grafana/pkg/services/sqlstore/dashboard_acl.go

package sqlstore

import (
	"fmt"
	"time"

	"github.com/grafana/grafana/pkg/bus"
	m "github.com/grafana/grafana/pkg/models"
)

func init() {
	bus.AddHandler("sql", SetDashboardAcl)
	bus.AddHandler("sql", UpdateDashboardAcl)
	bus.AddHandler("sql", RemoveDashboardAcl)
	bus.AddHandler("sql", GetDashboardAclInfoList)
}

func UpdateDashboardAcl(cmd *m.UpdateDashboardAclCommand) error {
	return inTransaction(func(sess *DBSession) error {
		// delete existing items
		_, err := sess.Exec("DELETE FROM dashboard_acl WHERE dashboard_id=?", cmd.DashboardId)
		if err != nil {
			return err
		}

		for _, item := range cmd.Items {
			if item.UserId == 0 && item.TeamId == 0 && !item.Role.IsValid() {
				return m.ErrDashboardAclInfoMissing
			}

			if item.DashboardId == 0 {
				return m.ErrDashboardPermissionDashboardEmpty
			}

			sess.Nullable("user_id", "team_id")
			if _, err := sess.Insert(item); err != nil {
				return err
			}
		}

		// Update dashboard HasAcl flag
		dashboard := m.Dashboard{HasAcl: true}
		if _, err := sess.Cols("has_acl").Where("id=? OR folder_id=?", cmd.DashboardId, cmd.DashboardId).Update(&dashboard); err != nil {
			return err
		}
		return nil
	})
}

func SetDashboardAcl(cmd *m.SetDashboardAclCommand) error {
	return inTransaction(func(sess *DBSession) error {
		if cmd.UserId == 0 && cmd.TeamId == 0 {
			return m.ErrDashboardAclInfoMissing
		}

		if cmd.DashboardId == 0 {
			return m.ErrDashboardPermissionDashboardEmpty
		}

		if res, err := sess.Query("SELECT 1 from "+dialect.Quote("dashboard_acl")+" WHERE dashboard_id =? and (team_id=? or user_id=?)", cmd.DashboardId, cmd.TeamId, cmd.UserId); err != nil {
			return err
		} else if len(res) == 1 {

			entity := m.DashboardAcl{
				Permission: cmd.Permission,
				Updated:    time.Now(),
			}

			if _, err := sess.Cols("updated", "permission").Where("dashboard_id =? and (team_id=? or user_id=?)", cmd.DashboardId, cmd.TeamId, cmd.UserId).Update(&entity); err != nil {
				return err
			}

			return nil
		}

		entity := m.DashboardAcl{
			OrgId:       cmd.OrgId,
			TeamId:      cmd.TeamId,
			UserId:      cmd.UserId,
			Created:     time.Now(),
			Updated:     time.Now(),
			DashboardId: cmd.DashboardId,
			Permission:  cmd.Permission,
		}

		cols := []string{"org_id", "created", "updated", "dashboard_id", "permission"}

		if cmd.UserId != 0 {
			cols = append(cols, "user_id")
		}

		if cmd.TeamId != 0 {
			cols = append(cols, "team_id")
		}

		_, err := sess.Cols(cols...).Insert(&entity)
		if err != nil {
			return err
		}

		cmd.Result = entity

		// Update dashboard HasAcl flag
		dashboard := m.Dashboard{
			HasAcl: true,
		}

		if _, err := sess.Cols("has_acl").Where("id=? OR folder_id=?", cmd.DashboardId, cmd.DashboardId).Update(&dashboard); err != nil {
			return err
		}

		return nil
	})
}

// RemoveDashboardAcl removes a specified permission from the dashboard acl
func RemoveDashboardAcl(cmd *m.RemoveDashboardAclCommand) error {
	return inTransaction(func(sess *DBSession) error {
		var rawSQL = "DELETE FROM " + dialect.Quote("dashboard_acl") + " WHERE org_id =? and id=?"
		_, err := sess.Exec(rawSQL, cmd.OrgId, cmd.AclId)
		if err != nil {
			return err
		}

