diff --git a/pkg/services/guardian/accesscontrol_guardian.go b/pkg/services/guardian/accesscontrol_guardian.go
index d4d010db552..87ddfef95c1 100644
--- a/pkg/services/guardian/accesscontrol_guardian.go
+++ b/pkg/services/guardian/accesscontrol_guardian.go
@@ -44,7 +44,6 @@ type AccessControlDashboardGuardian struct {
 log log.Logger
 dashboardID int64
 dashboard *models.Dashboard
- parentFolderUID string
 user *models.SignedInUser
 store sqlstore.Store
 ac accesscontrol.AccessControl
@@ -62,10 +61,9 @@ func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {
 return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 }
- return a.evaluate(accesscontrol.EvalAny(
+ return a.evaluate(
 accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
- accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
- ))
+ )
 }
 func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
@@ -80,10 +78,9 @@ func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
 return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 }
- return a.evaluate(accesscontrol.EvalAny(
+ return a.evaluate(
 accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
- accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
- ))
+ )
 }
 func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
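Review bot: The non-folder branch of CanSave now checks only the dashboard-UID scope, so a user whose `ActionDashboardsWrite` grant is scoped to the parent folder passes only if the evaluator behind `a.evaluate` expands dashboard scopes into folder scopes. Nothing in this file shows that expansion; the test file registers `dashboards.NewDashboardUIDScopeResolver(dashStore)` on the mock, which suggests the production `ac` needs the same resolver registered. Without it the result looks fail-closed (inherited access denied rather than granted), but the denial would be silent, so I would add a comment above the return such as `// Folder-inherited grants are matched via the dashboard UID scope resolver registered on a.ac; without it only direct dashboard grants apply.` The same applies to the CanEdit, CanView, CanAdmin and CanDelete hunks. CanSave's body starts above the hunk.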
@@ -95,10 +92,9 @@ func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
 return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 }
- return a.evaluate(accesscontrol.EvalAny(
+ return a.evaluate(
 accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
- accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
- ))
+ )
 }
 func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
@@ -113,15 +109,9 @@ func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
 ))
 }
- return a.evaluate(accesscontrol.EvalAny(
- accesscontrol.EvalAll(
- accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
- accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
- ),
- accesscontrol.EvalAll(
- accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
- accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
- ),
+ return a.evaluate(accesscontrol.EvalAll(
+ accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
+ accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
 ))
 }
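Review bot: In the CanAdmin hunk the new `EvalAll` may no longer require both permission actions on the same resource: the removed code accepted read+write on the dashboard or read+write on the parent folder, never a mix of the two. If the scope resolver expands each dashboard-UID scope to also match the folder scope (inferred, not visible here), a user holding `ActionDashboardsPermissionsRead` on the folder and `ActionDashboardsPermissionsWrite` on the dashboard alone would now pass. If that widening is intended, state it above the return, e.g. `// Read and write may each be satisfied by the dashboard scope or by an inherited folder scope.`, and pin it with a test case; if it is not, the same-scope pairing needs to be kept. CanAdmin's body starts above the hunk.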
@@ -134,10 +124,9 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
 return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 }
- return a.evaluate(accesscontrol.EvalAny(
+ return a.evaluate(
 accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
- accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
- ))
+ )
 }
 func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool) (bool, error) {
@@ -269,13 +258,6 @@ func (a *AccessControlDashboardGuardian) loadDashboard() error {
 if err := a.dashboardService.GetDashboard(a.ctx, query); err != nil {
 return err
 }
- if !query.Result.IsFolder {
- folder, err := a.loadParentFolder(query.Result.FolderId)
- if err != nil {
- return err
- }
- a.parentFolderUID = folder.Uid
- }
 a.dashboard = query.Result
 }
 return nil
diff --git a/pkg/services/guardian/accesscontrol_guardian_test.go b/pkg/services/guardian/accesscontrol_guardian_test.go
index f1c540b76d6..b0f5950f096 100644
--- a/pkg/services/guardian/accesscontrol_guardian_test.go
+++ b/pkg/services/guardian/accesscontrol_guardian_test.go
@@ -587,14 +587,15 @@ func setupAccessControlGuardianTest(t *testing.T, uid string, permissions []*acc
 toSave.SetUid(uid)
 // seed dashboard
- dash, err := dashdb.ProvideDashboardStore(store).SaveDashboard(models.SaveDashboardCommand{
+ dashStore := dashdb.ProvideDashboardStore(store)
+ dash, err := dashStore.SaveDashboard(models.SaveDashboardCommand{
 Dashboard: toSave.Data,
 UserId: 1,
 OrgId: 1,
- FolderId: 0,
 })
 require.NoError(t, err)
 ac := accesscontrolmock.New().WithPermissions(permissions)
+ ac.RegisterScopeAttributeResolver(dashboards.NewDashboardUIDScopeResolver(dashStore))
 license := licensingtest.NewFakeLicensing()
 license.On("FeatureEnabled", "accesscontrol.enforcement").Return(true).Maybe()
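Review bot: The fixture saves the dashboard with no `FolderId`, so as far as this hunk shows the guardian tests never cover a dashboard that sits inside a folder, which is the path this commit moves out of the guardian and into `NewDashboardUIDScopeResolver`. I would add a setup variant that saves a folder first, saves the dashboard under it, and grants only a folder-scoped permission, asserting the Can* checks still pass, plus a negative case where the grant is on a different folder. A one-line comment on the added `RegisterScopeAttributeResolver` call saying why the guardian needs it (presumably so folder-scoped grants match dashboard-UID scopes) would also help the next reader. setupAccessControlGuardianTest starts above the hunk and continues below it.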