Access control: endpoint for searching single user permissions (#59669)

* initial commit * clean up * fix a bug and add tests * more tests * undo some unintended changes * undo some unintended changes * linting * PR feedback - add user ID to search options * simplify the query * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * remove unneeded formatting changes Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-07-31 05:12:12 +08:00 · 2022-12-14 10:53:25 +00:00
parent d9d94ebc56
commit 6aa5a79cad
8 changed files with 363 additions and 21 deletions
--- a/pkg/services/accesscontrol/database/database_test.go
+++ b/pkg/services/accesscontrol/database/database_test.go
@ -412,6 +412,34 @@ func TestIntegrationAccessControlStore_SearchUsersPermissions(t *testing.T) {
 					{Action: "teams:read", Scope: "teams:id:200"}},
 			},
 		},
+		{
+			name: "all assignments for one user by actionPrefix",
+			users: []testUser{
+				{orgRole: org.RoleAdmin, isAdmin: true},
+				{orgRole: org.RoleEditor, isAdmin: false},
+			},
+			permCmds: []rs.SetResourcePermissionsCommand{
+				// User assignments
+				{User: accesscontrol.User{ID: 1, IsExternal: false}, SetResourcePermissionCommand: readTeamPerm("1")},
+				{User: accesscontrol.User{ID: 2, IsExternal: false}, SetResourcePermissionCommand: readTeamPerm("2")},
+				// Team assignments
+				{TeamID: 1, SetResourcePermissionCommand: readTeamPerm("10")},
+				{TeamID: 2, SetResourcePermissionCommand: readTeamPerm("20")},
+				// Basic Assignments
+				{BuiltinRole: string(org.RoleAdmin), SetResourcePermissionCommand: readTeamPerm("100")},
+				{BuiltinRole: string(org.RoleEditor), SetResourcePermissionCommand: readTeamPerm("200")},
+				// Server Admin Assignment
+				{BuiltinRole: accesscontrol.RoleGrafanaAdmin, SetResourcePermissionCommand: readTeamPerm("1000")},
+			},
+			options: accesscontrol.SearchOptions{
+				ActionPrefix: "teams:",
+				UserID:       1,
+			},
+			wantPerm: map[int64][]accesscontrol.Permission{
+				1: {{Action: "teams:read", Scope: "teams:id:1"}, {Action: "teams:read", Scope: "teams:id:10"},
+					{Action: "teams:read", Scope: "teams:id:100"}, {Action: "teams:read", Scope: "teams:id:1000"}},
+			},
+		},
 		{
 			name:  "filter permissions by action prefix",
 			users: []testUser{{orgRole: org.RoleAdmin, isAdmin: true}},
@ -519,10 +547,11 @@ func TestIntegrationAccessControlStore_SearchUsersPermissions(t *testing.T) {
 func TestAccessControlStore_GetUsersBasicRoles(t *testing.T) {
 	ctx := context.Background()
 	tests := []struct {
-		name      string
-		users     []testUser
-		wantRoles map[int64][]string
-		wantErr   bool
+		name       string
+		users      []testUser
+		userFilter []int64
+		wantRoles  map[int64][]string
+		wantErr    bool
 	}{
 		{
 			name:      "user with basic role",
@ -548,6 +577,17 @@ func TestAccessControlStore_GetUsersBasicRoles(t *testing.T) {
 				2: {accesscontrol.RoleGrafanaAdmin},
 			},
 		},
+		{
+			name:       "when filtered to one user, returns results only for that user",
+			userFilter: []int64{2},
+			users: []testUser{
+				{orgRole: org.RoleAdmin, isAdmin: false},
+				{orgRole: org.RoleEditor, isAdmin: true},
+			},
+			wantRoles: map[int64][]string{
+				2: {string(org.RoleEditor), accesscontrol.RoleGrafanaAdmin},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -555,7 +595,7 @@ func TestAccessControlStore_GetUsersBasicRoles(t *testing.T) {
 			dbUsers := createUsersAndTeams(t, helperServices{userSvc, teamSvc, orgSvc}, 1, tt.users)

 			// Test
-			dbRoles, err := acStore.GetUsersBasicRoles(ctx, 1)
+			dbRoles, err := acStore.GetUsersBasicRoles(ctx, tt.userFilter, 1)
 			if tt.wantErr {
 				require.NotNil(t, err)
 				return