root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 139 Packages Projects Releases Wiki Activity
grafana/pkg/api/dashboard_permission.go

326 lines
9.1 KiB
Go
Raw Normal View History

WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard.
2017-05-08 21:35:34 +08:00
package api
import (
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
"context"
Chore: Handle wrapped errors (#29223) * Chore: Handle wrapped errors Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2020-11-19 20:34:28 +08:00
"errors"
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
2021-11-29 17:18:01 +08:00
"net/http"
Remove Macaron ParamsInt64 function from code base (#43810) * draft commit * change all calls * Compilation errors
2022-01-15 00:55:57 +08:00
"strconv"
dashboard acl work
2017-06-22 07:02:03 +08:00
"time"
"github.com/grafana/grafana/pkg/api/dtos"
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
"github.com/grafana/grafana/pkg/api/response"
Chore: Avoid aliasing importing models in api package (#22492)
2020-03-04 19:57:20 +08:00
"github.com/grafana/grafana/pkg/models"
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
"github.com/grafana/grafana/pkg/services/accesscontrol"
Chore: Remove dashboards from models pkg (#61578) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint * Chore: Remove dashboards models * Remove dashboards from models pkg * Fix lint in tests * Fix lint in tests 2 * Fix for import in auth * Remove newline * Revert unused fix
2023-01-18 20:52:41 +08:00
"github.com/grafana/grafana/pkg/services/dashboards"
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard.
2017-05-08 21:35:34 +08:00
"github.com/grafana/grafana/pkg/services/guardian"
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
2021-11-29 17:18:01 +08:00
"github.com/grafana/grafana/pkg/web"
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard.
2017-05-08 21:35:34 +08:00
)
Chore: Move swagger definitions to the handlers (#52643)
2022-07-27 21:54:37 +08:00
// swagger:route GET /dashboards/uid/{uid}/permissions dashboard_permissions getDashboardPermissionsListByUID
//
// Gets all existing permissions for the given dashboard.
//
// Responses:
// 200: getDashboardPermissionsListResponse
// 401: unauthorisedError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
// swagger:route GET /dashboards/id/{DashboardID}/permissions dashboard_permissions getDashboardPermissionsListByID
//
// Gets all existing permissions for the given dashboard.
//
// Please refer to [updated API](#/dashboard_permissions/getDashboardPermissionsListByUID) instead
//
// Deprecated: true
//
// Responses:
// 200: getDashboardPermissionsListResponse
// 401: unauthorisedError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
func (hs *HTTPServer) GetDashboardPermissionList(c *models.ReqContext) response.Response {
Add endpoint with UID for dashboard permissions (#47753) * Replace sequential IDs with UID for dashboard permossion * Add back endpoint with id * Rename parameter from dashboarUid->uid and add swagger definitions for endpoints * Generate swagger json * Add deprecated to swagger and docs * Add deprecated comment in the api.go * Add model for POST body * Fix model post body for endpoint * Generate spec with enterprise
2022-04-21 22:24:03 +08:00
var dashID int64
var err error
dashUID := web.Params(c.Req)[":uid"]
if dashUID == "" {
dashID, err = strconv.ParseInt(web.Params(c.Req)[":dashboardId"], 10, 64)
if err != nil {
return response.Error(http.StatusBadRequest, "dashboardId is invalid", err)
}
Remove Macaron ParamsInt64 function from code base (#43810) * draft commit * change all calls * Compilation errors
2022-01-15 00:55:57 +08:00
}
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard.
2017-05-08 21:35:34 +08:00
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 19:28:55 +08:00
dash, rsp := hs.getDashboardHelper(c.Req.Context(), c.OrgID, dashID, dashUID)
dashboard: always make sure dashboard exist in dashboard acl http api (#10856)
2018-02-12 16:26:09 +08:00
if rsp != nil {
return rsp
}
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 22:34:17 +08:00
g, err := guardian.NewByDashboard(c.Req.Context(), dash, c.OrgID, c.SignedInUser)
if err != nil {
return response.Err(err)
Add endpoint with UID for dashboard permissions (#47753) * Replace sequential IDs with UID for dashboard permossion * Add back endpoint with id * Rename parameter from dashboarUid->uid and add swagger definitions for endpoints * Generate swagger json * Add deprecated to swagger and docs * Add deprecated comment in the api.go * Add model for POST body * Fix model post body for endpoint * Generate spec with enterprise
2022-04-21 22:24:03 +08:00
}
dashboards: handle new guardian error responses and update tests Using a mocked guardian instead and relies on the actual guardian tests for verifying permission handling correctness
2018-02-27 03:15:57 +08:00
if canAdmin, err := g.CanAdmin(); err != nil || !canAdmin {
dashboard guardian refactoring starting to work
2017-06-20 01:47:44 +08:00
return dashboardGuardianResponse(err)
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard.
