AccessControl: Clear user permission cache for update org user role (#62745)

* clear user permission cache for update org user role

* check enabled state of ac
pull/62878/head
Jo 2 years ago committed by GitHub
parent 6840cc11ff
commit 12d192d80e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 13
      pkg/api/org_users.go
  2. 2
      pkg/api/org_users_test.go

@ -381,16 +381,23 @@ func (hs *HTTPServer) UpdateOrgUser(c *contextmodel.ReqContext) response.Respons
func (hs *HTTPServer) updateOrgUserHelper(c *contextmodel.ReqContext, cmd org.UpdateOrgUserCommand) response.Response { func (hs *HTTPServer) updateOrgUserHelper(c *contextmodel.ReqContext, cmd org.UpdateOrgUserCommand) response.Response {
if !cmd.Role.IsValid() { if !cmd.Role.IsValid() {
return response.Error(400, "Invalid role specified", nil) return response.Error(http.StatusBadRequest, "Invalid role specified", nil)
} }
if !c.OrgRole.Includes(cmd.Role) && !c.IsGrafanaAdmin { if !c.OrgRole.Includes(cmd.Role) && !c.IsGrafanaAdmin {
return response.Error(http.StatusForbidden, "Cannot assign a role higher than user's role", nil) return response.Error(http.StatusForbidden, "Cannot assign a role higher than user's role", nil)
} }
if err := hs.orgService.UpdateOrgUser(c.Req.Context(), &cmd); err != nil { if err := hs.orgService.UpdateOrgUser(c.Req.Context(), &cmd); err != nil {
if errors.Is(err, org.ErrLastOrgAdmin) { if errors.Is(err, org.ErrLastOrgAdmin) {
return response.Error(400, "Cannot change role so that there is no organization admin left", nil) return response.Error(http.StatusBadRequest, "Cannot change role so that there is no organization admin left", nil)
} }
return response.Error(500, "Failed update org user", err) return response.Error(http.StatusInternalServerError, "Failed update org user", err)
}
if !hs.accesscontrolService.IsDisabled() {
hs.accesscontrolService.ClearUserPermissionCache(&user.SignedInUser{
UserID: cmd.UserID,
OrgID: cmd.OrgID,
})
} }
return response.Success("Organization user updated") return response.Success("Organization user updated")
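Review bot: The eviction added after the UpdateOrgUser call passes a SignedInUser populated only with `cmd.UserID` and `cmd.OrgID`; whether ClearUserPermissionCache keys its entries on just those two fields is not visible here, and if the key also depends on other SignedInUser fields the demoted user's cached permissions would survive and the previous role would keep being enforced until the entry is otherwise replaced. Worth confirming against the cache implementation, and the intent deserves a line above the `if !hs.accesscontrolService.IsDisabled()` check, e.g. `// A role change alters the user's effective permissions in this org; drop the cached set so the new role is enforced immediately.` Note that the clear runs only after the store update succeeds, so a stale entry can also remain if the process stops between the two calls; that window is presumably bounded by the cache's own refresh behaviour. The closing brace of updateOrgUserHelper lies outside the hunk.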

@ -630,6 +630,7 @@ func TestOrgUsersAPIEndpointWithSetPerms_AccessControl(t *testing.T) {
ExpectedUser: &user.User{}, ExpectedUser: &user.User{},
ExpectedSignedInUser: userWithPermissions(1, tt.permissions), ExpectedSignedInUser: userWithPermissions(1, tt.permissions),
} }
hs.accesscontrolService = &actest.FakeService{}
}) })
u := userWithPermissions(1, tt.permissions) u := userWithPermissions(1, tt.permissions)
@ -703,6 +704,7 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
hs.Cfg.RBACEnabled = tt.enableAccessControl hs.Cfg.RBACEnabled = tt.enableAccessControl
hs.orgService = &orgtest.FakeOrgService{} hs.orgService = &orgtest.FakeOrgService{}
hs.authInfoService = &logintest.AuthInfoServiceFake{} hs.authInfoService = &logintest.AuthInfoServiceFake{}
hs.accesscontrolService = &actest.FakeService{}
hs.userService = &usertest.FakeUserService{ hs.userService = &usertest.FakeUserService{
ExpectedUser: &user.User{}, ExpectedUser: &user.User{},
ExpectedSignedInUser: userWithPermissions(1, tt.permissions), ExpectedSignedInUser: userWithPermissions(1, tt.permissions),
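Review bot: The `hs.accesscontrolService = &actest.FakeService{}` lines added in both tests wire in a fake with no expectations, so neither TestOrgUsersAPIEndpointWithSetPerms_AccessControl nor TestPatchOrgUsersAPIEndpoint_AccessControl asserts that ClearUserPermissionCache is invoked after a successful role change; the invalidation this commit introduces would silently regress if dropped. If actest.FakeService records calls (not visible here), the role-update cases that expect a 200 should check that the clear happened for the updated user and org, and the cases where access control is disabled should check it did not. Both enclosing test functions start before the hunk.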
