashboards/accesscontrol.go index aa6f1db6971..ae2fb0cd4e2 100644 --- a/pkg/services/dashboards/accesscontrol.go +++ b/pkg/services/dashboards/accesscontrol.go @@ -21,11 +21,20 @@ const ( ScopeDashboardsRoot = "dashboards" ScopeDashboardsPrefix = "dashboards:uid:" + + ActionDashboardsCreate = "dashboards:create" + ActionDashboardsRead = "dashboards:read" + ActionDashboardsWrite = "dashboards:write" + ActionDashboardsDelete = "dashboards:delete" + ActionDashboardsPermissionsRead = "dashboards.permissions:read" + ActionDashboardsPermissionsWrite = "dashboards.permissions:write" ) var ( - ScopeFoldersAll = ac.GetResourceAllScope(ScopeFoldersRoot) - ScopeFoldersProvider = ac.NewScopeProvider(ScopeFoldersRoot) + ScopeFoldersProvider = ac.NewScopeProvider(ScopeFoldersRoot) + ScopeFoldersAll = ScopeFoldersProvider.GetResourceAllScope() + ScopeDashboardsProvider = ac.NewScopeProvider(ScopeDashboardsRoot) + ScopeDashboardsAll = ScopeDashboardsProvider.GetResourceAllScope() ) // NewFolderNameScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "folders:name:" into an uid based scope. 
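Review bot: The six `ActionDashboards*` constants added to the `const` block in pkg/services/dashboards/accesscontrol.go are exported and carry no doc comment, and the `// Dashboard actions` header that the block removed from pkg/services/accesscontrol/models.go carried is not brought across; a line such as `// Dashboard actions, referenced by the fixed roles, the route guards and the dashboard guardian.` above `ActionDashboardsCreate` would keep the grouping readable. `ScopeDashboardsAll` also changes kind in this hunk: it was a `const` string in the removed block and is now a package-level `var` computed from `ScopeDashboardsProvider.GetResourceAllScope()`, so it can no longer be used in constant expressions and any importer could reassign it. The guardian tests in this commit still spell the wildcard as the literal `"dashboards:*"`, so nothing visible pins that the provider yields the same string; a comment on the `var` block saying these values are derived from `ScopeDashboardsRoot` and must not be reassigned, plus a small assertion in the package's tests that `ScopeDashboardsAll == "dashboards:*"`, would close that gap.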
diff --git a/pkg/services/dashboards/manager/dashboard_service.go b/pkg/services/dashboards/manager/dashboard_service.go index d23bf6fce8a..56c41c3568c 100644 --- a/pkg/services/dashboards/manager/dashboard_service.go +++ b/pkg/services/dashboards/manager/dashboard_service.go @@ -22,10 +22,10 @@ import ( var ( provisionerPermissions = map[string][]string{ - m.ActionFoldersCreate: {}, - m.ActionFoldersWrite: {m.ScopeFoldersAll}, - accesscontrol.ActionDashboardsCreate: {m.ScopeFoldersAll}, - accesscontrol.ActionDashboardsWrite: {m.ScopeFoldersAll}, + m.ActionFoldersCreate: {}, + m.ActionFoldersWrite: {m.ScopeFoldersAll}, + m.ActionDashboardsCreate: {m.ScopeFoldersAll}, + m.ActionDashboardsWrite: {m.ScopeFoldersAll}, } ) diff --git a/pkg/services/guardian/accesscontrol_guardian.go b/pkg/services/guardian/accesscontrol_guardian.go index 80f4d71e9de..5e3dd3b33ff 100644 --- a/pkg/services/guardian/accesscontrol_guardian.go +++ b/pkg/services/guardian/accesscontrol_guardian.go @@ -53,12 +53,12 @@ func (a *AccessControlDashboardGuardian) CanSave() (bool, error) { } if a.dashboard.IsFolder { - return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboard.Uid))) + return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid))) } return a.evaluate(accesscontrol.EvalAny( - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Uid)), - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.parentFolderUID)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), )) } 
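Review bot: Inlining `dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)` and `dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)` into every evaluator call makes each `EvalPermission` line in `CanSave` — and likewise in `CanEdit`, `CanView`, `CanAdmin`, `CanDelete` and `CanCreate` in the following hunks — long enough that the action being checked is easy to miss, which is the part a reviewer of an authorization guard most needs to see. The `dashboardScope`/`folderScope` helpers this commit deletes at the end of the file could be kept as thin wrappers over the two providers, or the scopes computed once at the top of each method: `dashScope := dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)` and `folderScope := dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)`. Separately, the non-folder branch of `CanEdit` in the next hunk is now byte-identical to the one in `CanSave` (same action, same two scopes); if the two methods share a contract one could delegate to the other, and if not, a comment on `CanEdit` explaining the distinction would help. The opening lines of both methods are outside these hunks, so I cannot tell which applies.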
@@ -71,12 +71,12 @@ func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) { } if a.dashboard.IsFolder { - return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboard.Uid))) + return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid))) } return a.evaluate(accesscontrol.EvalAny( - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Uid)), - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.parentFolderUID)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), )) } @@ -86,12 +86,12 @@ func (a *AccessControlDashboardGuardian) CanView() (bool, error) { } if a.dashboard.IsFolder { - return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, folderScope(a.dashboard.Uid))) + return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid))) } return a.evaluate(accesscontrol.EvalAny( - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, dashboardScope(a.dashboard.Uid)), - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, folderScope(a.parentFolderUID)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), )) } 
@@ -102,19 +102,19 @@ func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) { if a.dashboard.IsFolder { return a.evaluate(accesscontrol.EvalAll( - accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, folderScope(a.dashboard.Uid)), - accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, folderScope(a.dashboard.Uid)), + accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)), + accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)), )) } return a.evaluate(accesscontrol.EvalAny( accesscontrol.EvalAll( - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, dashboardScope(a.dashboard.Uid)), - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, dashboardScope(a.dashboard.Uid)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), ), accesscontrol.EvalAll( - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, folderScope(a.parentFolderUID)), - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, folderScope(a.parentFolderUID)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), ), )) } 
@@ -125,12 +125,12 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) { } if a.dashboard.IsFolder { - return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, folderScope(a.dashboard.Uid))) + return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid))) } return a.evaluate(accesscontrol.EvalAny( - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, dashboardScope(a.dashboard.Uid)), - accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, folderScope(a.parentFolderUID)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)), + accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)), )) } @@ -142,7 +142,7 @@ func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool if err != nil { return false, err } - return a.evaluate(accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folder.Uid))) + return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionDashboardsCreate, dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.Uid))) } func (a *AccessControlDashboardGuardian) evaluate(evaluator accesscontrol.Evaluator) (bool, error) { @@ -283,11 +283,3 @@ func (a *AccessControlDashboardGuardian) loadParentFolder(folderID int64) (*mode } return folderQuery.Result, nil } - -func dashboardScope(uid string) string { - return accesscontrol.GetResourceScopeUID("dashboards", uid) -} - -func folderScope(uid string) string { - return dashboards.ScopeFoldersProvider.GetResourceScopeUID(uid) -} diff --git a/pkg/services/guardian/accesscontrol_guardian_test.go b/pkg/services/guardian/accesscontrol_guardian_test.go index b38672d8fcc..c780df1cd17 100644 --- a/pkg/services/guardian/accesscontrol_guardian_test.go 
+++ b/pkg/services/guardian/accesscontrol_guardian_test.go
@@ -36,7 +36,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "dashboards:*",
 },
 },
@@ -47,7 +47,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "folders:*",
 },
 },
@@ -58,7 +58,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "dashboards:uid:1",
 },
 },
@@ -69,7 +69,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "folders:uid:general",
 },
 },
@@ -80,7 +80,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "dashboards:uid:10",
 },
 },
@@ -91,7 +91,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "folders:uid:100",
 },
 },
@@ -116,7 +116,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "dashboards:*",
 },
 },
@@ -127,7 +127,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "folders:*",
 },
 },
@@ -138,7 +138,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "dashboards:uid:1",
 },
 },
@@ -149,7 +149,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "folders:uid:general",
 },
 },
@@ -160,7 +160,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "dashboards:uid:10",
 },
 },
@@ -171,7 +171,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsWrite,
+ Action: dashboards.ActionDashboardsWrite,
 Scope: "folders:uid:10",
 },
 },
@@ -182,7 +182,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsRead,
+ Action: dashboards.ActionDashboardsRead,
 Scope: "dashboards:uid:1",
 },
 },
@@ -212,7 +212,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsRead,
+ Action: dashboards.ActionDashboardsRead,
 Scope: "dashboards:*",
 },
 },
@@ -223,7 +223,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsRead,
+ Action: dashboards.ActionDashboardsRead,
 Scope: "folders:*",
 },
 },
@@ -234,7 +234,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsRead,
+ Action: dashboards.ActionDashboardsRead,
 Scope: "dashboards:uid:1",
 },
 },
@@ -245,7 +245,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsRead,
+ Action: dashboards.ActionDashboardsRead,
 Scope: "folders:uid:general",
 },
 },
@@ -256,7 +256,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsRead,
+ Action: dashboards.ActionDashboardsRead,
 Scope: "dashboards:uid:10",
 },
 },
@@ -267,7 +267,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsRead,
+ Action: dashboards.ActionDashboardsRead,
 Scope: "folders:uid:10",
 },
 },
@@ -292,11 +292,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsPermissionsRead,
+ Action: dashboards.ActionDashboardsPermissionsRead,
 Scope: "dashboards:*",
 },
 {
- Action: accesscontrol.ActionDashboardsPermissionsWrite,
+ Action: dashboards.ActionDashboardsPermissionsWrite,
 Scope: "dashboards:*",
 },
 },
@@ -307,11 +307,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsPermissionsRead,
+ Action: dashboards.ActionDashboardsPermissionsRead,
 Scope: "folders:*",
 },
 {
- Action: accesscontrol.ActionDashboardsPermissionsWrite,
+ Action: dashboards.ActionDashboardsPermissionsWrite,
 Scope: "folders:*",
 },
 },
@@ -322,11 +322,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsPermissionsRead,
+ Action: dashboards.ActionDashboardsPermissionsRead,
 Scope: "dashboards:uid:1",
 },
 {
- Action: accesscontrol.ActionDashboardsPermissionsWrite,
+ Action: dashboards.ActionDashboardsPermissionsWrite,
 Scope: "dashboards:uid:1",
 },
 },
@@ -337,11 +337,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsPermissionsRead,
+ Action: dashboards.ActionDashboardsPermissionsRead,
 Scope: "folders:uid:general",
 },
 {
- Action: accesscontrol.ActionDashboardsPermissionsWrite,
+ Action: dashboards.ActionDashboardsPermissionsWrite,
 Scope: "folders:uid:general",
 },
 },
@@ -352,11 +352,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsPermissionsRead,
+ Action: dashboards.ActionDashboardsPermissionsRead,
 Scope: "dashboards:uid:10",
 },
 {
- Action: accesscontrol.ActionDashboardsPermissionsWrite,
+ Action: dashboards.ActionDashboardsPermissionsWrite,
 Scope: "dashboards:uid:10",
 },
 },
@@ -367,11 +367,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsPermissionsRead,
+ Action: dashboards.ActionDashboardsPermissionsRead,
 Scope: "folders:uid:10",
 },
 {
- Action: accesscontrol.ActionDashboardsPermissionsWrite,
+ Action: dashboards.ActionDashboardsPermissionsWrite,
 Scope: "folders:uid:10",
 },
 },
@@ -396,7 +396,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsDelete,
+ Action: dashboards.ActionDashboardsDelete,
 Scope: "dashboards:*",
 },
 },
@@ -407,7 +407,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsDelete,
+ Action: dashboards.ActionDashboardsDelete,
 Scope: "folders:*",
 },
 },
@@ -418,7 +418,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsDelete,
+ Action: dashboards.ActionDashboardsDelete,
 Scope: "dashboards:uid:1",
 },
 },
@@ -429,7 +429,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsDelete,
+ Action: dashboards.ActionDashboardsDelete,
 Scope: "folders:uid:general",
 },
 },
@@ -440,7 +440,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsDelete,
+ Action: dashboards.ActionDashboardsDelete,
 Scope: "dashboards:uid:10",
 },
 },
@@ -451,7 +451,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 dashUID: "1",
 permissions: []*accesscontrol.Permission{
 {
- Action: accesscontrol.ActionDashboardsDelete,
+ Action: dashboards.ActionDashboardsDelete,
 Scope: "folders:uid:10",
 },
 },
@@ -485,7 +485,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 isFolder: false,
 folderID: 0,
 permissions: []*accesscontrol.Permission{
- {Action: accesscontrol.ActionDashboardsCreate, Scope: "folders:uid:general"},
+ {Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:general"},
 },
 expected: true,
 },
@@ -494,7 +494,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 isFolder: false,
 folderID: 0,
 permissions: []*accesscontrol.Permission{
- {Action: accesscontrol.ActionDashboardsCreate, Scope: "folders:*"},
+ {Action: dashboards.ActionDashboardsCreate, Scope: "folders:*"},
 },
 expected: true,
 },
diff --git a/pkg/services/sqlstore/annotation_test.go b/pkg/services/sqlstore/annotation_test.go
index e5362d49c06..52d57374a6d 100644
--- a/pkg/services/sqlstore/annotation_test.go
+++ b/pkg/services/sqlstore/annotation_test.go
@@ -15,6 +15,7 @@ import (
 "github.com/grafana/grafana/pkg/models"
 "github.com/grafana/grafana/pkg/services/accesscontrol"
 "github.com/grafana/grafana/pkg/services/annotations"
+ "github.com/grafana/grafana/pkg/services/dashboards"
 dashboardstore "github.com/grafana/grafana/pkg/services/dashboards/database"
 "github.com/grafana/grafana/pkg/services/featuremgmt"
 "github.com/grafana/grafana/pkg/services/sqlstore"
@@ -406,7 +407,7 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
 description: "Should find all annotations when has permissions to list all annotations and read all dashboards",
 permissions: map[string][]string{
 accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
- accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
+ dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
 },
 expectedAnnotationIds: []int64{dash1Annotation.Id, dash2Annotation.Id, organizationAnnotation.Id},
 },
@@ -414,7 +415,7 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
 description: "Should find all dashboard annotations",
 permissions: map[string][]string{
 accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
- accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
+ dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
 },
 expectedAnnotationIds: []int64{dash1Annotation.Id, dash2Annotation.Id},
 },
@@ -422,7 +423,7 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
 description: "Should find only annotations from dashboards that user can read",
 permissions: map[string][]string{
 accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
- accesscontrol.ActionDashboardsRead: {fmt.Sprintf("dashboards:uid:%s", dash1UID)},
+ dashboards.ActionDashboardsRead: {fmt.Sprintf("dashboards:uid:%s", dash1UID)},
 },
 expectedAnnotationIds: []int64{dash1Annotation.Id},
 },
@@ -437,14 +438,14 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
 description: "Should find only organization annotations",
 permissions: map[string][]string{
 accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeOrganization},
- accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
+ dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
 },
 expectedAnnotationIds: []int64{organizationAnnotation.Id},
 },
 {
 description: "Should error if user doesn't have annotation read permissions",
 permissions: map[string][]string{
- accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
+ dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
 },
 expectedError: true,
 },
diff --git a/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go b/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
index ea76bb15232..409af398583 100644
--- a/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
+++ b/pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go
@@ -16,20 +16,20 @@ import (
 var dashboardPermissionTranslation = map[models.PermissionType][]string{
 models.PERMISSION_VIEW: {
- ac.ActionDashboardsRead,
+ dashboards.ActionDashboardsRead,
 },
 models.PERMISSION_EDIT: {
- ac.ActionDashboardsRead,
- ac.ActionDashboardsWrite,
- ac.ActionDashboardsDelete,
+ dashboards.ActionDashboardsRead,
+ dashboards.ActionDashboardsWrite,
+ dashboards.ActionDashboardsDelete,
 },
 models.PERMISSION_ADMIN: {
- ac.ActionDashboardsRead,
- ac.ActionDashboardsWrite,
- ac.ActionDashboardsCreate,
- ac.ActionDashboardsDelete,
- ac.ActionDashboardsPermissionsRead,
- ac.ActionDashboardsPermissionsWrite,
+ dashboards.ActionDashboardsRead,
+ dashboards.ActionDashboardsWrite,
+ dashboards.ActionDashboardsCreate,
+ dashboards.ActionDashboardsDelete,
+ dashboards.ActionDashboardsPermissionsRead,
+ dashboards.ActionDashboardsPermissionsWrite,
 },
 }
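Review bot: The `dashboardPermissionTranslation` map sits in a migrations package, so the strings it yields appear to be what gets persisted for every legacy dashboard permission that is migrated; swapping `ac.ActionDashboards*` for `dashboards.ActionDashboards*` is only behavior-preserving if every new constant carries exactly the same string value as the one it replaces, and this diff does not show the constant definitions. If any value drifted, rows already written by earlier runs of this migration and the fixed roles declared elsewhere would use different action strings and access checks would silently stop matching, which is a failure mode worth pinning rather than assuming. A small test that compares each `dashboards.ActionDashboards*` constant against its expected literal, e.g. `if dashboards.ActionDashboardsRead != "<expected action string>" { t.Fatalf("action string changed: %q", dashboards.ActionDashboardsRead) }`, would catch this on the migration path. The same consideration applies to the `NewAccessControlDashboardPermissionFilter` hunk in `pkg/services/sqlstore/permissions/dashboard.go`, whose enclosing function starts outside the hunk.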
@@ -38,7 +38,7 @@ var folderPermissionTranslation = map[models.PermissionType][]string{
 dashboards.ActionFoldersRead,
 }...),
 models.PERMISSION_EDIT: append(dashboardPermissionTranslation[models.PERMISSION_EDIT], []string{
- ac.ActionDashboardsCreate,
+ dashboards.ActionDashboardsCreate,
 dashboards.ActionFoldersRead,
 dashboards.ActionFoldersWrite,
 dashboards.ActionFoldersCreate,
diff --git a/pkg/services/sqlstore/permissions/dashboard.go b/pkg/services/sqlstore/permissions/dashboard.go
index 21751538381..f67f22e9099 100644
--- a/pkg/services/sqlstore/permissions/dashboard.go
+++ b/pkg/services/sqlstore/permissions/dashboard.go
@@ -94,10 +94,10 @@ func NewAccessControlDashboardPermissionFilter(user *models.SignedInUser, permis
 folderActions = append(folderActions, accesscontrol.ActionAlertingRuleCreate)
 }
 } else {
- dashboardActions = append(dashboardActions, accesscontrol.ActionDashboardsRead)
+ dashboardActions = append(dashboardActions, dashboards.ActionDashboardsRead)
 if needEdit {
- folderActions = append(folderActions, accesscontrol.ActionDashboardsCreate)
- dashboardActions = append(dashboardActions, accesscontrol.ActionDashboardsWrite)
+ folderActions = append(folderActions, dashboards.ActionDashboardsCreate)
+ dashboardActions = append(dashboardActions, dashboards.ActionDashboardsWrite)
 }
 }
 return AccessControlDashboardPermissionFilter{User: user, folderActions: folderActions, dashboardActions: dashboardActions}
diff --git a/pkg/services/sqlstore/permissions/dashboard_test.go b/pkg/services/sqlstore/permissions/dashboard_test.go
index 264954d2739..3645eb4a968 100644
--- a/pkg/services/sqlstore/permissions/dashboard_test.go
+++ b/pkg/services/sqlstore/permissions/dashboard_test.go
@@ -55,31 +55,31 @@ func TestNewAccessControlDashboardPermissionFilter(t *testing.T) {
 queryType: randomType,
 permission: models.PERMISSION_ADMIN,
 expectedDashboardActions: []string{
- accesscontrol.ActionDashboardsRead,
- accesscontrol.ActionDashboardsWrite,
+ dashboards.ActionDashboardsRead,
+ dashboards.ActionDashboardsWrite,
 },
 expectedFolderActions: []string{
 dashboards.ActionFoldersRead,
- accesscontrol.ActionDashboardsCreate,
+ dashboards.ActionDashboardsCreate,
 },
 },
 {
 queryType: randomType,
 permission: models.PERMISSION_EDIT,
 expectedDashboardActions: []string{
- accesscontrol.ActionDashboardsRead,
- accesscontrol.ActionDashboardsWrite,
+ dashboards.ActionDashboardsRead,
+ dashboards.ActionDashboardsWrite,
 },
 expectedFolderActions: []string{
 dashboards.ActionFoldersRead,
- accesscontrol.ActionDashboardsCreate,
+ dashboards.ActionDashboardsCreate,
 },
 },
 {
 queryType: randomType,
 permission: models.PERMISSION_VIEW,
 expectedDashboardActions: []string{
- accesscontrol.ActionDashboardsRead,
+ dashboards.ActionDashboardsRead,
 },
 expectedFolderActions: []string{
 dashboards.ActionFoldersRead,