2017-05-08 21:35:34 +08:00
}
Permissions: Fix inherited folder permissions can prevent new permissions being added to a dashboard (#33329) In the case permissions has been added on dashboard(s). Later permissions for the parent folder of the dashboard is edited in such a way that dashboard in that folder has a permission that is a duplicate of an inherited one. This PR changes so that duplicate permissions are now filtered out from /api/dashboards/id/<dashboard id>/permissions. Duplicate permission are not filtered out if the permission on dashboard is higher than on the inherited folder. Fixes #33296 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-04-28 20:42:18 +08:00
acl, err := g.GetACLWithoutDuplicates()
acl fixes
2017-06-23 05:10:43 +08:00
if err != nil {
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
return response.Error(500, "Failed to get dashboard permissions", err)
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard.
2017-05-08 21:35:34 +08:00
}
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
filteredACLs := make([]*dashboards.DashboardACLInfoDTO, 0, len(acl))
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions
2018-02-05 21:28:24 +08:00
for _, perm := range acl {
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
if perm.UserID > 0 && dtos.IsHiddenUser(perm.UserLogin, c.SignedInUser, hs.Cfg) {
Add an option to hide certain users in the UI (#28942) * Add an option to hide certain users in the UI * revert changes for admin users routes * fix sqlstore function name * Improve slice management Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Hidden users: convert slice to map * filter with user logins instead of IDs * put HiddenUsers in Cfg struct * hide hidden users from dashboards/folders permissions list * Update conf/defaults.ini Co-authored-by: Torkel Ödegaard <torkel@grafana.com> * fix params order * fix tests * fix dashboard/folder update with hidden user * add team tests * add dashboard and folder permissions tests * fixes after merge * fix tests * API: add test for org users endpoints * update hidden users management for dashboard / folder permissions * improve dashboard / folder permissions tests * fixes after merge * Guardian: add hidden acl tests * API: add team members tests * fix team sql syntax for postgres * api tests update * fix linter error * fix tests errors after merge Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Torkel Ödegaard <torkel@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>
2020-11-24 19:10:32 +08:00
continue
}
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
perm.UserAvatarURL = dtos.GetGravatarUrl(perm.UserEmail)
permission: generate team avatar url with default
2018-04-04 21:50:45 +08:00
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
if perm.TeamID > 0 {
perm.TeamAvatarURL = dtos.GetGravatarUrlWithDefault(perm.TeamEmail, perm.Team)
permission: generate team avatar url with default
2018-04-04 21:50:45 +08:00
}
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions
2018-02-05 21:28:24 +08:00
if perm.Slug != "" {
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
perm.URL = dashboards.GetDashboardFolderURL(perm.IsFolder, perm.UID, perm.Slug)
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions
2018-02-05 21:28:24 +08:00
}
Add an option to hide certain users in the UI (#28942) * Add an option to hide certain users in the UI * revert changes for admin users routes * fix sqlstore function name * Improve slice management Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Hidden users: convert slice to map * filter with user logins instead of IDs * put HiddenUsers in Cfg struct * hide hidden users from dashboards/folders permissions list * Update conf/defaults.ini Co-authored-by: Torkel Ödegaard <torkel@grafana.com> * fix params order * fix tests * fix dashboard/folder update with hidden user * add team tests * add dashboard and folder permissions tests * fixes after merge * fix tests * API: add test for org users endpoints * update hidden users management for dashboard / folder permissions * improve dashboard / folder permissions tests * fixes after merge * Guardian: add hidden acl tests * API: add team members tests * fix team sql syntax for postgres * api tests update * fix linter error * fix tests errors after merge Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Torkel Ödegaard <torkel@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>
2020-11-24 19:10:32 +08:00
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 21:14:58 +08:00
filteredACLs = append(filteredACLs, perm)
Stale permissions (#10768) * dashfolders: hide permissions in settings if folder has changed and the dashboard has not been saved yet. Otherwise the use will see stale permissions from the original folder. * dashfolders: return folder url for inherited permissions
2018-02-05 21:28:24 +08:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 21:14:58 +08:00
return response.JSON(http.StatusOK, filteredACLs)
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard.
