only check dashboard scope in guardian and register resolver for tests (#50427)

pkg/services/guardian/accesscontrol_guardian.go

@@ -44,7 +44,6 @@ type AccessControlDashboardGuardian struct {
 	log                         log.Logger
 	dashboardID                 int64
 	dashboard                   *models.Dashboard
-	parentFolderUID             string
 	user                        *models.SignedInUser
 	store                       sqlstore.Store
 	ac                          accesscontrol.AccessControl
@@ -62,10 +61,9 @@ func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {
 		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 
-	return a.evaluate(accesscontrol.EvalAny(
+	return a.evaluate(
 		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
+	)
-	))
 }
 
 func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
@@ -80,10 +78,9 @@ func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
 		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 
-	return a.evaluate(accesscontrol.EvalAny(
+	return a.evaluate(
 		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
+	)
-	))
 }
 
 func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
@@ -95,10 +92,9 @@ func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
 		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 
-	return a.evaluate(accesscontrol.EvalAny(
+	return a.evaluate(
 		accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
+	)
-	))
 }
 
 func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
@@ -113,15 +109,9 @@ func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
 		))
 	}
 
-	return a.evaluate(accesscontrol.EvalAny(
+	return a.evaluate(accesscontrol.EvalAll(
-		accesscontrol.EvalAll(
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-		),
-		accesscontrol.EvalAll(
-			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
-			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
-		),
 	))
 }
 
@@ -134,10 +124,9 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
 		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 
-	return a.evaluate(accesscontrol.EvalAny(
+	return a.evaluate(
 		accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
+	)
-	))
 }
 
 func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool) (bool, error) {
@@ -269,13 +258,6 @@ func (a *AccessControlDashboardGuardian) loadDashboard() error {
 		if err := a.dashboardService.GetDashboard(a.ctx, query); err != nil {
 			return err
 		}
-		if !query.Result.IsFolder {
-			folder, err := a.loadParentFolder(query.Result.FolderId)
-			if err != nil {
-				return err
-			}
-			a.parentFolderUID = folder.Uid
-		}
 		a.dashboard = query.Result
 	}
 	return nil

pkg/services/guardian/accesscontrol_guardian_test.go

@@ -587,14 +587,15 @@ func setupAccessControlGuardianTest(t *testing.T, uid string, permissions []*acc
 	toSave.SetUid(uid)
 
 	// seed dashboard
-	dash, err := dashdb.ProvideDashboardStore(store).SaveDashboard(models.SaveDashboardCommand{
+	dashStore := dashdb.ProvideDashboardStore(store)
+	dash, err := dashStore.SaveDashboard(models.SaveDashboardCommand{
 		Dashboard: toSave.Data,
 		UserId:    1,
 		OrgId:     1,
-		FolderId:  0,
 	})
 	require.NoError(t, err)
 	ac := accesscontrolmock.New().WithPermissions(permissions)
+	ac.RegisterScopeAttributeResolver(dashboards.NewDashboardUIDScopeResolver(dashStore))
 	license := licensingtest.NewFakeLicensing()
 	license.On("FeatureEnabled", "accesscontrol.enforcement").Return(true).Maybe()