grafana/pkg/api/dashboard_acl_test.go

package api

import (
	"testing"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/components/simplejson"
	"github.com/grafana/grafana/pkg/models"

	. "github.com/smartystreets/goconvey/convey"
)

func TestDashboardAclApiEndpoint(t *testing.T) {
	Convey("Given a dashboard acl", t, func() {
		mockResult := []*models.DashboardAcl{
			{Id: 1, OrgId: 1, DashboardId: 1, UserId: 2, Permission: models.PERMISSION_EDIT},
			{Id: 2, OrgId: 1, DashboardId: 1, UserId: 3, Permission: models.PERMISSION_VIEW},
			{Id: 3, OrgId: 1, DashboardId: 1, UserGroupId: 1, Permission: models.PERMISSION_EDIT},
			{Id: 4, OrgId: 1, DashboardId: 1, UserGroupId: 2, Permission: models.PERMISSION_READ_ONLY_EDIT},
		}
		dtoRes := []*models.DashboardAclInfoDTO{
			{Id: 1, OrgId: 1, DashboardId: 1, UserId: 2, Permission: models.PERMISSION_EDIT},
			{Id: 2, OrgId: 1, DashboardId: 1, UserId: 3, Permission: models.PERMISSION_VIEW},
			{Id: 3, OrgId: 1, DashboardId: 1, UserGroupId: 1, Permission: models.PERMISSION_EDIT},
			{Id: 4, OrgId: 1, DashboardId: 1, UserGroupId: 2, Permission: models.PERMISSION_READ_ONLY_EDIT},
		}

		bus.AddHandler("test", func(query *models.GetDashboardAclInfoListQuery) error {
			query.Result = dtoRes
			return nil
		})

		bus.AddHandler("test", func(query *models.GetInheritedDashboardAclQuery) error {
			query.Result = mockResult
			return nil
		})

		userGroupResp := []*models.UserGroup{}
		bus.AddHandler("test", func(query *models.GetUserGroupsByUserQuery) error {
			query.Result = userGroupResp
			return nil
		})

		Convey("When user is org admin", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardsId/acl", models.ROLE_ADMIN, func(sc *scenarioContext) {
				Convey("Should be able to access ACL", func() {
					sc.handlerFunc = GetDashboardAclList
					sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 200)

					respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
					So(err, ShouldBeNil)
					So(respJSON.GetIndex(0).Get("userId").MustInt(), ShouldEqual, 2)
					So(respJSON.GetIndex(0).Get("permissions").MustInt(), ShouldEqual, models.PERMISSION_EDIT)
				})
			})
		})

		Convey("When user is editor and in the ACL", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {
				mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_EDIT})

				Convey("Should be able to access ACL", func() {
					sc.handlerFunc = GetDashboardAclList
					sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 200)
				})
			})

			loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {
				mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_EDIT})

				bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {
					return nil
				})

				Convey("Should be able to delete permission", func() {
					sc.handlerFunc = DeleteDashboardAcl
					sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 200)
				})
			})

			Convey("When user is a member of a user group in the ACL with edit permission", func() {
				loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardsId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {
					userGroupResp = append(userGroupResp, &models.UserGroup{Id: 1, OrgId: 1, Name: "UG1"})

					bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {
						return nil
					})

					Convey("Should be able to delete permission", func() {
						sc.handlerFunc = DeleteDashboardAcl
						sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()

						So(sc.resp.Code, ShouldEqual, 200)
					})
				})
			})
		})

		Convey("When user is editor and not in the ACL", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardsId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {

				Convey("Should not be able to access ACL", func() {
					sc.handlerFunc = GetDashboardAclList
					sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 403)
				})
			})

			loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/user/1", "/api/dashboards/id/:dashboardsId/acl/user/:userId", models.ROLE_EDITOR, func(sc *scenarioContext) {
				mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_VIEW})
				bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {
					return nil
				})

				Convey("Should be not be able to delete permission", func() {
					sc.handlerFunc = DeleteDashboardAcl
					sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 403)
				})
			})
		})
	})
}
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`package api`

			`import (`
			`"testing"`

			`"github.com/grafana/grafana/pkg/bus"`
			`"github.com/grafana/grafana/pkg/components/simplejson"`
			`"github.com/grafana/grafana/pkg/models"`