2017-05-08 21:35:34 +08:00
}
WIP: delete permission in API
2017-05-22 16:36:47 +08:00
Chore: Move swagger definitions to the handlers (#52643)
2022-07-27 21:54:37 +08:00
// swagger:route POST /dashboards/uid/{uid}/permissions dashboard_permissions updateDashboardPermissionsByUID
//
// Updates permissions for a dashboard.
//
// This operation will remove existing permissions if theyre not included in the request.
//
// Responses:
// 200: okResponse
// 400: badRequestError
// 401: unauthorisedError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
// swagger:route POST /dashboards/id/{DashboardID}/permissions dashboard_permissions updateDashboardPermissionsByID
//
// Updates permissions for a dashboard.
//
// Please refer to [updated API](#/dashboard_permissions/updateDashboardPermissionsByUID) instead
//
// This operation will remove existing permissions if theyre not included in the request.
//
// Deprecated: true
//
// Responses:
// 200: okResponse
// 400: badRequestError
// 401: unauthorisedError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
2021-11-29 17:18:01 +08:00
func (hs *HTTPServer) UpdateDashboardPermissions(c *models.ReqContext) response.Response {
Add endpoint with UID for dashboard permissions (#47753) * Replace sequential IDs with UID for dashboard permossion * Add back endpoint with id * Rename parameter from dashboarUid->uid and add swagger definitions for endpoints * Generate swagger json * Add deprecated to swagger and docs * Add deprecated comment in the api.go * Add model for POST body * Fix model post body for endpoint * Generate spec with enterprise
2022-04-21 22:24:03 +08:00
var dashID int64
var err error
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 21:14:58 +08:00
apiCmd := dtos.UpdateDashboardACLCommand{}
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
2021-11-29 17:18:01 +08:00
if err := web.Bind(c.Req, &apiCmd); err != nil {
return response.Error(http.StatusBadRequest, "bad request data", err)
}
Permissions: Validate against Team/User permission role update (#29101) * validate against role field update * lowercase error string * make all msgs consistent style * fix wording Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * sayonara simple json Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-18 22:36:41 +08:00
if err := validatePermissionsUpdate(apiCmd); err != nil {
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
return response.Error(400, err.Error(), err)
Permissions: Validate against Team/User permission role update (#29101) * validate against role field update * lowercase error string * make all msgs consistent style * fix wording Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * sayonara simple json Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-18 22:36:41 +08:00
}
Add endpoint with UID for dashboard permissions (#47753) * Replace sequential IDs with UID for dashboard permossion * Add back endpoint with id * Rename parameter from dashboarUid->uid and add swagger definitions for endpoints * Generate swagger json * Add deprecated to swagger and docs * Add deprecated comment in the api.go * Add model for POST body * Fix model post body for endpoint * Generate spec with enterprise
2022-04-21 22:24:03 +08:00
dashUID := web.Params(c.Req)[":uid"]
if dashUID == "" {
dashID, err = strconv.ParseInt(web.Params(c.Req)[":dashboardId"], 10, 64)
if err != nil {
return response.Error(http.StatusBadRequest, "dashboardId is invalid", err)
}
Remove Macaron ParamsInt64 function from code base (#43810) * draft commit * change all calls * Compilation errors
2022-01-15 00:55:57 +08:00
}
dashboard guardian refactoring starting to work
2017-06-20 01:47:44 +08:00
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 19:28:55 +08:00
dash, rsp := hs.getDashboardHelper(c.Req.Context(), c.OrgID, dashID, dashUID)
dashboard: always make sure dashboard exist in dashboard acl http api (#10856)
2018-02-12 16:26:09 +08:00
if rsp != nil {
return rsp
}
Guardian: Introduce additional constructors (#59577) * Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
2022-12-15 22:34:17 +08:00
g, err := guardian.NewByDashboard(c.Req.Context(), dash, c.OrgID, c.SignedInUser)
if err != nil {
return response.Err(err)
Add endpoint with UID for dashboard permissions (#47753) * Replace sequential IDs with UID for dashboard permossion * Add back endpoint with id * Rename parameter from dashboarUid->uid and add swagger definitions for endpoints * Generate swagger json * Add deprecated to swagger and docs * Add deprecated comment in the api.go * Add model for POST body * Fix model post body for endpoint * Generate spec with enterprise
