Access Control: Move dashboard actions and create scope provider (#48618)
* Move dashboard actions and create scope provider
@ -328,7 +328,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
|
||||
Group: "Dashboards",
|
||||
Permissions: []ac.Permission{
|
||||
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
||||
{Action: ac.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
||||
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)},
|
||||
},
|
||||
},
|
||||
Grants: []string{"Editor"},
|
||||
@ -342,7 +342,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
|
||||
Description: "Read all dashboards.",
|
||||
Group: "Dashboards",
|
||||
Permissions: []ac.Permission{
|
||||
{Action: ac.ActionDashboardsRead, Scope: ac.ScopeDashboardsAll},
|
||||
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
|
||||
},
|
||||
},
|
||||
Grants: []string{"Admin"},
|
||||
@ -356,11 +356,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
|
||||
Group: "Dashboards",
|
||||
Description: "Create, read, write or delete all dashboards and their permissions.",
|
||||
Permissions: ac.ConcatPermissions(dashboardsReaderRole.Role.Permissions, []ac.Permission{
|
||||
{Action: ac.ActionDashboardsWrite, Scope: ac.ScopeDashboardsAll},
|
||||
{Action: ac.ActionDashboardsDelete, Scope: ac.ScopeDashboardsAll},
|
||||
{Action: ac.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: ac.ActionDashboardsPermissionsRead, Scope: ac.ScopeDashboardsAll},
|
||||
{Action: ac.ActionDashboardsPermissionsWrite, Scope: ac.ScopeDashboardsAll},
|
||||
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeDashboardsAll},
|
||||
{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeDashboardsAll},
|
||||
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeDashboardsAll},
|
||||
{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeDashboardsAll},
|
||||
}),
|
||||
},
|
||||
Grants: []string{"Admin"},
|
||||
@ -389,7 +389,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
|
||||
Group: "Folders",
|
||||
Permissions: []ac.Permission{
|
||||
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: ac.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
|
||||
},
|
||||
},
|
||||
Grants: []string{"Admin"},
|
||||
@ -408,11 +408,11 @@ func (hs *HTTPServer) declareFixedRoles() error {
|
||||
{Action: dashboards.ActionFoldersCreate},
|
||||
{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: dashboards.ActionFoldersDelete, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: ac.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: ac.ActionDashboardsDelete, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: ac.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: ac.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: ac.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: dashboards.ActionDashboardsDelete, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: dashboards.ActionDashboardsPermissionsRead, Scope: dashboards.ScopeFoldersAll},
|
||||
{Action: dashboards.ActionDashboardsPermissionsWrite, Scope: dashboards.ScopeFoldersAll},
|
||||
}),
|
||||
},
|
||||
Grants: []string{"Admin"},
|
||||
|
@ -12,6 +12,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/annotations"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/services/guardian"
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
@ -456,7 +457,7 @@ func AnnotationTypeScopeResolver() (string, accesscontrol.ScopeAttributeResolver
|
||||
OrgId: orgID,
|
||||
Permissions: map[int64]map[string][]string{
|
||||
orgID: {
|
||||
accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
|
||||
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
|
||||
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
|
||||
},
|
||||
},
|
||||
|
@ -354,12 +354,12 @@ func (hs *HTTPServer) registerRoutes() {
|
||||
|
||||
// Dashboard
|
||||
apiRoute.Group("/dashboards", func(dashboardRoute routing.RouteRegister) {
|
||||
dashboardRoute.Get("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsRead)), routing.Wrap(hs.GetDashboard))
|
||||
dashboardRoute.Delete("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsDelete)), routing.Wrap(hs.DeleteDashboardByUID))
|
||||
dashboardRoute.Get("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsRead)), routing.Wrap(hs.GetDashboard))
|
||||
dashboardRoute.Delete("/uid/:uid", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsDelete)), routing.Wrap(hs.DeleteDashboardByUID))
|
||||
dashboardRoute.Group("/uid/:uid", func(dashUidRoute routing.RouteRegister) {
|
||||
dashUidRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) {
|
||||
dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
|
||||
dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
|
||||
dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
|
||||
dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
|
||||
})
|
||||
})
|
||||
|
||||
@ -372,22 +372,22 @@ func (hs *HTTPServer) registerRoutes() {
|
||||
}
|
||||
}
|
||||
|
||||
dashboardRoute.Post("/calculate-diff", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.CalculateDashboardDiff))
|
||||
dashboardRoute.Post("/calculate-diff", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.CalculateDashboardDiff))
|
||||
dashboardRoute.Post("/trim", routing.Wrap(hs.TrimDashboard))
|
||||
|
||||
dashboardRoute.Post("/db", authorize(reqSignedIn, ac.EvalAny(ac.EvalPermission(ac.ActionDashboardsCreate), ac.EvalPermission(ac.ActionDashboardsWrite))), routing.Wrap(hs.PostDashboard))
|
||||
dashboardRoute.Post("/db", authorize(reqSignedIn, ac.EvalAny(ac.EvalPermission(dashboards.ActionDashboardsCreate), ac.EvalPermission(dashboards.ActionDashboardsWrite))), routing.Wrap(hs.PostDashboard))
|
||||
dashboardRoute.Get("/home", routing.Wrap(hs.GetHomeDashboard))
|
||||
dashboardRoute.Get("/tags", hs.GetDashboardTags)
|
||||
|
||||
// Deprecated: use /uid/:uid API instead.
|
||||
dashboardRoute.Group("/id/:dashboardId", func(dashIdRoute routing.RouteRegister) {
|
||||
dashIdRoute.Get("/versions", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions))
|
||||
dashIdRoute.Get("/versions/:id", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion))
|
||||
dashIdRoute.Post("/restore", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion))
|
||||
dashIdRoute.Get("/versions", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersions))
|
||||
dashIdRoute.Get("/versions/:id", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.GetDashboardVersion))
|
||||
dashIdRoute.Post("/restore", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsWrite)), routing.Wrap(hs.RestoreDashboardVersion))
|
||||
|
||||
dashIdRoute.Group("/permissions", func(dashboardPermissionRoute routing.RouteRegister) {
|
||||
dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
|
||||
dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(ac.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
|
||||
dashboardPermissionRoute.Get("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsRead)), routing.Wrap(hs.GetDashboardPermissionList))
|
||||
dashboardPermissionRoute.Post("/", authorize(reqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsPermissionsWrite)), routing.Wrap(hs.UpdateDashboardPermissions))
|
||||
})
|
||||
})
|
||||
})
|
||||
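Review bot: Every `authorize(...)` call in this route group passes `ac.EvalPermission` an action with no scope, so the middleware does not tie the decision to the `:uid` or `:dashboardId` in the path, and nothing here says where the per-dashboard check happens. Presumably the handlers make that decision through the dashboard guardian, which is not visible in this section; if so, a comment above the group such as `// Route checks are action-only; the per-dashboard scope is enforced in the handlers.` would keep a later reader from treating the middleware as the object-level check. `/trim`, `/home` and `/tags` carry no `authorize` wrapper in the visible lines, and whether a group-level middleware covers them cannot be seen from here. The body of registerRoutes starts and ends outside these hunks.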
|
@ -572,7 +572,7 @@ func (hs *HTTPServer) buildCreateNavLinks(c *models.ReqContext) []*dtos.NavLink
|
||||
hasAccess := ac.HasAccess(hs.AccessControl, c)
|
||||
var children []*dtos.NavLink
|
||||
|
||||
if hasAccess(ac.ReqSignedIn, ac.EvalPermission(ac.ActionDashboardsCreate)) {
|
||||
if hasAccess(ac.ReqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsCreate)) {
|
||||
children = append(children, &dtos.NavLink{Text: "Dashboard", Icon: "apps", Url: hs.Cfg.AppSubURL + "/dashboard/new", Id: "create-dashboard"})
|
||||
}
|
||||
|
||||
@ -583,7 +583,7 @@ func (hs *HTTPServer) buildCreateNavLinks(c *models.ReqContext) []*dtos.NavLink
|
||||
})
|
||||
}
|
||||
|
||||
if hasAccess(ac.ReqSignedIn, ac.EvalPermission(ac.ActionDashboardsCreate)) {
|
||||
if hasAccess(ac.ReqSignedIn, ac.EvalPermission(dashboards.ActionDashboardsCreate)) {
|
||||
children = append(children, &dtos.NavLink{
|
||||
Text: "Import", SubTitle: "Import dashboard from file or Grafana.com", Id: "import", Icon: "import",
|
||||
Url: hs.Cfg.AppSubURL + "/dashboard/import",
|
||||
@ -651,7 +651,7 @@ func (hs *HTTPServer) editorInAnyFolder(c *models.ReqContext) bool {
|
||||
|
||||
func (hs *HTTPServer) setIndexViewData(c *models.ReqContext) (*dtos.IndexViewData, error) {
|
||||
hasAccess := ac.HasAccess(hs.AccessControl, c)
|
||||
hasEditPerm := hasAccess(hs.editorInAnyFolder, ac.EvalAny(ac.EvalPermission(ac.ActionDashboardsCreate), ac.EvalPermission(dashboards.ActionFoldersCreate)))
|
||||
hasEditPerm := hasAccess(hs.editorInAnyFolder, ac.EvalAny(ac.EvalPermission(dashboards.ActionDashboardsCreate), ac.EvalPermission(dashboards.ActionFoldersCreate)))
|
||||
|
||||
settings, err := hs.getFrontendSettingsMap(c)
|
||||
if err != nil {
|
||||
|
@ -359,17 +359,6 @@ const (
|
||||
ActionAnnotationsRead = "annotations:read"
|
||||
ActionAnnotationsWrite = "annotations:write"
|
||||
|
||||
// Dashboard actions
|
||||
ActionDashboardsCreate = "dashboards:create"
|
||||
ActionDashboardsRead = "dashboards:read"
|
||||
ActionDashboardsWrite = "dashboards:write"
|
||||
ActionDashboardsDelete = "dashboards:delete"
|
||||
ActionDashboardsPermissionsRead = "dashboards.permissions:read"
|
||||
ActionDashboardsPermissionsWrite = "dashboards.permissions:write"
|
||||
|
||||
// Dashboard scopes
|
||||
ScopeDashboardsAll = "dashboards:*"
|
||||
|
||||
// Alert scopes are divided into two groups. The internal (to Grafana) and the external ones.
|
||||
// For the Grafana ones, given we have ACID control we're able to provide better granularity by defining CRUD options.
|
||||
// For the external ones, we only have read and write permissions due to the lack of atomicity control of the external system.
|
||||
|
@ -138,9 +138,9 @@ func ProvideTeamPermissions(
|
||||
return resourcepermissions.New(options, cfg, router, ac, store, sql)
|
||||
}
|
||||
|
||||
var DashboardViewActions = []string{accesscontrol.ActionDashboardsRead}
|
||||
var DashboardEditActions = append(DashboardViewActions, []string{accesscontrol.ActionDashboardsWrite, accesscontrol.ActionDashboardsDelete}...)
|
||||
var DashboardAdminActions = append(DashboardEditActions, []string{accesscontrol.ActionDashboardsPermissionsRead, accesscontrol.ActionDashboardsPermissionsWrite}...)
|
||||
var DashboardViewActions = []string{dashboards.ActionDashboardsRead}
|
||||
var DashboardEditActions = append(DashboardViewActions, []string{dashboards.ActionDashboardsWrite, dashboards.ActionDashboardsDelete}...)
|
||||
var DashboardAdminActions = append(DashboardEditActions, []string{dashboards.ActionDashboardsPermissionsRead, dashboards.ActionDashboardsPermissionsWrite}...)
|
||||
|
||||
func ProvideDashboardPermissions(
|
||||
cfg *setting.Cfg, router routing.RouteRegister, sql *sqlstore.SQLStore,
|
||||
@ -203,7 +203,7 @@ func ProvideDashboardPermissions(
|
||||
}
|
||||
|
||||
var FolderViewActions = []string{dashboards.ActionFoldersRead}
|
||||
var FolderEditActions = append(FolderViewActions, []string{dashboards.ActionFoldersWrite, dashboards.ActionFoldersDelete, accesscontrol.ActionDashboardsCreate}...)
|
||||
var FolderEditActions = append(FolderViewActions, []string{dashboards.ActionFoldersWrite, dashboards.ActionFoldersDelete, dashboards.ActionDashboardsCreate}...)
|
||||
var FolderAdminActions = append(FolderEditActions, []string{dashboards.ActionFoldersPermissionsRead, dashboards.ActionFoldersPermissionsWrite}...)
|
||||
|
||||
func ProvideFolderPermissions(
|
||||
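Review bot: `DashboardEditActions` and `DashboardAdminActions` are exported slices built by `append` directly onto another exported slice, which leaves the permission sets open to backing-array aliasing. With the present element counts each `append` most likely reallocates, so nothing is shared today, but if one ever leaves spare capacity, a later `append` to the shorter slice would overwrite entries of the longer one and change which actions an Edit or Admin grant carries. Starting each from a fresh slice removes that dependency: `var DashboardEditActions = append(append([]string{}, DashboardViewActions...), dashboards.ActionDashboardsWrite, dashboards.ActionDashboardsDelete)`. The same applies to `FolderEditActions` and `FolderAdminActions` in the second hunk.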
|
@ -12,6 +12,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/plugins"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/dashboardimport"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
)
|
||||
|
||||
@ -39,7 +40,7 @@ func (api *ImportDashboardAPI) RegisterAPIEndpoints(routeRegister routing.RouteR
|
||||
routeRegister.Group("/api/dashboards", func(route routing.RouteRegister) {
|
||||
route.Post(
|
||||
"/import",
|
||||
authorize(middleware.ReqSignedIn, accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate)),
|
||||
authorize(middleware.ReqSignedIn, accesscontrol.EvalPermission(dashboards.ActionDashboardsCreate)),
|
||||
routing.Wrap(api.ImportDashboard),
|
||||
)
|
||||
}, middleware.ReqSignedIn)
|
||||
|
@ -21,11 +21,20 @@ const (
|
||||
|
||||
ScopeDashboardsRoot = "dashboards"
|
||||
ScopeDashboardsPrefix = "dashboards:uid:"
|
||||
|
||||
ActionDashboardsCreate = "dashboards:create"
|
||||
ActionDashboardsRead = "dashboards:read"
|
||||
ActionDashboardsWrite = "dashboards:write"
|
||||
ActionDashboardsDelete = "dashboards:delete"
|
||||
ActionDashboardsPermissionsRead = "dashboards.permissions:read"
|
||||
ActionDashboardsPermissionsWrite = "dashboards.permissions:write"
|
||||
)
|
||||
|
||||
var (
|
||||
ScopeFoldersAll = ac.GetResourceAllScope(ScopeFoldersRoot)
|
||||
ScopeFoldersProvider = ac.NewScopeProvider(ScopeFoldersRoot)
|
||||
ScopeFoldersAll = ScopeFoldersProvider.GetResourceAllScope()
|
||||
ScopeDashboardsProvider = ac.NewScopeProvider(ScopeDashboardsRoot)
|
||||
ScopeDashboardsAll = ScopeDashboardsProvider.GetResourceAllScope()
|
||||
)
|
||||
|
||||
// NewFolderNameScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "folders:name:" into an uid based scope.
|
||||
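Review bot: The six `ActionDashboards*` constants arrive in this block without the `// Dashboard actions` heading they carried in the declaration this commit removes, and the new `ScopeFoldersProvider` and `ScopeDashboardsProvider` variables have no doc comment. They are exported `var`s that the guardian and the fixed roles use to build scope strings, so a reassignment anywhere would change what authorization compares against; a comment such as `// ScopeDashboardsProvider builds scopes under ScopeDashboardsRoot; treat as read-only after package init.` would state that expectation. `ScopeDashboardsPrefix = "dashboards:uid:"` remains a hand-written literal next to the provider; presumably the provider yields the same prefix, which a small test asserting the two agree would pin down.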
|
@ -24,8 +24,8 @@ var (
|
||||
provisionerPermissions = map[string][]string{
|
||||
m.ActionFoldersCreate: {},
|
||||
m.ActionFoldersWrite: {m.ScopeFoldersAll},
|
||||
accesscontrol.ActionDashboardsCreate: {m.ScopeFoldersAll},
|
||||
accesscontrol.ActionDashboardsWrite: {m.ScopeFoldersAll},
|
||||
m.ActionDashboardsCreate: {m.ScopeFoldersAll},
|
||||
m.ActionDashboardsWrite: {m.ScopeFoldersAll},
|
||||
}
|
||||
)
|
||||
|
||||
|
@ -53,12 +53,12 @@ func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {
|
||||
}
|
||||
|
||||
if a.dashboard.IsFolder {
|
||||
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboard.Uid)))
|
||||
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
|
||||
}
|
||||
|
||||
return a.evaluate(accesscontrol.EvalAny(
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.parentFolderUID)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
|
||||
))
|
||||
}
|
||||
|
||||
@ -71,12 +71,12 @@ func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
|
||||
}
|
||||
|
||||
if a.dashboard.IsFolder {
|
||||
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboard.Uid)))
|
||||
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
|
||||
}
|
||||
|
||||
return a.evaluate(accesscontrol.EvalAny(
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.parentFolderUID)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
|
||||
))
|
||||
}
|
||||
|
||||
@ -86,12 +86,12 @@ func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
|
||||
}
|
||||
|
||||
if a.dashboard.IsFolder {
|
||||
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, folderScope(a.dashboard.Uid)))
|
||||
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
|
||||
}
|
||||
|
||||
return a.evaluate(accesscontrol.EvalAny(
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, dashboardScope(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, folderScope(a.parentFolderUID)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
|
||||
))
|
||||
}
|
||||
|
||||
@ -102,19 +102,19 @@ func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
|
||||
|
||||
if a.dashboard.IsFolder {
|
||||
return a.evaluate(accesscontrol.EvalAll(
|
||||
accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, folderScope(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, folderScope(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)),
|
||||
))
|
||||
}
|
||||
|
||||
return a.evaluate(accesscontrol.EvalAny(
|
||||
accesscontrol.EvalAll(
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, dashboardScope(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, dashboardScope(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
|
||||
),
|
||||
accesscontrol.EvalAll(
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, folderScope(a.parentFolderUID)),
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, folderScope(a.parentFolderUID)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
|
||||
),
|
||||
))
|
||||
}
|
||||
@ -125,12 +125,12 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
|
||||
}
|
||||
|
||||
if a.dashboard.IsFolder {
|
||||
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, folderScope(a.dashboard.Uid)))
|
||||
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
|
||||
}
|
||||
|
||||
return a.evaluate(accesscontrol.EvalAny(
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, dashboardScope(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, folderScope(a.parentFolderUID)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
|
||||
accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
|
||||
))
|
||||
}
|
||||
|
||||
@ -142,7 +142,7 @@ func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
return a.evaluate(accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folder.Uid)))
|
||||
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionDashboardsCreate, dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.Uid)))
|
||||
}
|
||||
|
||||
func (a *AccessControlDashboardGuardian) evaluate(evaluator accesscontrol.Evaluator) (bool, error) {
|
||||
@ -283,11 +283,3 @@ func (a *AccessControlDashboardGuardian) loadParentFolder(folderID int64) (*mode
|
||||
}
|
||||
return folderQuery.Result, nil
|
||||
}
|
||||
|
||||
func dashboardScope(uid string) string {
|
||||
return accesscontrol.GetResourceScopeUID("dashboards", uid)
|
||||
}
|
||||
|
||||
func folderScope(uid string) string {
|
||||
return dashboards.ScopeFoldersProvider.GetResourceScopeUID(uid)
|
||||
}
|
||||
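Review bot: The nested evaluator in `CanAdmin` has no comment stating the rule it encodes, and with the `dashboardScope` / `folderScope` helpers removed the long provider calls make that rule harder to read off. As written, both `dashboards.permissions:read` and `dashboards.permissions:write` must be held on the same target (the dashboard itself or its parent folder), so read through one and write through the other fails both `EvalAll` branches; a comment above the `EvalAny` such as `// Admin needs permissions read+write together, on the dashboard or on its parent folder.` would record that. Where `a.parentFolderUID` is populated lies outside these hunks; it is worth confirming it is never empty when these evaluators run, since the provider would then be asked for a scope with an empty UID. The bodies of the `Can*` methods start outside the hunks shown.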
|
@ -36,7 +36,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "dashboards:*",
|
||||
},
|
||||
},
|
||||
@ -47,7 +47,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "folders:*",
|
||||
},
|
||||
},
|
||||
@ -58,7 +58,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "dashboards:uid:1",
|
||||
},
|
||||
},
|
||||
@ -69,7 +69,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "folders:uid:general",
|
||||
},
|
||||
},
|
||||
@ -80,7 +80,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "dashboards:uid:10",
|
||||
},
|
||||
},
|
||||
@ -91,7 +91,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "folders:uid:100",
|
||||
},
|
||||
},
|
||||
@ -116,7 +116,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "dashboards:*",
|
||||
},
|
||||
},
|
||||
@ -127,7 +127,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "folders:*",
|
||||
},
|
||||
},
|
||||
@ -138,7 +138,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "dashboards:uid:1",
|
||||
},
|
||||
},
|
||||
@ -149,7 +149,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "folders:uid:general",
|
||||
},
|
||||
},
|
||||
@ -160,7 +160,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "dashboards:uid:10",
|
||||
},
|
||||
},
|
||||
@ -171,7 +171,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsWrite,
|
||||
Action: dashboards.ActionDashboardsWrite,
|
||||
Scope: "folders:uid:10",
|
||||
},
|
||||
},
|
||||
@ -182,7 +182,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsRead,
|
||||
Action: dashboards.ActionDashboardsRead,
|
||||
Scope: "dashboards:uid:1",
|
||||
},
|
||||
},
|
||||
@ -212,7 +212,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsRead,
|
||||
Action: dashboards.ActionDashboardsRead,
|
||||
Scope: "dashboards:*",
|
||||
},
|
||||
},
|
||||
@ -223,7 +223,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsRead,
|
||||
Action: dashboards.ActionDashboardsRead,
|
||||
Scope: "folders:*",
|
||||
},
|
||||
},
|
||||
@ -234,7 +234,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsRead,
|
||||
Action: dashboards.ActionDashboardsRead,
|
||||
Scope: "dashboards:uid:1",
|
||||
},
|
||||
},
|
||||
@ -245,7 +245,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsRead,
|
||||
Action: dashboards.ActionDashboardsRead,
|
||||
Scope: "folders:uid:general",
|
||||
},
|
||||
},
|
||||
@ -256,7 +256,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsRead,
|
||||
Action: dashboards.ActionDashboardsRead,
|
||||
Scope: "dashboards:uid:10",
|
||||
},
|
||||
},
|
||||
@ -267,7 +267,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsRead,
|
||||
Action: dashboards.ActionDashboardsRead,
|
||||
Scope: "folders:uid:10",
|
||||
},
|
||||
},
|
||||
@ -292,11 +292,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsRead,
|
||||
Action: dashboards.ActionDashboardsPermissionsRead,
|
||||
Scope: "dashboards:*",
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsWrite,
|
||||
Action: dashboards.ActionDashboardsPermissionsWrite,
|
||||
Scope: "dashboards:*",
|
||||
},
|
||||
},
|
||||
@ -307,11 +307,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsRead,
|
||||
Action: dashboards.ActionDashboardsPermissionsRead,
|
||||
Scope: "folders:*",
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsWrite,
|
||||
Action: dashboards.ActionDashboardsPermissionsWrite,
|
||||
Scope: "folders:*",
|
||||
},
|
||||
},
|
||||
@ -322,11 +322,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsRead,
|
||||
Action: dashboards.ActionDashboardsPermissionsRead,
|
||||
Scope: "dashboards:uid:1",
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsWrite,
|
||||
Action: dashboards.ActionDashboardsPermissionsWrite,
|
||||
Scope: "dashboards:uid:1",
|
||||
},
|
||||
},
|
||||
@ -337,11 +337,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsRead,
|
||||
Action: dashboards.ActionDashboardsPermissionsRead,
|
||||
Scope: "folders:uid:general",
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsWrite,
|
||||
Action: dashboards.ActionDashboardsPermissionsWrite,
|
||||
Scope: "folders:uid:general",
|
||||
},
|
||||
},
|
||||
@ -352,11 +352,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsRead,
|
||||
Action: dashboards.ActionDashboardsPermissionsRead,
|
||||
Scope: "dashboards:uid:10",
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsWrite,
|
||||
Action: dashboards.ActionDashboardsPermissionsWrite,
|
||||
Scope: "dashboards:uid:10",
|
||||
},
|
||||
},
|
||||
@ -367,11 +367,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsRead,
|
||||
Action: dashboards.ActionDashboardsPermissionsRead,
|
||||
Scope: "folders:uid:10",
|
||||
},
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsPermissionsWrite,
|
||||
Action: dashboards.ActionDashboardsPermissionsWrite,
|
||||
Scope: "folders:uid:10",
|
||||
},
|
||||
},
|
||||
@ -396,7 +396,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsDelete,
|
||||
Action: dashboards.ActionDashboardsDelete,
|
||||
Scope: "dashboards:*",
|
||||
},
|
||||
},
|
||||
@ -407,7 +407,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsDelete,
|
||||
Action: dashboards.ActionDashboardsDelete,
|
||||
Scope: "folders:*",
|
||||
},
|
||||
},
|
||||
@ -418,7 +418,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsDelete,
|
||||
Action: dashboards.ActionDashboardsDelete,
|
||||
Scope: "dashboards:uid:1",
|
||||
},
|
||||
},
|
||||
@ -429,7 +429,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsDelete,
|
||||
Action: dashboards.ActionDashboardsDelete,
|
||||
Scope: "folders:uid:general",
|
||||
},
|
||||
},
|
||||
@ -440,7 +440,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsDelete,
|
||||
Action: dashboards.ActionDashboardsDelete,
|
||||
Scope: "dashboards:uid:10",
|
||||
},
|
||||
},
|
||||
@ -451,7 +451,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
|
||||
dashUID: "1",
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{
|
||||
Action: accesscontrol.ActionDashboardsDelete,
|
||||
Action: dashboards.ActionDashboardsDelete,
|
||||
Scope: "folders:uid:10",
|
||||
},
|
||||
},
|
||||
@ -485,7 +485,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
|
||||
isFolder: false,
|
||||
folderID: 0,
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionDashboardsCreate, Scope: "folders:uid:general"},
|
||||
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:general"},
|
||||
},
|
||||
expected: true,
|
||||
},
|
||||
@ -494,7 +494,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
|
||||
isFolder: false,
|
||||
folderID: 0,
|
||||
permissions: []*accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionDashboardsCreate, Scope: "folders:*"},
|
||||
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:*"},
|
||||
},
|
||||
expected: true,
|
||||
},
|
||||
|
@ -15,6 +15,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/annotations"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
dashboardstore "github.com/grafana/grafana/pkg/services/dashboards/database"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||
@ -406,7 +407,7 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
|
||||
description: "Should find all annotations when has permissions to list all annotations and read all dashboards",
|
||||
permissions: map[string][]string{
|
||||
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
|
||||
accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
|
||||
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
|
||||
},
|
||||
expectedAnnotationIds: []int64{dash1Annotation.Id, dash2Annotation.Id, organizationAnnotation.Id},
|
||||
},
|
||||
@ -414,7 +415,7 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
|
||||
description: "Should find all dashboard annotations",
|
||||
permissions: map[string][]string{
|
||||
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
|
||||
accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
|
||||
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
|
||||
},
|
||||
expectedAnnotationIds: []int64{dash1Annotation.Id, dash2Annotation.Id},
|
||||
},
|
||||
@ -422,7 +423,7 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
|
||||
description: "Should find only annotations from dashboards that user can read",
|
||||
permissions: map[string][]string{
|
||||
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
|
||||
accesscontrol.ActionDashboardsRead: {fmt.Sprintf("dashboards:uid:%s", dash1UID)},
|
||||
dashboards.ActionDashboardsRead: {fmt.Sprintf("dashboards:uid:%s", dash1UID)},
|
||||
},
|
||||
expectedAnnotationIds: []int64{dash1Annotation.Id},
|
||||
},
|
||||
@ -437,14 +438,14 @@ func TestAnnotationListingWithRBAC(t *testing.T) {
|
||||
description: "Should find only organization annotations",
|
||||
permissions: map[string][]string{
|
||||
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeOrganization},
|
||||
accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
|
||||
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
|
||||
},
|
||||
expectedAnnotationIds: []int64{organizationAnnotation.Id},
|
||||
},
|
||||
{
|
||||
description: "Should error if user doesn't have annotation read permissions",
|
||||
permissions: map[string][]string{
|
||||
accesscontrol.ActionDashboardsRead: {accesscontrol.ScopeDashboardsAll},
|
||||
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
|
||||
},
|
||||
expectedError: true,
|
||||
},
|
||||
|
@ -16,20 +16,20 @@ import (
|
||||
|
||||
var dashboardPermissionTranslation = map[models.PermissionType][]string{
|
||||
models.PERMISSION_VIEW: {
|
||||
ac.ActionDashboardsRead,
|
||||
dashboards.ActionDashboardsRead,
|
||||
},
|
||||
models.PERMISSION_EDIT: {
|
||||
ac.ActionDashboardsRead,
|
||||
ac.ActionDashboardsWrite,
|
||||
ac.ActionDashboardsDelete,
|
||||
dashboards.ActionDashboardsRead,
|
||||
dashboards.ActionDashboardsWrite,
|
||||
dashboards.ActionDashboardsDelete,
|
||||
},
|
||||
models.PERMISSION_ADMIN: {
|
||||
ac.ActionDashboardsRead,
|
||||
ac.ActionDashboardsWrite,
|
||||
ac.ActionDashboardsCreate,
|
||||
ac.ActionDashboardsDelete,
|
||||
ac.ActionDashboardsPermissionsRead,
|
||||
ac.ActionDashboardsPermissionsWrite,
|
||||
dashboards.ActionDashboardsRead,
|
||||
dashboards.ActionDashboardsWrite,
|
||||
dashboards.ActionDashboardsCreate,
|
||||
dashboards.ActionDashboardsDelete,
|
||||
dashboards.ActionDashboardsPermissionsRead,
|
||||
dashboards.ActionDashboardsPermissionsWrite,
|
||||
},
|
||||
}
|
||||
|
||||
@ -38,7 +38,7 @@ var folderPermissionTranslation = map[models.PermissionType][]string{
|
||||
dashboards.ActionFoldersRead,
|
||||
}...),
|
||||
models.PERMISSION_EDIT: append(dashboardPermissionTranslation[models.PERMISSION_EDIT], []string{
|
||||
ac.ActionDashboardsCreate,
|
||||
dashboards.ActionDashboardsCreate,
|
||||
dashboards.ActionFoldersRead,
|
||||
dashboards.ActionFoldersWrite,
|
||||
dashboards.ActionFoldersCreate,
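Review bot: In `dashboardPermissionTranslation`, `dashboards.ActionDashboardsCreate` is granted at `models.PERMISSION_ADMIN` but not at `models.PERMISSION_EDIT`, while `folderPermissionTranslation` appends it at the EDIT level, and nothing in the table explains the asymmetry. Elsewhere in this commit the create action is paired with folder scopes (the fixed roles, and `folderActions` in the permission filter), so a create grant attached to a single dashboard may be inert. If it is, dropping it is safer than leaving an unused grant that a later scope change could activate. Either way, a comment above the map would help, for example `// dashboardPermissionTranslation maps a legacy permission level to the RBAC actions granted on a single dashboard.` plus one line on why create appears only under ADMIN. The `folderPermissionTranslation` declaration starts and ends outside the second hunk.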
|
||||
|
@ -94,10 +94,10 @@ func NewAccessControlDashboardPermissionFilter(user *models.SignedInUser, permis
|
||||
folderActions = append(folderActions, accesscontrol.ActionAlertingRuleCreate)
|
||||
}
|
||||
} else {
|
||||
dashboardActions = append(dashboardActions, accesscontrol.ActionDashboardsRead)
|
||||
dashboardActions = append(dashboardActions, dashboards.ActionDashboardsRead)
|
||||
if needEdit {
|
||||
folderActions = append(folderActions, accesscontrol.ActionDashboardsCreate)
|
||||
dashboardActions = append(dashboardActions, accesscontrol.ActionDashboardsWrite)
|
||||
folderActions = append(folderActions, dashboards.ActionDashboardsCreate)
|
||||
dashboardActions = append(dashboardActions, dashboards.ActionDashboardsWrite)
|
||||
}
|
||||
}
|
||||
return AccessControlDashboardPermissionFilter{User: user, folderActions: folderActions, dashboardActions: dashboardActions}
|
||||
|
@ -55,31 +55,31 @@ func TestNewAccessControlDashboardPermissionFilter(t *testing.T) {
|
||||
queryType: randomType,
|
||||
permission: models.PERMISSION_ADMIN,
|
||||
expectedDashboardActions: []string{
|
||||
accesscontrol.ActionDashboardsRead,
|
||||
accesscontrol.ActionDashboardsWrite,
|
||||
dashboards.ActionDashboardsRead,
|
||||
dashboards.ActionDashboardsWrite,
|
||||
},
|
||||
expectedFolderActions: []string{
|
||||
dashboards.ActionFoldersRead,
|
||||
accesscontrol.ActionDashboardsCreate,
|
||||
dashboards.ActionDashboardsCreate,
|
||||
},
|
||||
},
|
||||
{
|
||||
queryType: randomType,
|
||||
permission: models.PERMISSION_EDIT,
|
||||
expectedDashboardActions: []string{
|
||||
accesscontrol.ActionDashboardsRead,
|
||||
accesscontrol.ActionDashboardsWrite,
|
||||
dashboards.ActionDashboardsRead,
|
||||
dashboards.ActionDashboardsWrite,
|
||||
},
|
||||
expectedFolderActions: []string{
|
||||
dashboards.ActionFoldersRead,
|
||||
accesscontrol.ActionDashboardsCreate,
|
||||
dashboards.ActionDashboardsCreate,
|
||||
},
|
||||
},
|
||||
{
|
||||
queryType: randomType,
|
||||
permission: models.PERMISSION_VIEW,
|
||||
expectedDashboardActions: []string{
|
||||
accesscontrol.ActionDashboardsRead,
|
||||
dashboards.ActionDashboardsRead,
|
||||
},
|
||||
expectedFolderActions: []string{
|
||||
dashboards.ActionFoldersRead,
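Review bot: The `models.PERMISSION_ADMIN` case expects exactly the same action lists as the `models.PERMISSION_EDIT` case, so this test pins a filter that does not distinguish admin from edit. Neither `dashboards.ActionDashboardsPermissionsRead` nor `dashboards.ActionDashboardsPermissionsWrite` is expected for ADMIN. A caller that asks the filter for dashboards it may administer would therefore presumably also receive dashboards it may only edit. If that is intended, state it on the case, e.g. `// NOTE: the filter treats ADMIN like EDIT; it does not require the dashboards.permissions actions`; if not, the ADMIN expectation should include the permissions actions. The test function starts and ends outside the hunk.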
|
||||
|