			`. "github.com/smartystreets/goconvey/convey"`
			`)`

			`func TestDashboardAclApiEndpoint(t *testing.T) {`
			`Convey("Given a dashboard acl", t, func() {`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`mockResult := []*models.DashboardAcl{`
dashboard acl work 2017-06-22 02:11:16 +08:00			`{Id: 1, OrgId: 1, DashboardId: 1, UserId: 2, Permission: models.PERMISSION_EDIT},`
			`{Id: 2, OrgId: 1, DashboardId: 1, UserId: 3, Permission: models.PERMISSION_VIEW},`
			`{Id: 3, OrgId: 1, DashboardId: 1, UserGroupId: 1, Permission: models.PERMISSION_EDIT},`
			`{Id: 4, OrgId: 1, DashboardId: 1, UserGroupId: 2, Permission: models.PERMISSION_READ_ONLY_EDIT},`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`}`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`dtoRes := []*models.DashboardAclInfoDTO{`
dashboard acl work 2017-06-22 02:11:16 +08:00			`{Id: 1, OrgId: 1, DashboardId: 1, UserId: 2, Permission: models.PERMISSION_EDIT},`
			`{Id: 2, OrgId: 1, DashboardId: 1, UserId: 3, Permission: models.PERMISSION_VIEW},`
			`{Id: 3, OrgId: 1, DashboardId: 1, UserGroupId: 1, Permission: models.PERMISSION_EDIT},`
			`{Id: 4, OrgId: 1, DashboardId: 1, UserGroupId: 2, Permission: models.PERMISSION_READ_ONLY_EDIT},`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`}`

refactoring more renaming 2017-06-20 05:30:54 +08:00			`bus.AddHandler("test", func(query *models.GetDashboardAclInfoListQuery) error {`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`query.Result = dtoRes`
			`return nil`
			`})`

			`bus.AddHandler("test", func(query *models.GetInheritedDashboardAclQuery) error {`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`query.Result = mockResult`
			`return nil`
			`})`

refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`userGroupResp := []*models.UserGroup{}`
WIP: add permission check for GetDashboard 2017-06-12 21:48:55 +08:00			`bus.AddHandler("test", func(query *models.GetUserGroupsByUserQuery) error {`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`query.Result = userGroupResp`
WIP: add permission check for GetDashboard 2017-06-12 21:48:55 +08:00			`return nil`
			`})`

WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`Convey("When user is org admin", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardsId/acl", models.ROLE_ADMIN, func(sc *scenarioContext) {`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`Convey("Should be able to access ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = GetDashboardAclList`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 200)`

			`respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())`
			`So(err, ShouldBeNil)`
			`So(respJSON.GetIndex(0).Get("userId").MustInt(), ShouldEqual, 2)`
refactoring dashoard folder guardian 2017-06-18 06:24:38 +08:00			`So(respJSON.GetIndex(0).Get("permissions").MustInt(), ShouldEqual, models.PERMISSION_EDIT)`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`})`
			`})`
			`})`

WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`Convey("When user is editor and in the ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {`
dashboard acl work 2017-06-22 02:11:16 +08:00			`mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_EDIT})`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`Convey("Should be able to access ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = GetDashboardAclList`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 200)`
			`})`
			`})`

folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {`
dashboard acl work 2017-06-22 02:11:16 +08:00			`mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_EDIT})`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00
refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`return nil`
			`})`

			`Convey("Should be able to delete permission", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = DeleteDashboardAcl`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 200)`
			`})`
			`})`

			`Convey("When user is a member of a user group in the ACL with edit permission", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardsId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`userGroupResp = append(userGroupResp, &models.UserGroup{Id: 1, OrgId: 1, Name: "UG1"})`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00
refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`return nil`
			`})`

			`Convey("Should be able to delete permission", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = DeleteDashboardAcl`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 200)`
			`})`
			`})`
			`})`
			`})`

			`Convey("When user is editor and not in the ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardsId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`Convey("Should not be able to access ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = GetDashboardAclList`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 403)`
			`})`
			`})`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/user/1", "/api/dashboards/id/:dashboardsId/acl/user/:userId", models.ROLE_EDITOR, func(sc *scenarioContext) {`
dashboard acl work 2017-06-22 02:11:16 +08:00			`mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_VIEW})`
refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`return nil`
			`})`

			`Convey("Should be not be able to delete permission", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = DeleteDashboardAcl`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 403)`
			`})`
			`})`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`})`
			`})`
			`}`