		return err
	})
}

// GetDashboardAclInfoList returns a list of permissions for a dashboard. They can be fetched from three
// different places.
// 1) Permissions for the dashboard
// 2) permissions for its parent folder
// 3) if no specific permissions have been set for the dashboard or its parent folder then get the default permissions
func GetDashboardAclInfoList(query *m.GetDashboardAclInfoListQuery) error {
	var err error

	if query.DashboardId == 0 {
		sql := `SELECT
		da.id,
		da.org_id,
		da.dashboard_id,
		da.user_id,
		da.team_id,
		da.permission,
		da.role,
		da.created,
		da.updated,
		'' as user_login,
		'' as user_email,
		'' as team,
		'' as title,
		'' as slug,
		'' as uid,` +
			dialect.BooleanStr(false) + ` AS is_folder
		FROM dashboard_acl as da
		WHERE da.dashboard_id = -1`
		query.Result = make([]*m.DashboardAclInfoDTO, 0)
		err = x.SQL(sql).Find(&query.Result)

	} else {
		dashboardFilter := fmt.Sprintf(`IN (
			SELECT %d
			UNION
			SELECT folder_id from dashboard where id = %d
		  )`, query.DashboardId, query.DashboardId)

		rawSQL := `
			-- get permissions for the dashboard and its parent folder
			SELECT
				da.id,
				da.org_id,
				da.dashboard_id,
				da.user_id,
				da.team_id,
				da.permission,
				da.role,
				da.created,
				da.updated,
				u.login AS user_login,
				u.email AS user_email,
				ug.name AS team,
				d.title,
				d.slug,
				d.uid,
				d.is_folder
		  FROM` + dialect.Quote("dashboard_acl") + ` as da
				LEFT OUTER JOIN ` + dialect.Quote("user") + ` AS u ON u.id = da.user_id
				LEFT OUTER JOIN team ug on ug.id = da.team_id
				LEFT OUTER JOIN dashboard d on da.dashboard_id = d.id
			WHERE dashboard_id ` + dashboardFilter + ` AND da.org_id = ?

			-- Also include default permissions if folder or dashboard field "has_acl" is false

			UNION
				SELECT
					da.id,
					da.org_id,
					da.dashboard_id,
					da.user_id,
					da.team_id,
					da.permission,
					da.role,
					da.created,
					da.updated,
					'' as user_login,
					'' as user_email,
					'' as team,
					folder.title,
					folder.slug,
					folder.uid,
					folder.is_folder
				FROM dashboard_acl as da,
				dashboard as dash
				LEFT OUTER JOIN dashboard folder on dash.folder_id = folder.id
					WHERE
						dash.id = ? AND (
							dash.has_acl = ` + dialect.BooleanStr(false) + ` or
							folder.has_acl = ` + dialect.BooleanStr(false) + `
						) AND
						da.dashboard_id = -1
			ORDER BY 1 ASC
			`

		query.Result = make([]*m.DashboardAclInfoDTO, 0)
		err = x.SQL(rawSQL, query.OrgId, query.DashboardId).Find(&query.Result)
	}

	for _, p := range query.Result {
		p.PermissionName = p.Permission.String()
	}

	return err
}
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`package sqlstore`

			`import (`
acl: more acl work 2017-06-23 03:16:41 +08:00			`"fmt"`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`"time"`

			`"github.com/grafana/grafana/pkg/bus"`
			`m "github.com/grafana/grafana/pkg/models"`
			`)`

			`func init() {`
refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`bus.AddHandler("sql", SetDashboardAcl)`
dashboard acl work 2017-06-22 07:02:03 +08:00			`bus.AddHandler("sql", UpdateDashboardAcl)`
refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`bus.AddHandler("sql", RemoveDashboardAcl)`
refactoring more renaming 2017-06-20 05:30:54 +08:00			`bus.AddHandler("sql", GetDashboardAclInfoList)`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`}`

dashboard acl work 2017-06-22 07:02:03 +08:00			`func UpdateDashboardAcl(cmd *m.UpdateDashboardAclCommand) error {`
			`return inTransaction(func(sess *DBSession) error {`
			`// delete existing items`
			`_, err := sess.Exec("DELETE FROM dashboard_acl WHERE dashboard_id=?", cmd.DashboardId)`
			`if err != nil {`
			`return err`
			`}`

			`for _, item := range cmd.Items {`
refactor: rename User Groups to Teams 2017-12-08 23:25:45 +08:00			`if item.UserId == 0 && item.TeamId == 0 && !item.Role.IsValid() {`
dashboard acl work 2017-06-22 07:02:03 +08:00			`return m.ErrDashboardAclInfoMissing`
			`}`

			`if item.DashboardId == 0 {`
			`return m.ErrDashboardPermissionDashboardEmpty`
			`}`

refactor: rename User Groups to Teams 2017-12-08 23:25:45 +08:00			`sess.Nullable("user_id", "team_id")`
dashboard acl work 2017-06-22 07:02:03 +08:00			`if _, err := sess.Insert(item); err != nil {`
			`return err`
			`}`
			`}`

			`// Update dashboard HasAcl flag`
			`dashboard := m.Dashboard{HasAcl: true}`
dashboard folder search fix 2017-06-24 04:00:26 +08:00			`if _, err := sess.Cols("has_acl").Where("id=? OR folder_id=?", cmd.DashboardId, cmd.DashboardId).Update(&dashboard); err != nil {`
dashboard acl work 2017-06-22 07:02:03 +08:00			`return err`
			`}`
			`return nil`
			`})`
			`}`

refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`func SetDashboardAcl(cmd *m.SetDashboardAclCommand) error {`
WIP: fix after upstream sqlstore refactoring 2017-05-24 22:19:21 +08:00			`return inTransaction(func(sess *DBSession) error {`
refactor: rename User Groups to Teams 2017-12-08 23:25:45 +08:00			`if cmd.UserId == 0 && cmd.TeamId == 0 {`
refactoring: renaming 2017-06-20 06:19:58 +08:00			`return m.ErrDashboardAclInfoMissing`
WIP: remove permissions when deleting global user 2017-06-15 05:45:30 +08:00			`}`

WIP: fix acl route 2017-06-20 06:34:25 +08:00			`if cmd.DashboardId == 0 {`
			`return m.ErrDashboardPermissionDashboardEmpty`
			`}`

refactor: rename User Groups to Teams 2017-12-08 23:25:45 +08:00			`if res, err := sess.Query("SELECT 1 from "+dialect.Quote("dashboard_acl")+" WHERE dashboard_id =? and (team_id=? or user_id=?)", cmd.DashboardId, cmd.TeamId, cmd.UserId); err != nil {`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`return err`
			`} else if len(res) == 1 {`
dashboard acl work 2017-06-22 02:11:16 +08:00
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`entity := m.DashboardAcl{`
dashboard acl work 2017-06-22 02:11:16 +08:00			`Permission: cmd.Permission,`
			`Updated: time.Now(),`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`}`
dashboard acl work 2017-06-22 02:11:16 +08:00
refactor: rename User Groups to Teams 2017-12-08 23:25:45 +08:00			`if _, err := sess.Cols("updated", "permission").Where("dashboard_id =? and (team_id=? or user_id=?)", cmd.DashboardId, cmd.TeamId, cmd.UserId).Update(&entity); err != nil {`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`return err`
			`}`

			`return nil`
			`}`

			`entity := m.DashboardAcl{`
			`OrgId: cmd.OrgId,`
refactor: format files by gofmt 2017-12-12 00:46:05 +08:00			`TeamId: cmd.TeamId,`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`UserId: cmd.UserId,`
			`Created: time.Now(),`
			`Updated: time.Now(),`
			`DashboardId: cmd.DashboardId,`
dashboard acl work 2017-06-22 02:11:16 +08:00			`Permission: cmd.Permission,`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`}`

dashboard acl work 2017-06-22 02:11:16 +08:00			`cols := []string{"org_id", "created", "updated", "dashboard_id", "permission"}`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00
			`if cmd.UserId != 0 {`
			`cols = append(cols, "user_id")`
			`}`

refactor: rename User Groups to Teams 2017-12-08 23:25:45 +08:00			`if cmd.TeamId != 0 {`
			`cols = append(cols, "team_id")`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`}`