2022-04-21 22:24:03 +08:00
}
dashboards: handle new guardian error responses and update tests Using a mocked guardian instead and relies on the actual guardian tests for verifying permission handling correctness
2018-02-27 03:15:57 +08:00
if canAdmin, err := g.CanAdmin(); err != nil || !canAdmin {
dashboard guardian refactoring starting to work
2017-06-20 01:47:44 +08:00
return dashboardGuardianResponse(err)
}
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
items := make([]*dashboards.DashboardACL, 0, len(apiCmd.Items))
dashboard acl work
2017-06-22 07:02:03 +08:00
for _, item := range apiCmd.Items {
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
items = append(items, &dashboards.DashboardACL{
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 19:28:55 +08:00
OrgID: c.OrgID,
Backend: Rename variables for style conformance (#29097) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-18 00:09:14 +08:00
DashboardID: dashID,
UserID: item.UserID,
TeamID: item.TeamID,
dashboard acl work
2017-06-22 07:02:03 +08:00
Role: item.Role,
Permission: item.Permission,
Created: time.Now(),
Updated: time.Now(),
})
}
Add an option to hide certain users in the UI (#28942) * Add an option to hide certain users in the UI * revert changes for admin users routes * fix sqlstore function name * Improve slice management Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Hidden users: convert slice to map * filter with user logins instead of IDs * put HiddenUsers in Cfg struct * hide hidden users from dashboards/folders permissions list * Update conf/defaults.ini Co-authored-by: Torkel Ödegaard <torkel@grafana.com> * fix params order * fix tests * fix dashboard/folder update with hidden user * add team tests * add dashboard and folder permissions tests * fixes after merge * fix tests * API: add test for org users endpoints * update hidden users management for dashboard / folder permissions * improve dashboard / folder permissions tests * fixes after merge * Guardian: add hidden acl tests * API: add team members tests * fix team sql syntax for postgres * api tests update * fix linter error * fix tests errors after merge Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Torkel Ödegaard <torkel@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>
2020-11-24 19:10:32 +08:00
hiddenACL, err := g.GetHiddenACL(hs.Cfg)
if err != nil {
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
return response.Error(500, "Error while retrieving hidden permissions", err)
Add an option to hide certain users in the UI (#28942) * Add an option to hide certain users in the UI * revert changes for admin users routes * fix sqlstore function name * Improve slice management Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Hidden users: convert slice to map * filter with user logins instead of IDs * put HiddenUsers in Cfg struct * hide hidden users from dashboards/folders permissions list * Update conf/defaults.ini Co-authored-by: Torkel Ödegaard <torkel@grafana.com> * fix params order * fix tests * fix dashboard/folder update with hidden user * add team tests * add dashboard and folder permissions tests * fixes after merge * fix tests * API: add test for org users endpoints * update hidden users management for dashboard / folder permissions * improve dashboard / folder permissions tests * fixes after merge * Guardian: add hidden acl tests * API: add team members tests * fix team sql syntax for postgres * api tests update * fix linter error * fix tests errors after merge Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Torkel Ödegaard <torkel@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>
2020-11-24 19:10:32 +08:00
}
PluginManager: Make Plugins, Renderer and DataSources non-global (#31866) * PluginManager: Make Plugins and DataSources non-global Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Replace outdated command Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix build Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove FocusConvey Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Undo interface changes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Backend: Move tsdbifaces.RequestHandler to plugins.DataRequestHandler Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Rename to DataSourceCount Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Consolidate dashboard interfaces into one Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix dashboard integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-03-17 23:06:10 +08:00
items = append(items, hiddenACL...)
