grafana/pkg/registry/apis/folders/sub_access.go

package folders

import (
	"context"
	"net/http"

	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apiserver/pkg/registry/rest"

	folders "github.com/grafana/grafana/apps/folder/pkg/apis/folder/v1beta1"
	"github.com/grafana/grafana/pkg/apimachinery/identity"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"
	"github.com/grafana/grafana/pkg/services/dashboards"
	"github.com/grafana/grafana/pkg/services/folder"
)

type subAccessREST struct {
	service folder.Service
	ac      accesscontrol.AccessControl
}

var _ = rest.Connecter(&subAccessREST{})
var _ = rest.StorageMetadata(&subAccessREST{})

func (r *subAccessREST) New() runtime.Object {
	return &folders.FolderAccessInfo{}
}

func (r *subAccessREST) Destroy() {
}

func (r *subAccessREST) ConnectMethods() []string {
	return []string{"GET"}
}

func (r *subAccessREST) ProducesMIMETypes(verb string) []string {
	return nil
}

func (r *subAccessREST) ProducesObject(verb string) interface{} {
	return &folders.FolderAccessInfo{}
}

func (r *subAccessREST) NewConnectOptions() (runtime.Object, bool, string) {
	return nil, false, "" // true means you can use the trailing path as a variable
}

func (r *subAccessREST) Connect(ctx context.Context, name string, opts runtime.Object, responder rest.Responder) (http.Handler, error) {
	ns, err := request.NamespaceInfoFrom(ctx, true)
	if err != nil {
		return nil, err
	}
	user, err := identity.GetRequester(ctx)
	if err != nil {
		return nil, err
	}

	// Can view is managed here (and in the Authorizer)
	f, err := r.service.Get(ctx, &folder.GetFolderQuery{
		UID:          &name,
		OrgID:        ns.OrgID,
		SignedInUser: user,
	})
	if err != nil {
		return nil, err
	}

	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		access := &folders.FolderAccessInfo{}
		canEditEvaluator := accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(f.UID))
		access.CanEdit, _ = r.ac.Evaluate(ctx, user, canEditEvaluator)
		access.CanSave = access.CanEdit
		canAdminEvaluator := accesscontrol.EvalAll(
			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(f.UID)),
			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(f.UID)),
		)
		access.CanAdmin, _ = r.ac.Evaluate(ctx, user, canAdminEvaluator)
		canDeleteEvaluator := accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(f.UID))
		access.CanDelete, _ = r.ac.Evaluate(ctx, user, canDeleteEvaluator)
		responder.Object(http.StatusOK, access)
	}), nil
}
K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00			`package folders`

			`import (`
			`"context"`
			`"net/http"`

			`"k8s.io/apimachinery/pkg/runtime"`
			`"k8s.io/apiserver/pkg/registry/rest"`

K8s/Folders: Use v1beta1 and app-sdk based spec (#103975) 2025-04-15 04:20:10 +08:00			`folders "github.com/grafana/grafana/apps/folder/pkg/apis/folder/v1beta1"`
K8s: Improve identity mapping setup (#89450) 2024-06-20 22:53:07 +08:00			`"github.com/grafana/grafana/pkg/apimachinery/identity"`
RBAC: Remove folder guardians part 2 (#104645) * replace usage of folder guardians with access control evaluators * remove NewByFolderUID guardian * bring up to date * fix test * more test fixes, and don't fetch the folder before evaluating lib element access * change what error is returned * fix alerting test * try to fix linter errors * replace the use of newByFolder guardian with direct access control evaluator checks * remove newByFolder guardian * remove unintentional changes * remove unintentional changes * undo unwanted change 2025-05-17 05:25:07 +08:00			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00			`"github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"`
RBAC: Remove folder guardians part 2 (#104645) * replace usage of folder guardians with access control evaluators * remove NewByFolderUID guardian * bring up to date * fix test * more test fixes, and don't fetch the folder before evaluating lib element access * change what error is returned * fix alerting test * try to fix linter errors * replace the use of newByFolder guardian with direct access control evaluator checks * remove newByFolder guardian * remove unintentional changes * remove unintentional changes * undo unwanted change 2025-05-17 05:25:07 +08:00			`"github.com/grafana/grafana/pkg/services/dashboards"`
K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00			`"github.com/grafana/grafana/pkg/services/folder"`
			`)`

			`type subAccessREST struct {`
			`service folder.Service`
RBAC: Remove folder guardians part 2 (#104645) * replace usage of folder guardians with access control evaluators * remove NewByFolderUID guardian * bring up to date * fix test * more test fixes, and don't fetch the folder before evaluating lib element access * change what error is returned * fix alerting test * try to fix linter errors * replace the use of newByFolder guardian with direct access control evaluator checks * remove newByFolder guardian * remove unintentional changes * remove unintentional changes * undo unwanted change 2025-05-17 05:25:07 +08:00			`ac accesscontrol.AccessControl`
K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00			`}`