dashboard acl work 2017-06-22 02:11:16 +08:00			`_, err := sess.Cols(cols...).Insert(&entity)`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`if err != nil {`
			`return err`
			`}`
dashboard acl work 2017-06-22 02:11:16 +08:00
WIP: API - add dash permission 2017-06-10 03:56:13 +08:00			`cmd.Result = entity`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00
WIP: API - add dash permission 2017-06-10 03:56:13 +08:00			`// Update dashboard HasAcl flag`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`dashboard := m.Dashboard{`
			`HasAcl: true,`
			`}`
refactoring dashoard folder guardian 2017-06-18 06:24:38 +08:00
dashboard folder search fix 2017-06-24 04:00:26 +08:00			`if _, err := sess.Cols("has_acl").Where("id=? OR folder_id=?", cmd.DashboardId, cmd.DashboardId).Update(&dashboard); err != nil {`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`return err`
			`}`

			`return nil`
			`})`
			`}`

Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions 2018-02-05 21:28:24 +08:00			`// RemoveDashboardAcl removes a specified permission from the dashboard acl`
refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`func RemoveDashboardAcl(cmd *m.RemoveDashboardAclCommand) error {`
WIP: fix after upstream sqlstore refactoring 2017-05-24 22:19:21 +08:00			`return inTransaction(func(sess *DBSession) error {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`var rawSQL = "DELETE FROM " + dialect.Quote("dashboard_acl") + " WHERE org_id =? and id=?"`
			`_, err := sess.Exec(rawSQL, cmd.OrgId, cmd.AclId)`
WIP: Can remove dashboard permission - sql 2017-05-03 17:32:21 +08:00			`if err != nil {`
			`return err`
			`}`

			`return err`
			`})`
			`}`

Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions 2018-02-05 21:28:24 +08:00			`// GetDashboardAclInfoList returns a list of permissions for a dashboard. They can be fetched from three`
			`// different places.`
			`// 1) Permissions for the dashboard`
			`// 2) permissions for its parent folder`
			`// 3) if no specific permissions have been set for the dashboard or its parent folder then get the default permissions`
refactoring more renaming 2017-06-20 05:30:54 +08:00			`func GetDashboardAclInfoList(query *m.GetDashboardAclInfoListQuery) error {`
dashfolders: fixes #10671. Allow Editors default access to Root. Editors should be able to create dashboards in root and should be able to create folders. They cannot administrate permissions though and these dashboards and folders will get the default permissions. 2018-01-31 23:43:21 +08:00			`var err error`

			`if query.DashboardId == 0 {`
			sql := `SELECT
dashboard acl work 2017-06-22 02:11:16 +08:00			`da.id,`
			`da.org_id,`
			`da.dashboard_id,`
			`da.user_id,`
refactor: rename User Groups to Teams 2017-12-08 23:25:45 +08:00			`da.team_id,`
dashboard acl work 2017-06-22 02:11:16 +08:00			`da.permission,`
			`da.role,`
			`da.created,`
			`da.updated,`
dashfolders: fixes #10671. Allow Editors default access to Root. Editors should be able to create dashboards in root and should be able to create folders. They cannot administrate permissions though and these dashboards and folders will get the default permissions. 2018-01-31 23:43:21 +08:00			`'' as user_login,`
			`'' as user_email,`
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions 2018-02-05 21:28:24 +08:00			`'' as team,`
			`'' as title,`
			`'' as slug,`
			'' as uid,` +
			dialect.BooleanStr(false) + ` AS is_folder
dashfolders: fixes #10671. Allow Editors default access to Root. Editors should be able to create dashboards in root and should be able to create folders. They cannot administrate permissions though and these dashboards and folders will get the default permissions. 2018-01-31 23:43:21 +08:00			`FROM dashboard_acl as da`
			WHERE da.dashboard_id = -1`
			`query.Result = make([]*m.DashboardAclInfoDTO, 0)`
			`err = x.SQL(sql).Find(&query.Result)`

