From 697afc71b4e7d088824f19d99b73182f3ae12fe2 Mon Sep 17 00:00:00 2001
From: Gabriel MABILLE
Date: Tue, 10 Sep 2024 18:22:40 +0200
Subject: [PATCH] RBAC: FIX Allow specifying several valid scopes for a kind (#93176)

* PermRegistry: Fix regression with actions applying to multiple scopes
* Add tests
Co-authored-by: Ieva
---------
Co-authored-by: Ieva
---
 pkg/services/accesscontrol/permreg/permreg.go | 6 ++----
 .../accesscontrol/permreg/permreg_test.go | 18 +++++++++++++++++-
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/pkg/services/accesscontrol/permreg/permreg.go b/pkg/services/accesscontrol/permreg/permreg.go
index cb3cc4ba5b5..361b2600d08 100644
--- a/pkg/services/accesscontrol/permreg/permreg.go
+++ b/pkg/services/accesscontrol/permreg/permreg.go
@@ -128,11 +128,9 @@ func (pr *permissionRegistry) RegisterPluginScope(scope string) {
 }

 func (pr *permissionRegistry) RegisterPermission(action, scope string) error {
- if _, ok := pr.actionScopePrefixes[action]; ok {
- // action already registered
- return nil
+ if _, ok := pr.actionScopePrefixes[action]; !ok {
+ pr.actionScopePrefixes[action] = PrefixSet{}
 }
- pr.actionScopePrefixes[action] = PrefixSet{}

 if scope == "" {
 // scopeless action
diff --git a/pkg/services/accesscontrol/permreg/permreg_test.go b/pkg/services/accesscontrol/permreg/permreg_test.go
index 0f16555c541..3fbe7afcac5 100644
--- a/pkg/services/accesscontrol/permreg/permreg_test.go
+++ b/pkg/services/accesscontrol/permreg/permreg_test.go
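Review bot: RegisterPermission now accumulates scopes across calls, but nothing above the function says so, and in an access-control registry that is the behaviour callers most need to know: every later registration for an existing action widens the set of scopes accepted as valid for it. I would add a doc comment such as `// RegisterPermission records scope as an additional valid scope for action; repeated calls for the same action accumulate instead of being ignored.` It is also worth stating what is intended when one action is registered both with `scope == ""` and with a non-empty scope, since removing the early return makes that mix reachable. The code that handles the scope lies outside this hunk, so how validation treats that case cannot be confirmed from here.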
@@ -103,7 +103,11 @@ func Test_permissionRegistry_RegisterPermission(t *testing.T) {
 func Test_permissionRegistry_IsPermissionValid(t *testing.T) {
 pr := newPermissionRegistry()
- err := pr.RegisterPermission("folders:read", "folders:uid:")
+ err := pr.RegisterPermission("folders:read", "folders:*")
+ require.NoError(t, err)
+ err = pr.RegisterPermission("dashboards:read", "dashboards:*")
+ require.NoError(t, err)
+ err = pr.RegisterPermission("dashboards:read", "folders:*")
 require.NoError(t, err)
 err = pr.RegisterPermission("test-app.settings:read", "")
 require.NoError(t, err)
@@ -132,6 +136,18 @@ func Test_permissionRegistry_IsPermissionValid(t *testing.T) {
 scope: "folders:*",
 wantErr: false,
 },
+ {
+ name: "valid dashboards read with dashboard scope",
+ action: "dashboards:read",
+ scope: "dashboards:uid:my_team_dash",
+ wantErr: false,
+ },
+ {
+ name: "valid dashboards read with folder scope",
+ action: "dashboards:read",
+ scope: "folders:uid:my_team_folder",
+ wantErr: false,
+ },
 {
 name: "valid folders read with super wildcard",
 action: "folders:read",
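Review bot: Both table entries added in the second hunk are accepting cases, so the test shows that the widening works but not that it stays confined to `dashboards:read`. Because the setup in the first hunk now registers `folders:*` for two different actions, I would add a rejecting case such as `action: "folders:read", scope: "dashboards:uid:my_team_dash", wantErr: true`, which should pin that a scope registered for one action is not accepted for another. The table continues outside the hunk, so an equivalent negative case may already exist there.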