Add an option to hide certain users in the UI (#28942) * Add an option to hide certain users in the UI * revert changes for admin users routes * fix sqlstore function name * Improve slice management Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Hidden users: convert slice to map * filter with user logins instead of IDs * put HiddenUsers in Cfg struct * hide hidden users from dashboards/folders permissions list * Update conf/defaults.ini Co-authored-by: Torkel Ödegaard <torkel@grafana.com> * fix params order * fix tests * fix dashboard/folder update with hidden user * add team tests * add dashboard and folder permissions tests * fixes after merge * fix tests * API: add test for org users endpoints * update hidden users management for dashboard / folder permissions * improve dashboard / folder permissions tests * fixes after merge * Guardian: add hidden acl tests * API: add team members tests * fix team sql syntax for postgres * api tests update * fix linter error * fix tests errors after merge Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Torkel Ödegaard <torkel@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com>
2020-11-24 19:10:32 +08:00
PluginManager: Make Plugins, Renderer and DataSources non-global (#31866) * PluginManager: Make Plugins and DataSources non-global Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Replace outdated command Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix build Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove FocusConvey Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Undo interface changes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Backend: Move tsdbifaces.RequestHandler to plugins.DataRequestHandler Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Rename to DataSourceCount Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Consolidate dashboard interfaces into one Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix dashboard integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-03-17 23:06:10 +08:00
if okToUpdate, err := g.CheckPermissionBeforeUpdate(models.PERMISSION_ADMIN, items); err != nil || !okToUpdate {
dashfolders: stop user locking themselves out of a folder
2018-01-18 21:30:04 +08:00
if err != nil {
Chore: Handle wrapped errors (#29223) * Chore: Handle wrapped errors Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2020-11-19 20:34:28 +08:00
if errors.Is(err, guardian.ErrGuardianPermissionExists) || errors.Is(err, guardian.ErrGuardianOverride) {
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
return response.Error(400, err.Error(), err)
dashboards: handle new guardian error responses and update tests Using a mocked guardian instead and relies on the actual guardian tests for verifying permission handling correctness
2018-02-27 03:15:57 +08:00
}
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
return response.Error(500, "Error while checking dashboard permissions", err)
dashfolders: stop user locking themselves out of a folder
2018-01-18 21:30:04 +08:00
}
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
return response.Error(403, "Cannot remove own admin permission for a folder", nil)
dashfolders: stop user locking themselves out of a folder
2018-01-18 21:30:04 +08:00
}
Access control: refactor RBAC checks (#48107) * refactor RBAC checks * fix a test * another test fix * and another
2022-04-25 16:42:09 +08:00
if !hs.AccessControl.IsDisabled() {
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 21:14:58 +08:00
old, err := g.GetACL()
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
if err != nil {
return response.Error(500, "Error while checking dashboard permissions", err)
}
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 23:33:55 +08:00
if err := hs.updateDashboardAccessControl(c.Req.Context(), dash.OrgID, dash.UID, false, items, old); err != nil {
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
return response.Error(500, "Failed to update permissions", err)
}
return response.Success("Dashboard permissions updated")
}
Public Dashboards: Query Caching (#51403) * passes id and uid to PublicDashboardDatasource * betterer results * If for a public dashboard, return the PublicDashboardDataSource first or else getDatasourceSrv.get() will fail bc of no authed user. Added some unit tests for resolving the uid from the many possible datasource types. * updates betterer * Exports DashboardService. Adds method to DashboardService to build anonymous user for use with public dashboards where there is no authed user. Adds method on dashboard_queries to get all dashboard uids from a dashboard. * refactors to get unique datasource uids * Adds tests for getting all unique datasource uids off a dashboard * adds test for building anonymous user with read and query actions that are scoped to each datasource uid in the dashboard * updates casing of DashboardService * updates test case to have additional panel with a different datasource * gives default interval to public dashboard data source
2022-07-07 02:42:39 +08:00
if err := hs.DashboardService.UpdateDashboardACL(c.Req.Context(), dashID, items); err != nil {
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 21:14:58 +08:00
if errors.Is(err, models.ErrDashboardACLInfoMissing) ||
Chore: Handle wrapped errors (#29223) * Chore: Handle wrapped errors Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2020-11-19 20:34:28 +08:00
errors.Is(err, models.ErrDashboardPermissionDashboardEmpty) {
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
return response.Error(409, err.Error(), err)
WIP: API - add dash permission
2017-06-10 03:56:13 +08:00
}
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
return response.Error(500, "Failed to create permission", err)
WIP: API - add dash permission
