Alerting: Use UID scope for folders authorization (#48970)

pull/48095/head^2
Yuriy Tseretyan 3 years ago committed by GitHub
parent 00ef1acb93
commit e528f2e430
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 1
      pkg/services/ngalert/CHANGELOG.md
  2. 3
      pkg/services/ngalert/api/authorization.go
  3. 15
      pkg/services/ngalert/api/authorization_test.go

@ -50,6 +50,7 @@ Scopes must have an order to ensure consistency and ease of search, this helps u
- `grafana_alerting_ticker_next_tick_timestamp_seconds`
- `grafana_alerting_ticker_interval_seconds`
- [ENHANCEMENT] Create folder 'General Alerting' when Grafana starts from the scratch #48866
- [ENHANCEMENT] Rule changes authorization logic to use UID folder scope instead of ID scope #48970
- [FEATURE] Indicate whether routes are provisioned when GETting Alertmanager configuration #47857
- [FEATURE] Indicate whether contact point is provisioned when GETting Alertmanager configuration #48323
- [FEATURE] Indicate whether alert rule is provisioned when GETting the rule #48458

@ -4,7 +4,6 @@ import (
"errors"
"fmt"
"net/http"
"strconv"
"github.com/grafana/grafana/pkg/expr"
"github.com/grafana/grafana/pkg/middleware"
@ -226,7 +225,7 @@ func authorizeRuleChanges(namespace *models.Folder, change *changes, evaluator f
Delete: change.Delete,
}
namespaceScope := dashboards.ScopeFoldersProvider.GetResourceScope(strconv.FormatInt(namespace.Id, 10))
namespaceScope := dashboards.ScopeFoldersProvider.GetResourceScopeUID(namespace.Uid)
if len(change.Delete) > 0 {
var allowedToDelete []*ngmodels.AlertRule
for _, rule := range change.Delete {
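Review bot: The new `namespaceScope` in `authorizeRuleChanges` is built from `namespace.Uid` without checking that the UID is non-empty, so a folder value with a blank `Uid` would yield a scope with an empty identifier, and how the evaluator treats that is not visible here. A guard ahead of the scope construction, such as `if namespace.Uid == "" { return fmt.Errorf("folder UID is required to authorize rule changes") }`, would make the check fail closed; this assumes the function returns an error, which the truncated signature in the hunk header does not show. Permissions that were granted with the ID form of the folder scope will also stop matching unless they are migrated or resolved to the UID form somewhere outside this commit, which is worth confirming before the change ships. The function body starts before and continues past the hunk.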

@ -5,7 +5,6 @@ import (
"net/http"
"os"
"path/filepath"
"strconv"
"testing"
"github.com/go-openapi/loads"
@ -71,7 +70,7 @@ func TestAuthorize(t *testing.T) {
func TestAuthorizeRuleChanges(t *testing.T) {
namespace := randFolder()
namespaceIdScope := dashboards.ScopeFoldersProvider.GetResourceScope(strconv.FormatInt(namespace.Id, 10))
namespaceIdScope := dashboards.ScopeFoldersProvider.GetResourceScopeUID(namespace.Uid)
testCases := []struct {
name string
@ -215,7 +214,7 @@ func TestAuthorizeRuleChanges(t *testing.T) {
func TestAuthorizeRuleDelete(t *testing.T) {
namespace := randFolder()
namespaceIdScope := dashboards.ScopeFoldersProvider.GetResourceScope(strconv.FormatInt(namespace.Id, 10))
namespaceScope := dashboards.ScopeFoldersProvider.GetResourceScopeUID(namespace.Uid)
getScopes := func(rules []*models.AlertRule) []string {
var scopes []string
@ -245,7 +244,7 @@ func TestAuthorizeRuleDelete(t *testing.T) {
permissions: func(c *changes) map[string][]string {
return map[string][]string{
ac.ActionAlertingRuleDelete: {
namespaceIdScope,
namespaceScope,
},
datasources.ActionQuery: getScopes(c.Delete),
}
@ -267,7 +266,7 @@ func TestAuthorizeRuleDelete(t *testing.T) {
permissions: func(c *changes) map[string][]string {
return map[string][]string{
ac.ActionAlertingRuleDelete: {
namespaceIdScope,
namespaceScope,
},
datasources.ActionQuery: {
getScopes(c.Delete[:1])[0],
@ -291,7 +290,7 @@ func TestAuthorizeRuleDelete(t *testing.T) {
permissions: func(c *changes) map[string][]string {
return map[string][]string{
ac.ActionAlertingRuleDelete: {
namespaceIdScope,
namespaceScope,
},
}
},
@ -313,10 +312,10 @@ func TestAuthorizeRuleDelete(t *testing.T) {
permissions: func(c *changes) map[string][]string {
return map[string][]string{
ac.ActionAlertingRuleDelete: {
namespaceIdScope,
namespaceScope,
},
ac.ActionAlertingRuleCreate: {
namespaceIdScope,
namespaceScope,
},
datasources.ActionQuery: getScopes(c.New),
}
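Review bot: In `TestAuthorizeRuleChanges` the variable keeps the name `namespaceIdScope` although it now holds the UID scope; rename it to `namespaceScope`, as the hunks in `TestAuthorizeRuleDelete` already do, so the declaration reads `namespaceScope := dashboards.ScopeFoldersProvider.GetResourceScopeUID(namespace.Uid)`. None of the visible cases covers the denial path this change creates: a permission map that carries only the ID-form scope, `dashboards.ScopeFoldersProvider.GetResourceScope(strconv.FormatInt(namespace.Id, 10))`, should now fail authorization, and a case asserting that would pin the new behaviour (it would need the `strconv` import kept). The test bodies extend outside the hunks, so such a case may exist out of view.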
