23 Commits

Author SHA1 Message Date
694b9dfe50 Chore: Replace xorm.io/xorm imports (#104458)
* replace xorm.io/xorm imports

* replace xorm from other go.mod files

* clean up workspace

* nolint does not make sense anymore as it is not a module

* try if nolint directive helps

* use nolint:all for xorm

* add more nolints

* try to skip xorm in linter config

* exclude xorm differently

* retrigger ci
2025-05-02 17:13:01 +02:00
12605bfed2 Alerting: Update fixed roles to include silences permissions (#85826)
* update fixed roles to include silences
* add silence actions to managed permissions
* update documentation
2024-04-12 12:37:34 -04:00
65534e62a6 RBAC: add kind, attribute and identifier to annotation permissions during the migration (#83299)
add kind, attribute and identifier to annotation permissions during the migration
2024-02-23 16:03:23 +00:00
048d1e7c86 RBAC: Annotation permission migration (#78899)
* add annotation permissions to dashboard managed role and add migrations for annotation permissions

* fix a bug with conditional access level definitions

* add tests

* Update pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* apply feedback

* add batching, fix tests and a typo

* add one more test

* undo unneeded change

* undo unwanted change

* only check the default basic permissions for non-OSS instances

* account for all wildcards and simplify the check a bit

* error handling and extra conditionals to avoid test failures

* fix a bug with admin permissions not appearing for folders

* fix the OSS check

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2024-01-26 17:17:29 +00:00
Jo
0de66a8099 Authz: Remove use of SignedInUser copy for permission evaluation (#78448)
* remove use of SignedInUserCopies

* add extra safety to not cross assign permissions

unwind circular dependency

dashboardacl->dashboardaccess

fix missing import

* correctly set teams for permissions

* fix missing inits

* nit: check err

* exit early for api keys
2023-11-22 14:20:22 +01:00
a12cb8cbf3 LibraryPanels: Add RBAC support (#73475) 2023-10-12 00:30:50 +01:00
025b2f3011 Chore: use any rather than interface{} (#74066) 2023-08-30 18:46:47 +03:00
3abaf32cf2 Chore: Upgrade golangci-lint to v1.51.2 (#63630)
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
2023-02-23 15:10:03 +01:00
e8b8a9e276 chore: move dashboard_acl models into dashboard service (#62151) 2023-01-26 08:46:30 -05:00
68445a7c77 Chore: Remove dashboard ACL from models (#61749)
* Remove dashboard ACL from models

* Remove unused comment
2023-01-20 14:58:47 +01:00
6aaf36776b RBAC: Handle edge case where there is duplicated acl entries for a role on a single dashboard (#58079)
* RBAC: Handle edge case where there is duplicated acl entries for a role
on a single dashboard
2022-11-30 10:29:21 +01:00
fc1b647474 Auth: Add fixed repeat migration w. checks for subset of permissions (#58054)
* add: added a repeat migration w. fixed checks for permissions

* add: migration to migrations

* refactor: fix migration instead of making a new one

* fix: removed the old id

* fix: keep old name but change id

* add: migration for patched previous migration

* add: migration from missing file
2022-11-03 08:57:20 +00:00
6d5bdf12e8 resolve merge conflicts (#55503) 2022-09-20 13:31:08 -04:00
39025bb4cd add logs to debug failing migration (#52447) 2022-07-19 09:34:49 -04:00
f5cace8bbd Rename Acl to ACL (#52342)
* Rename Acl to ACL

* Fix yaml files

* Add xorm tags and fix test
2022-07-18 15:14:58 +02:00
c851907fc3 Access Control: Fix missing folder permissions (#52153)
* add the migration

* Update pkg/services/sqlstore/migrations/accesscontrol/dashboard_permissions.go

Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>

Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
2022-07-14 12:01:21 -04:00
bdff63d4a8 RBAC: Include alert.rules action when setting folder permissions (#49946)
* Generate additional actions when setting folder permissions in acl list

* Add migration for managed folder permissions to include alert rule
actions
2022-06-01 15:29:37 +02:00
f4f25d911b add migrator to drop folder create actions that was set fromt he folder (#49878) 2022-05-31 12:45:22 +02:00
2738d1c557 Access Control: Move dashboard actions and create scope provider (#48618)
* Move dashboard actions and create scope provider
2022-05-04 16:12:09 +02:00
a5e4a533fa Access control: use uid for dashboard and folder scopes (#46807)
* use uid:s for folder and dashboard permissions

* evaluate folder and dashboard permissions based on uids

* add dashboard.uid to accept list

* Check for exact suffix

* Check parent folder on create

* update test

* drop dashboard:create actions with dashboard scope

* fix typo

* AccessControl: test id 0 scope conversion

* AccessControl: store only parent folder UID

* AccessControl: extract general as a constant

* FolderServices: Prevent creation of a folder uid'd general

* FolderServices: Test folder creation prevention

* Update pkg/services/guardian/accesscontrol_guardian.go

* FolderServices: fix mock call expect

* FolderServices: remove uneeded mocks

Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 15:14:26 +02:00
9dc06cd21f simplify bulkAssignRoles (#46891) 2022-03-24 18:06:44 +01:00
314be36a7c Move datasource scopes and actions to access control package (#46334)
* create scope provider
* move datasource actions and scopes to datasource package + add provider
* change usages to use datasource scopes and update data source name resolver to use provider
* move folder permissions to dashboard package and update usages
2022-03-09 11:57:50 -05:00
4982ca3b1d Access control: Use access control for dashboard and folder (#44702)
* Add actions and scopes

* add resource service for dashboard and folder

* Add dashboard guardian with fgac permission evaluation

* Add CanDelete function to guardian interface

* Add CanDelete property to folder and dashboard dto and set values

* change to correct function name

* Add accesscontrol to folder endpoints

* add access control to dashboard endpoints

* check access for nav links

* Add fixed roles for dashboard and folders

* use correct package

* add hack to override guardian Constructor if accesscontrol is enabled

* Add services

* Add function to handle api backward compatability

* Add permissionServices to HttpServer

* Set permission when new dashboard is created

* Add default permission when creating new dashboard

* Set default permission when creating folder and dashboard

* Add access control filter for dashboard search

* Add to accept list

* Add accesscontrol to dashboardimport

* Disable access control in tests

* Add check to see if user is allow to create a dashboard

* Use SetPermissions

* Use function to set several permissions at once

* remove permissions for folder and dashboard on delete

* update required permission

* set permission for provisioning

* Add CanCreate to dashboard guardian and set correct permisisons for
provisioning

* Dont set admin on folder / dashboard creation

* Add dashboard and folder permission migrations

* Add tests for CanCreate

* Add roles and update descriptions

* Solve uid to id for dashboard and folder permissions

* Add folder and dashboard actions to permission filter

* Handle viewer_can_edit flag

* set folder and dashboard permissions services

* Add dashboard permissions when importing a new dashboard

* Set access control permissions on provisioning

* Pass feature flags and only set permissions if access control is enabled

* only add default permissions for folders and dashboards without folders

* Batch create permissions in migrations


* Remove `dashboards:edit` action

* Remove unused function from interface

* Update pkg/services/guardian/accesscontrol_guardian_test.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 15:05:47 +01:00