2017-06-10 03:56:13 +08:00
}
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-15 21:43:20 +08:00
return response.Success("Dashboard permissions updated")
WIP: API - add dash permission
2017-06-10 03:56:13 +08:00
}
Permissions: Validate against Team/User permission role update (#29101) * validate against role field update * lowercase error string * make all msgs consistent style * fix wording Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * sayonara simple json Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-18 22:36:41 +08:00
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
// updateDashboardAccessControl is used for api backward compatibility
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
func (hs *HTTPServer) updateDashboardAccessControl(ctx context.Context, orgID int64, uid string, isFolder bool, items []*dashboards.DashboardACL, old []*dashboards.DashboardACLInfoDTO) error {
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
commands := []accesscontrol.SetResourcePermissionCommand{}
for _, item := range items {
permissions := item.Permission.String()
role := ""
if item.Role != nil {
role = string(*item.Role)
}
commands = append(commands, accesscontrol.SetResourcePermissionCommand{
UserID: item.UserID,
TeamID: item.TeamID,
BuiltinRole: role,
Permission: permissions,
})
}
for _, o := range old {
shouldRemove := true
for _, item := range items {
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
if item.UserID != 0 && item.UserID == o.UserID {
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
shouldRemove = false
break
}
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
if item.TeamID != 0 && item.TeamID == o.TeamID {
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
shouldRemove = false
break
}
if item.Role != nil && o.Role != nil && *item.Role == *o.Role {
shouldRemove = false
break
}
}
if shouldRemove {
role := ""
if o.Role != nil {
role = string(*o.Role)
}
commands = append(commands, accesscontrol.SetResourcePermissionCommand{
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
UserID: o.UserID,
TeamID: o.TeamID,
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
BuiltinRole: role,
Permission: "",
})
}
}
if isFolder {
AccessControl: Create own interface and impl for each permission service (#48871) * Create own interfaces for team, folder, dashboard and data source permissions services * Remove service container and inject them individually
2022-05-10 21:48:47 +08:00
if _, err := hs.folderPermissionsService.SetPermissions(ctx, orgID, uid, commands...); err != nil {
return err
}
return nil
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
}
AccessControl: Create own interface and impl for each permission service (#48871) * Create own interfaces for team, folder, dashboard and data source permissions services * Remove service container and inject them individually
2022-05-10 21:48:47 +08:00
if _, err := hs.dashboardPermissionsService.SetPermissions(ctx, orgID, uid, commands...); err != nil {
return err
}
return nil
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-03-03 22:05:47 +08:00
}
Rename Acl to ACL (#52342) * Rename Acl to ACL * Fix yaml files * Add xorm tags and fix test
2022-07-18 21:14:58 +08:00
func validatePermissionsUpdate(apiCmd dtos.UpdateDashboardACLCommand) error {
Permissions: Validate against Team/User permission role update (#29101) * validate against role field update * lowercase error string * make all msgs consistent style * fix wording Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * sayonara simple json Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-18 22:36:41 +08:00
for _, item := range apiCmd.Items {
Forbid creation of dashboard permissions with both a user and a team (#40104) These permissions could be created through the API but would not show correctly in the UI.
2021-10-14 02:16:58 +08:00
if item.UserID > 0 && item.TeamID > 0 {
return models.ErrPermissionsWithUserAndTeamNotAllowed
}
Backend: Fix build (#29206) * Backend: Fix build Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-18 23:16:58 +08:00
if (item.UserID > 0 || item.TeamID > 0) && item.Role != nil {
Permissions: Validate against Team/User permission role update (#29101) * validate against role field update * lowercase error string * make all msgs consistent style * fix wording Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * sayonara simple json Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-18 22:36:41 +08:00
return models.ErrPermissionsWithRoleNotAllowed
}
}
return nil
}
Chore: Move swagger definitions to the handlers (#52643)
2022-07-27 21:54:37 +08:00
// swagger:parameters getDashboardPermissionsListByUID
type GetDashboardPermissionsListByUIDParams struct {
// in:path
// required:true
UID string `json:"uid"`
}
// swagger:parameters getDashboardPermissionsListByID
type GetDashboardPermissionsListByIDParams struct {
// in:path
DashboardID int64
}
// swagger:parameters updateDashboardPermissionsByID
type UpdateDashboardPermissionsByIDParams struct {
// in:body
// required:true
Body dtos.UpdateDashboardACLCommand
// in:path
DashboardID int64
}
// swagger:parameters updateDashboardPermissionsByUID
type UpdateDashboardPermissionsByUIDParams struct {
// in:body
// required:true
Body dtos.UpdateDashboardACLCommand
// in:path
// required:true
// description: The dashboard UID
UID string `json:"uid"`
}
// swagger:response getDashboardPermissionsListResponse
type GetDashboardPermissionsResponse struct {
// in: body
Chore: Remove dashboard ACL from models (#61749) * Remove dashboard ACL from models * Remove unused comment
2023-01-20 21:58:47 +08:00
Body []*dashboards.DashboardACLInfoDTO `json:"body"`
Chore: Move swagger definitions to the handlers (#52643)
2022-07-27 21:54:37 +08:00
}