Access Control: Clear user's permission cache after resource creation #59101

merged 5 commits into from Nov 24, 2022
8 changes: 8 additions & 0 deletions pkg/api/dashboard.go
Expand Up @@ -450,6 +450,14 @@ func (hs *HTTPServer) postDashboard(c *models.ReqContext, cmd models.SaveDashboa

dashboard, err := hs.DashboardService.SaveDashboard(alerting.WithUAEnabled(ctx, hs.Cfg.UnifiedAlerting.IsEnabled()), dashItem, allowUiUpdate)

// Reload permission cache for the user who's created the dashboard, so that they can access it immediately
if newDashboard && !hs.AccessControl.IsDisabled() {
_, err := hs.accesscontrolService.GetUserPermissions(c.Req.Context(), c.SignedInUser, accesscontrol.Options{ReloadCache: true})
if err != nil {
return response.Error(500, "Failed to reload permission cache after adding dashboard", err)
}
}

if hs.Live != nil {
// Tell everyone listening that the dashboard changed
if dashboard == nil {
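Review bot: The new `if newDashboard && !hs.AccessControl.IsDisabled()` block runs before the `err` returned by `SaveDashboard` on the line above it is inspected, so on a failed save the handler still reloads the creator's permission cache, and a reload failure then reports "Failed to reload permission cache after adding dashboard" in place of the real save error; the save error is presumably checked further down, outside the hunk. Move the block below that check, or guard it with `if newDashboard && err == nil && !hs.AccessControl.IsDisabled() {` (the inner `_, err :=` only shadows `err` inside the braces, so the outer save result is otherwise untouched). The same pattern in datasources.go, folder.go and team.go returns 500 after the resource has already been persisted, so a transient cache problem turns a successful create into an apparent failure for the client, and a retry would then collide with the existing resource; consider logging the reload error and still returning the created resource, since the cache will presumably be refreshed on its next miss anyway. postDashboard starts and ends outside the hunk.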
9 changes: 9 additions & 0 deletions pkg/api/datasources.go
Expand Up @@ -19,6 +19,7 @@ import (
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins/adapters"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/datasources/permissions"
"github.com/grafana/grafana/pkg/services/user"
Expand Down Expand Up @@ -396,6 +397,14 @@ func (hs *HTTPServer) AddDataSource(c *models.ReqContext) response.Response {
return response.Error(500, "Failed to add datasource", err)
}

// Reload permission cache for the user who's created the data source, so that they can access this data source immediately
if !hs.AccessControl.IsDisabled() {
_, err := hs.accesscontrolService.GetUserPermissions(c.Req.Context(), c.SignedInUser, ac.Options{ReloadCache: true})
if err != nil {
return response.Error(500, "Failed to reload permission cache after adding data source", err)
}
}

ds := hs.convertModelToDtos(c.Req.Context(), cmd.Result)
return response.JSON(http.StatusOK, util.DynMap{
"message": "Datasource added",
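Review bot: The access-control package is imported as `ac` here, in folder.go and in team.go, while dashboard.go in the same change refers to `accesscontrol.Options` without an alias; pick one spelling across the PR. The reload block itself is now copied into four handlers with only the error message differing, which is how the stale comment in team.go (still mentioning "this data source") crept in; a small helper such as `func (hs *HTTPServer) reloadUserPermissions(c *models.ReqContext) error` that wraps the `IsDisabled()` guard and the `GetUserPermissions(c.Req.Context(), c.SignedInUser, ac.Options{ReloadCache: true})` call would reduce each call site to one line and keep the comment in one place. AddDataSource starts and ends outside the hunk.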
9 changes: 9 additions & 0 deletions pkg/api/folder.go
Expand Up @@ -9,6 +9,7 @@ import (
"github.com/grafana/grafana/pkg/api/dtos"
"github.com/grafana/grafana/pkg/api/response"
"github.com/grafana/grafana/pkg/models"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/folder"
Expand Down Expand Up @@ -128,6 +129,14 @@ func (hs *HTTPServer) CreateFolder(c *models.ReqContext) response.Response {
return apierrors.ToFolderErrorResponse(err)
}

// Reload permission cache for the user who's created the folder, so that they can access it immediately
if !hs.AccessControl.IsDisabled() {
_, err := hs.accesscontrolService.GetUserPermissions(c.Req.Context(), c.SignedInUser, ac.Options{ReloadCache: true})
if err != nil {
return response.Error(500, "Failed to reload permission cache after adding folder", err)
}
}

g := guardian.New(c.Req.Context(), folder.ID, c.OrgID, c.SignedInUser)
// TODO set ParentUID if nested folders are enabled
return response.JSON(http.StatusOK, hs.newToFolderDto(c, g, folder))
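Review bot: The permission set returned by `GetUserPermissions` is discarded (`_, err :=`), yet the very next statement builds `guardian.New(c.Req.Context(), folder.ID, c.OrgID, c.SignedInUser)` from the same request user; whether that guardian sees the refreshed permissions therefore depends on `GetUserPermissions` updating `c.SignedInUser` in place, which the hunk does not show. If it only refreshes the backing cache, the guardian and the access flags in `hs.newToFolderDto` would still be computed from the pre-creation set for this one response, so either assign the returned permissions to the signed-in user or state the assumption in the comment, e.g. `// Reload the creator's permission cache before building the guardian below; GetUserPermissions is assumed to refresh c.SignedInUser as well`. CreateFolder starts outside the hunk.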
9 changes: 9 additions & 0 deletions pkg/api/team.go
Expand Up @@ -8,6 +8,7 @@ import (
"github.com/grafana/grafana/pkg/api/dtos"
"github.com/grafana/grafana/pkg/api/response"
"github.com/grafana/grafana/pkg/models"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/util"
"github.com/grafana/grafana/pkg/web"
Expand Down Expand Up @@ -41,6 +42,14 @@ func (hs *HTTPServer) CreateTeam(c *models.ReqContext) response.Response {
return response.Error(500, "Failed to create Team", err)
}

// Reload permission cache for the user who's created the team, so that they can access this data source immediately
if !hs.AccessControl.IsDisabled() {
_, err := hs.accesscontrolService.GetUserPermissions(c.Req.Context(), c.SignedInUser, ac.Options{ReloadCache: true})
if err != nil {
return response.Error(500, "Failed to reload permission cache after adding team", err)
}
}

if accessControlEnabled || (c.OrgRole == org.RoleEditor && hs.Cfg.EditorsCanAdmin) {
// if the request is authenticated using API tokens
// the SignedInUser is an empty struct therefore
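Review bot: A reload failure in the new block returns 500 after the team has been created but before the block starting `if accessControlEnabled || (c.OrgRole == org.RoleEditor && hs.Cfg.EditorsCanAdmin)` adds the creator as a member, which would leave a team with no admin; either move the reload after the membership step or log the error and continue rather than returning. The comment above the block is copied from datasources.go and still reads "so that they can access this data source immediately"; change it to `// Reload permission cache for the user who's created the team, so that they can access it immediately`. The existing comment a few lines down notes that API-token requests carry an empty SignedInUser, so the reload would then run for that empty user; this is probably harmless, but if the cache is keyed on the user id a guard on a non-zero id before reloading would avoid populating an entry for user 0. CreateTeam continues outside the hunk.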