AccessControl: Add access control actions and scopes to team update and delete

* AccessControl: Add access control actions and scopes to team update and delete

* AccessControl: Add tests for AC guards in update/delete

* AccessControl: add fixed role for team writer

* AccessControl: ensure team related AC is deleted with team

* Update pkg/api/team_test.go
J Guerreiro
2022-01-27 15:16:44 +00:00
committed by GitHub
parent 1a9c293984
commit cb6e5ae8ce
7 changed files with 132 additions and 20 deletions


@ -9,6 +9,7 @@ import (
"github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/models"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
)
func (ss *SQLStore) addTeamQueryAndCommandHandlers() {
@ -147,6 +148,7 @@ func (ss *SQLStore) DeleteTeam(ctx context.Context, cmd *models.DeleteTeamComman
"DELETE FROM team_member WHERE org_id=? and team_id = ?",
"DELETE FROM team WHERE org_id=? and id = ?",
"DELETE FROM dashboard_acl WHERE org_id=? and team_id = ?",
"DELETE FROM team_role WHERE org_id=? and team_id = ?",
}
for _, sql := range deletes {
@ -155,7 +157,10 @@ func (ss *SQLStore) DeleteTeam(ctx context.Context, cmd *models.DeleteTeamComman
return err
}
}
return nil
_, err := sess.Exec("DELETE FROM permission WHERE scope=?", ac.Scope("teams", "id", fmt.Sprint(cmd.Id)))
return err
})
}
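Review bot: The new `DELETE FROM permission WHERE scope=?` at the end of DeleteTeam is the only delete in this transaction that is not constrained by `org_id`; it matches purely on the scope string built from `cmd.Id`. The start of the function is outside the hunk, so I cannot see whether it first verifies that team `cmd.Id` belongs to `cmd.OrgId`. If it does not, a command with a mismatched org would leave the team rows untouched but still remove permissions scoped to another organisation's team. I would state the dependency next to the statement, e.g. `// permission is matched by scope only; relies on the team/org existence check above`, and add a store test asserting that a DeleteTeam call with the wrong OrgId leaves the `teams:id:<id>` permission rows in place. As a smaller style point, `strconv.FormatInt(cmd.Id, 10)` makes the scope format explicit where `fmt.Sprint(cmd.Id)` leaves it implicit.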