RBAC: Fix dashboard filter in SQLBuilder (#53379)

* Reuse DasbhoardPermissionFilter * Use rbac dashboard filter if enabled
2025-09-22 16:03:09 +08:00 · 2022-08-10 10:32:03 +02:00
parent 6d495a6a8e
commit aa484a60c9
7 changed files with 48 additions and 69 deletions
--- a/pkg/services/sqlstore/sqlbuilder.go
+++ b/pkg/services/sqlstore/sqlbuilder.go
@ -2,12 +2,19 @@ package sqlstore

 import (
 	"bytes"
-	"strings"

 	"github.com/grafana/grafana/pkg/models"
+	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/sqlstore/permissions"
+	"github.com/grafana/grafana/pkg/setting"
 )

+func NewSqlBuilder(cfg *setting.Cfg) SQLBuilder {
+	return SQLBuilder{cfg: cfg}
+}
+
 type SQLBuilder struct {
+	cfg    *setting.Cfg
 	sql    bytes.Buffer
 	params []interface{}
 }
@ -33,61 +40,22 @@ func (sb *SQLBuilder) AddParams(params ...interface{}) {
 }

 func (sb *SQLBuilder) WriteDashboardPermissionFilter(user *models.SignedInUser, permission models.PermissionType) {
-	if user.OrgRole == models.ROLE_ADMIN {
-		return
+	var (
+		sql    string
+		params []interface{}
+	)
+	if !ac.IsDisabled(sb.cfg) {
+		sql, params = permissions.NewAccessControlDashboardPermissionFilter(user, permission, "").Where()
+	} else {
+		sql, params = permissions.DashboardPermissionFilter{
+			OrgRole:         user.OrgRole,
+			Dialect:         dialect,
+			UserId:          user.UserId,
+			OrgId:           user.OrgId,
+			PermissionLevel: permission,
+		}.Where()
 	}

-	okRoles := []interface{}{user.OrgRole}
-
-	if user.OrgRole == models.ROLE_EDITOR {
-		okRoles = append(okRoles, models.ROLE_VIEWER)
-	}
-
-	falseStr := dialect.BooleanStr(false)
-
-	sb.sql.WriteString(` AND
-	(
-		dashboard.id IN (
-			SELECT distinct DashboardId from (
-				SELECT d.id AS DashboardId
-					FROM dashboard AS d
-					LEFT JOIN dashboard_acl AS da ON
-						da.dashboard_id = d.id OR
-						da.dashboard_id = d.folder_id
-					WHERE
-						d.org_id = ? AND
-						da.permission >= ? AND
-						(
-							da.user_id = ? OR
-							da.team_id IN (SELECT team_id from team_member AS tm WHERE tm.user_id = ?) OR
-							da.role IN (?` + strings.Repeat(",?", len(okRoles)-1) + `)
-						)
-				UNION
-				SELECT d.id AS DashboardId
-					FROM dashboard AS d
-					LEFT JOIN dashboard AS folder on folder.id = d.folder_id
-					LEFT JOIN dashboard_acl AS da ON
-						(
-							-- include default permissions -->
-							da.org_id = -1 AND (
-							  (folder.id IS NOT NULL AND folder.has_acl = ` + falseStr + `) OR
-							  (folder.id IS NULL AND d.has_acl = ` + falseStr + `)
-							)
-						)
-					WHERE
-						d.org_id = ? AND
-						da.permission >= ? AND
-						(
-							da.user_id = ? OR
-							da.role IN (?` + strings.Repeat(",?", len(okRoles)-1) + `)
-						)
-			) AS a
-		)
-	)`)
-
-	sb.params = append(sb.params, user.OrgId, permission, user.UserId, user.UserId)
-	sb.params = append(sb.params, okRoles...)
-
-	sb.params = append(sb.params, user.OrgId, permission, user.UserId)
-	sb.params = append(sb.params, okRoles...)
+	sb.sql.WriteString(" AND " + sql)
+	sb.params = append(sb.params, params...)
 }