			`var _ = rest.Connecter(&subAccessREST{})`
K8s: improve openapi generation (#83796) 2024-03-02 06:26:04 +08:00			`var _ = rest.StorageMetadata(&subAccessREST{})`
K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00
			`func (r *subAccessREST) New() runtime.Object {`
K8s: Folders: Add v1 api (#103842) 2025-04-11 20:09:52 +08:00			`return &folders.FolderAccessInfo{}`
K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00			`}`

			`func (r *subAccessREST) Destroy() {`
			`}`

			`func (r *subAccessREST) ConnectMethods() []string {`
			`return []string{"GET"}`
			`}`

K8s: improve openapi generation (#83796) 2024-03-02 06:26:04 +08:00			`func (r *subAccessREST) ProducesMIMETypes(verb string) []string {`
			`return nil`
			`}`

			`func (r *subAccessREST) ProducesObject(verb string) interface{} {`
K8s: Folders: Add v1 api (#103842) 2025-04-11 20:09:52 +08:00			`return &folders.FolderAccessInfo{}`
K8s: improve openapi generation (#83796) 2024-03-02 06:26:04 +08:00			`}`

K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00			`func (r *subAccessREST) NewConnectOptions() (runtime.Object, bool, string) {`
			`return nil, false, "" // true means you can use the trailing path as a variable`
			`}`

			`func (r *subAccessREST) Connect(ctx context.Context, name string, opts runtime.Object, responder rest.Responder) (http.Handler, error) {`
			`ns, err := request.NamespaceInfoFrom(ctx, true)`
			`if err != nil {`
			`return nil, err`
			`}`
K8s: Improve identity mapping setup (#89450) 2024-06-20 22:53:07 +08:00			`user, err := identity.GetRequester(ctx)`
K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00			`if err != nil {`
			`return nil, err`
			`}`
Team: Add sub resource and api for team members (#92492) * Add team members as a sub resource * Fix and clean up pagination for teams * Fix and clean up pagination for users * Fix and clean up pagination for service accounts * Update snapshots 2024-08-28 16:30:23 +08:00
K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00			`// Can view is managed here (and in the Authorizer)`
			`f, err := r.service.Get(ctx, &folder.GetFolderQuery{`
			`UID: &name,`
			`OrgID: ns.OrgID,`
			`SignedInUser: user,`
			`})`
			`if err != nil {`
			`return nil, err`
			`}`

			`return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {`
K8s: Folders: Add v1 api (#103842) 2025-04-11 20:09:52 +08:00			`access := &folders.FolderAccessInfo{}`
Folders: Correctly resolve nested folder breadcrumbs (#106344) correctly use UID scope instead of ID based scope 2025-06-05 17:02:07 +08:00			`canEditEvaluator := accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(f.UID))`
RBAC: Remove folder guardians part 2 (#104645) * replace usage of folder guardians with access control evaluators * remove NewByFolderUID guardian * bring up to date * fix test * more test fixes, and don't fetch the folder before evaluating lib element access * change what error is returned * fix alerting test * try to fix linter errors * replace the use of newByFolder guardian with direct access control evaluator checks * remove newByFolder guardian * remove unintentional changes * remove unintentional changes * undo unwanted change 2025-05-17 05:25:07 +08:00			`access.CanEdit, _ = r.ac.Evaluate(ctx, user, canEditEvaluator)`
			`access.CanSave = access.CanEdit`
			`canAdminEvaluator := accesscontrol.EvalAll(`
			`accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(f.UID)),`
			`accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(f.UID)),`
			`)`
			`access.CanAdmin, _ = r.ac.Evaluate(ctx, user, canAdminEvaluator)`
Folders: Correctly resolve nested folder breadcrumbs (#106344) correctly use UID scope instead of ID based scope 2025-06-05 17:02:07 +08:00			`canDeleteEvaluator := accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(f.UID))`
RBAC: Remove folder guardians part 2 (#104645) * replace usage of folder guardians with access control evaluators * remove NewByFolderUID guardian * bring up to date * fix test * more test fixes, and don't fetch the folder before evaluating lib element access * change what error is returned * fix alerting test * try to fix linter errors * replace the use of newByFolder guardian with direct access control evaluator checks * remove newByFolder guardian * remove unintentional changes * remove unintentional changes * undo unwanted change 2025-05-17 05:25:07 +08:00			`access.CanDelete, _ = r.ac.Evaluate(ctx, user, canDeleteEvaluator)`
K8s/Folders: Add all features to k8s endpoints (#81858) 2024-02-06 23:09:40 +08:00			`responder.Object(http.StatusOK, access)`
			`}), nil`
			`}`