			`} else {`
			dashboardFilter := fmt.Sprintf(`IN (
			`SELECT %d`
			`UNION`
			`SELECT folder_id from dashboard where id = %d`
			)`, query.DashboardId, query.DashboardId)

			rawSQL := `
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions 2018-02-05 21:28:24 +08:00			`-- get permissions for the dashboard and its parent folder`
dashfolders: fixes #10671. Allow Editors default access to Root. Editors should be able to create dashboards in root and should be able to create folders. They cannot administrate permissions though and these dashboards and folders will get the default permissions. 2018-01-31 23:43:21 +08:00			`SELECT`
			`da.id,`
			`da.org_id,`
			`da.dashboard_id,`
			`da.user_id,`
			`da.team_id,`
			`da.permission,`
			`da.role,`
			`da.created,`
			`da.updated,`
			`u.login AS user_login,`
			`u.email AS user_email,`
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions 2018-02-05 21:28:24 +08:00			`ug.name AS team,`
			`d.title,`
			`d.slug,`
			`d.uid,`
			`d.is_folder`
dashfolders: fixes #10671. Allow Editors default access to Root. Editors should be able to create dashboards in root and should be able to create folders. They cannot administrate permissions though and these dashboards and folders will get the default permissions. 2018-01-31 23:43:21 +08:00			FROM` + dialect.Quote("dashboard_acl") + ` as da
			LEFT OUTER JOIN ` + dialect.Quote("user") + ` AS u ON u.id = da.user_id
			`LEFT OUTER JOIN team ug on ug.id = da.team_id`
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions 2018-02-05 21:28:24 +08:00			`LEFT OUTER JOIN dashboard d on da.dashboard_id = d.id`
dashfolders: fixes #10671. Allow Editors default access to Root. Editors should be able to create dashboards in root and should be able to create folders. They cannot administrate permissions though and these dashboards and folders will get the default permissions. 2018-01-31 23:43:21 +08:00			WHERE dashboard_id ` + dashboardFilter + ` AND da.org_id = ?

Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions 2018-02-05 21:28:24 +08:00			`-- Also include default permissions if folder or dashboard field "has_acl" is false`
dashfolders: fixes #10671. Allow Editors default access to Root. Editors should be able to create dashboards in root and should be able to create folders. They cannot administrate permissions though and these dashboards and folders will get the default permissions. 2018-01-31 23:43:21 +08:00
			`UNION`
			`SELECT`
			`da.id,`
			`da.org_id,`
			`da.dashboard_id,`
			`da.user_id,`
			`da.team_id,`
			`da.permission,`
			`da.role,`
			`da.created,`
			`da.updated,`
			`'' as user_login,`
			`'' as user_email,`
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions 2018-02-05 21:28:24 +08:00			`'' as team,`
			`folder.title,`
			`folder.slug,`
			`folder.uid,`
			`folder.is_folder`
			`FROM dashboard_acl as da,`
dashfolders: fixes #10671. Allow Editors default access to Root. Editors should be able to create dashboards in root and should be able to create folders. They cannot administrate permissions though and these dashboards and folders will get the default permissions. 2018-01-31 23:43:21 +08:00			`dashboard as dash`
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions 2018-02-05 21:28:24 +08:00			`LEFT OUTER JOIN dashboard folder on dash.folder_id = folder.id`
dashfolders: fixes #10671. Allow Editors default access to Root. Editors should be able to create dashboards in root and should be able to create folders. They cannot administrate permissions though and these dashboards and folders will get the default permissions. 2018-01-31 23:43:21 +08:00			`WHERE`
			`dash.id = ? AND (`
			dash.has_acl = ` + dialect.BooleanStr(false) + ` or
			folder.has_acl = ` + dialect.BooleanStr(false) + `
			`) AND`
			`da.dashboard_id = -1`
			`ORDER BY 1 ASC`
			`

			`query.Result = make([]*m.DashboardAclInfoDTO, 0)`
			`err = x.SQL(rawSQL, query.OrgId, query.DashboardId).Find(&query.Result)`
			`}`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00
WIP: Permission Type as string in permission query 2017-06-08 16:39:17 +08:00			`for _, p := range query.Result {`
dashboard acl work 2017-06-22 02:11:16 +08:00			`p.PermissionName = p.Permission.String()`
WIP: Permission Type as string in permission query 2017-06-08 16:39:17 +08:00			`}`

WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`return err`
WIP: Add or update Dashboard ACL SQL Integration Tests for the guardian class too. 2017-04-29 03:22:53 +08:00			`}`