root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 21 Packages Projects Releases Wiki Activity

AccessControl: Allow plugin roles to include `plugins:write` (#101089)

This commit is contained in:
Gabriel MABILLE 2025-02-21 08:23:04 +01:00 committed by GitHub
parent 33eca9e6fb
commit 0290da6aaa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/services/accesscontrol/pluginutils/utils.go
View File

@ -12,6 +12,7 @@ import (
var (
allowedCoreActions = map[string]string{
"plugins:write": "plugins:id:",
"plugins.app:access": "plugins:id:",
"folders:create": "folders:uid:",
"folders:read": "folders:uid:",

23
pkg/services/accesscontrol/pluginutils/utils_test.go
View File

@ -172,6 +172,29 @@ func TestValidatePluginRole(t *testing.T) {
},
wantErr: &ac.ErrorInvalidRole{},
},
{
name: "valid core plugin permission targets plugin",
pluginID: "test-app",
role: ac.RoleDTO{
Name: "plugins:test-app:reader",
DisplayName: "Plugin Configurator",
Permissions: []ac.Permission{
{Action: "plugins:write", Scope: "plugins:id:test-app"},
},
},
},
{
name: "invalid core plugin permission targets other plugin",
pluginID: "test-app",
role: ac.RoleDTO{
Name: "plugins:test-app:reader",
DisplayName: "Plugin Configurator",
Permissions: []ac.Permission{
{Action: "plugins:write", Scope: "plugins:id:other-app"},
},
},
wantErr: &ac.ErrorInvalidRole{},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {