Nested folders: Fix search query for empty self-contained permissions (#72727)
* Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review

committed by
GitHub

parent
dbef9899ac
commit
8a24e891fe
@ -194,17 +194,22 @@ func (f *accessControlDashboardPermissionFilter) buildClauses() {
|
||||
|
||||
switch f.features.IsEnabled(featuremgmt.FlagNestedFolders) {
|
||||
case true:
|
||||
switch f.recursiveQueriesAreSupported {
|
||||
case true:
|
||||
recQueryName := fmt.Sprintf("RecQry%d", len(f.recQueries))
|
||||
f.addRecQry(recQueryName, permSelector.String(), permSelectorArgs)
|
||||
if len(permSelectorArgs) > 0 {
|
||||
switch f.recursiveQueriesAreSupported {
|
||||
case true:
|
||||
builder.WriteString("(dashboard.folder_id IN (SELECT d.id FROM dashboard as d ")
|
||||
recQueryName := fmt.Sprintf("RecQry%d", len(f.recQueries))
|
||||
f.addRecQry(recQueryName, permSelector.String(), permSelectorArgs)
|
||||
builder.WriteString(fmt.Sprintf("WHERE d.uid IN (SELECT uid FROM %s)", recQueryName))
|
||||
default:
|
||||
nestedFoldersSelectors, nestedFoldersArgs := f.nestedFoldersSelectors(permSelector.String(), permSelectorArgs, "dashboard.folder_id", "d.id")
|
||||
builder.WriteRune('(')
|
||||
builder.WriteString(nestedFoldersSelectors)
|
||||
args = append(args, nestedFoldersArgs...)
|
||||
}
|
||||
} else {
|
||||
builder.WriteString("(dashboard.folder_id IN (SELECT d.id FROM dashboard as d ")
|
||||
builder.WriteString(fmt.Sprintf("WHERE d.uid IN (SELECT uid FROM %s)", recQueryName))
|
||||
default:
|
||||
nestedFoldersSelectors, nestedFoldersArgs := f.nestedFoldersSelectors(permSelector.String(), permSelectorArgs, "dashboard.folder_id", "d.id")
|
||||
builder.WriteRune('(')
|
||||
builder.WriteString(nestedFoldersSelectors)
|
||||
args = append(args, nestedFoldersArgs...)
|
||||
builder.WriteString("WHERE 1 = 0")
|
||||
}
|
||||
default:
|
||||
builder.WriteString("(dashboard.folder_id IN (SELECT d.id FROM dashboard as d ")
|
||||
@ -261,18 +266,22 @@ func (f *accessControlDashboardPermissionFilter) buildClauses() {
|
||||
|
||||
switch f.features.IsEnabled(featuremgmt.FlagNestedFolders) {
|
||||
case true:
|
||||
switch f.recursiveQueriesAreSupported {
|
||||
case true:
|
||||
recQueryName := fmt.Sprintf("RecQry%d", len(f.recQueries))
|
||||
f.addRecQry(recQueryName, permSelector.String(), permSelectorArgs)
|
||||
builder.WriteString("(dashboard.uid IN ")
|
||||
builder.WriteString(fmt.Sprintf("(SELECT uid FROM %s)", recQueryName))
|
||||
default:
|
||||
nestedFoldersSelectors, nestedFoldersArgs := f.nestedFoldersSelectors(permSelector.String(), permSelectorArgs, "dashboard.uid", "d.uid")
|
||||
builder.WriteRune('(')
|
||||
builder.WriteString(nestedFoldersSelectors)
|
||||
builder.WriteRune(')')
|
||||
args = append(args, nestedFoldersArgs...)
|
||||
if len(permSelectorArgs) > 0 {
|
||||
switch f.recursiveQueriesAreSupported {
|
||||
case true:
|
||||
recQueryName := fmt.Sprintf("RecQry%d", len(f.recQueries))
|
||||
f.addRecQry(recQueryName, permSelector.String(), permSelectorArgs)
|
||||
builder.WriteString("(dashboard.uid IN ")
|
||||
builder.WriteString(fmt.Sprintf("(SELECT uid FROM %s)", recQueryName))
|
||||
default:
|
||||
nestedFoldersSelectors, nestedFoldersArgs := f.nestedFoldersSelectors(permSelector.String(), permSelectorArgs, "dashboard.uid", "d.uid")
|
||||
builder.WriteRune('(')
|
||||
builder.WriteString(nestedFoldersSelectors)
|
||||
builder.WriteRune(')')
|
||||
args = append(args, nestedFoldersArgs...)
|
||||
}
|
||||
} else {
|
||||
builder.WriteString("(1 = 0")
|
||||
}
|
||||
default:
|
||||
if len(permSelectorArgs) > 0 {
|
||||
|
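Review bot: The new `else` branches that write `WHERE 1 = 0` and `(1 = 0` are the fail-closed path of an access-control filter, but nothing in the code says so, and each has to leave the same number of parentheses open as the `if` branch it pairs with, since the closing `)` is written outside these hunks. A short comment on each, such as `// no permissions resolved: emit an always-false clause so the search returns nothing`, would keep a later refactor from dropping or loosening the branch. The same applies to the two hunks in the NoFolderSubquery filter. The identical `if len(permSelectorArgs) > 0 { … } else { … }` shape now appears four times with slightly different deny strings, so a small helper that writes the deny clause would keep the variants from drifting. buildClauses starts and ends outside both hunks, so the paren balance cannot be confirmed from here.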
@ -109,19 +109,23 @@ func (f *accessControlDashboardPermissionFilterNoFolderSubquery) buildClauses()
|
||||
|
||||
switch f.features.IsEnabled(featuremgmt.FlagNestedFolders) {
|
||||
case true:
|
||||
switch f.recursiveQueriesAreSupported {
|
||||
case true:
|
||||
recQueryName := fmt.Sprintf("RecQry%d", len(f.recQueries))
|
||||
f.addRecQry(recQueryName, permSelector.String(), permSelectorArgs)
|
||||
builder.WriteString("(folder.uid IN (SELECT uid FROM " + recQueryName)
|
||||
default:
|
||||
nestedFoldersSelectors, nestedFoldersArgs := f.nestedFoldersSelectors(permSelector.String(), permSelectorArgs, "folder.uid", "")
|
||||
builder.WriteRune('(')
|
||||
builder.WriteString(nestedFoldersSelectors)
|
||||
args = append(args, nestedFoldersArgs...)
|
||||
if len(permSelectorArgs) > 0 {
|
||||
switch f.recursiveQueriesAreSupported {
|
||||
case true:
|
||||
recQueryName := fmt.Sprintf("RecQry%d", len(f.recQueries))
|
||||
f.addRecQry(recQueryName, permSelector.String(), permSelectorArgs)
|
||||
builder.WriteString("(folder.uid IN (SELECT uid FROM " + recQueryName)
|
||||
default:
|
||||
nestedFoldersSelectors, nestedFoldersArgs := f.nestedFoldersSelectors(permSelector.String(), permSelectorArgs, "folder.uid", "")
|
||||
builder.WriteRune('(')
|
||||
builder.WriteString(nestedFoldersSelectors)
|
||||
args = append(args, nestedFoldersArgs...)
|
||||
}
|
||||
f.folderIsRequired = true
|
||||
builder.WriteString(") AND NOT dashboard.is_folder)")
|
||||
} else {
|
||||
builder.WriteString("( 1 = 0 AND NOT dashboard.is_folder)")
|
||||
}
|
||||
f.folderIsRequired = true
|
||||
builder.WriteString(") AND NOT dashboard.is_folder)")
|
||||
default:
|
||||
builder.WriteString("(")
|
||||
if len(permSelectorArgs) > 0 {
|
||||
@ -177,18 +181,22 @@ func (f *accessControlDashboardPermissionFilterNoFolderSubquery) buildClauses()
|
||||
|
||||
switch f.features.IsEnabled(featuremgmt.FlagNestedFolders) {
|
||||
case true:
|
||||
switch f.recursiveQueriesAreSupported {
|
||||
case true:
|
||||
recQueryName := fmt.Sprintf("RecQry%d", len(f.recQueries))
|
||||
f.addRecQry(recQueryName, permSelector.String(), permSelectorArgs)
|
||||
builder.WriteString("(dashboard.uid IN ")
|
||||
builder.WriteString(fmt.Sprintf("(SELECT uid FROM %s)", recQueryName))
|
||||
default:
|
||||
nestedFoldersSelectors, nestedFoldersArgs := f.nestedFoldersSelectors(permSelector.String(), permSelectorArgs, "dashboard.uid", "")
|
||||
builder.WriteRune('(')
|
||||
builder.WriteString(nestedFoldersSelectors)
|
||||
builder.WriteRune(')')
|
||||
args = append(args, nestedFoldersArgs...)
|
||||
if len(permSelectorArgs) > 0 {
|
||||
switch f.recursiveQueriesAreSupported {
|
||||
case true:
|
||||
recQueryName := fmt.Sprintf("RecQry%d", len(f.recQueries))
|
||||
f.addRecQry(recQueryName, permSelector.String(), permSelectorArgs)
|
||||
builder.WriteString("(dashboard.uid IN ")
|
||||
builder.WriteString(fmt.Sprintf("(SELECT uid FROM %s)", recQueryName))
|
||||
default:
|
||||
nestedFoldersSelectors, nestedFoldersArgs := f.nestedFoldersSelectors(permSelector.String(), permSelectorArgs, "dashboard.uid", "")
|
||||
builder.WriteRune('(')
|
||||
builder.WriteString(nestedFoldersSelectors)
|
||||
builder.WriteRune(')')
|
||||
args = append(args, nestedFoldersArgs...)
|
||||
}
|
||||
} else {
|
||||
builder.WriteString("(1 = 0")
|
||||
}
|
||||
default:
|
||||
if len(permSelectorArgs) > 0 {
|
||||
|
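Review bot: In the first hunk the deny branch writes `( 1 = 0 AND NOT dashboard.is_folder)` without setting `f.folderIsRequired = true`, which reads like an omission next to the `if` branch. It looks intentional, since the clause never references `folder`. A comment such as `// deny clause does not reference folder.*, so folderIsRequired stays unset` would make that explicit. The literal also has a stray space after the opening parenthesis that the `(1 = 0` in the second hunk does not. buildClauses continues outside both hunks.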
@ -382,6 +382,39 @@ func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
|
||||
expectedResult []string
|
||||
features []interface{}
|
||||
}{
|
||||
{
|
||||
desc: "Should not be able to view dashboards under inherited folders with no permissions if nested folders are enabled",
|
||||
queryType: searchstore.TypeDashboard,
|
||||
permission: dashboards.PERMISSION_VIEW,
|
||||
permissions: nil,
|
||||
features: []interface{}{featuremgmt.FlagNestedFolders},
|
||||
expectedResult: nil,
|
||||
},
|
||||
{
|
||||
desc: "Should not be able to view inherited folders with no permissions if nested folders are enabled",
|
||||
queryType: searchstore.TypeFolder,
|
||||
permission: dashboards.PERMISSION_VIEW,
|
||||
permissions: nil,
|
||||
features: []interface{}{featuremgmt.FlagNestedFolders},
|
||||
expectedResult: nil,
|
||||
},
|
||||
{
|
||||
desc: "Should not be able to view inherited dashboards and folders with no permissions if nested folders are enabled",
|
||||
permission: dashboards.PERMISSION_VIEW,
|
||||
permissions: nil,
|
||||
features: []interface{}{featuremgmt.FlagNestedFolders},
|
||||
expectedResult: nil,
|
||||
},
|
||||
{
|
||||
desc: "Should be able to view dashboards under inherited folders with wildcard scope if nested folders are enabled",
|
||||
queryType: searchstore.TypeDashboard,
|
||||
permission: dashboards.PERMISSION_VIEW,
|
||||
permissions: []accesscontrol.Permission{
|
||||
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
|
||||
},
|
||||
features: []interface{}{featuremgmt.FlagNestedFolders},
|
||||
expectedResult: []string{"dashboard under parent folder", "dashboard under subfolder"},
|
||||
},
|
||||
{
|
||||
desc: "Should be able to view dashboards under inherited folders if nested folders are enabled",
|
||||
queryType: searchstore.TypeDashboard,
|
||||
@ -502,6 +535,39 @@ func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermission
|
||||
expectedResult []string
|
||||
features []interface{}
|
||||
}{
|
||||
{
|
||||
desc: "Should not be able to view dashboards under inherited folders with no permissions if nested folders are enabled",
|
||||
queryType: searchstore.TypeDashboard,
|
||||
permission: dashboards.PERMISSION_VIEW,
|
||||
signedInUserPermissions: nil,
|
||||
features: []interface{}{featuremgmt.FlagNestedFolders},
|
||||
expectedResult: nil,
|
||||
},
|
||||
{
|
||||
desc: "Should not be able to view inherited folders with no permissions if nested folders are enabled",
|
||||
queryType: searchstore.TypeFolder,
|
||||
permission: dashboards.PERMISSION_VIEW,
|
||||
signedInUserPermissions: nil,
|
||||
features: []interface{}{featuremgmt.FlagNestedFolders},
|
||||
expectedResult: nil,
|
||||
},
|
||||
{
|
||||
desc: "Should not be able to view inherited dashboards and folders with no permissions if nested folders are enabled",
|
||||
permission: dashboards.PERMISSION_VIEW,
|
||||
signedInUserPermissions: nil,
|
||||
features: []interface{}{featuremgmt.FlagNestedFolders},
|
||||
expectedResult: nil,
|
||||
},
|
||||
{
|
||||
desc: "Should be able to view dashboards under inherited folders with wildcard scope if nested folders are enabled",
|
||||
queryType: searchstore.TypeDashboard,
|
||||
permission: dashboards.PERMISSION_VIEW,
|
||||
signedInUserPermissions: []accesscontrol.Permission{
|
||||
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
|
||||
},
|
||||
features: []interface{}{featuremgmt.FlagNestedFolders},
|
||||
expectedResult: []string{"dashboard under parent folder", "dashboard under subfolder"},
|
||||
},
|
||||
{
|
||||
desc: "Should be able to view dashboards under inherited folders if nested folders are enabled",
|
||||
queryType: searchstore.TypeDashboard,
|
||||
|
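Review bot: The added no-permission cases in both tables enable only `featuremgmt.FlagNestedFolders`, so these hunks do not show that the deny branch behind the permissionsFilterRemoveSubquery flag, or the non-recursive fallback, is exercised. If the test bodies outside the hunks do not already iterate over those variants, add the same `permissions: nil` / `signedInUserPermissions: nil` cases with that flag in `features`. An empty non-nil slice, `[]accesscontrol.Permission{}`, would be a cheap extra case to pin that it is denied like nil. Both test functions start and end outside the hunks.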