Commit 74840178 by Torkel Ödegaard

refactoring dashboard folder security checks

parent f7194878
......@@ -50,7 +50,6 @@ func GetDashboard(c *middleware.Context) Response {
}
guardian := guardian.NewDashboardGuardian(dash.Id, c.OrgId, c.SignedInUser)
if canView, err := guardian.CanView(); err != nil || !canView {
return dashboardGuardianResponse(err)
}
......
......@@ -12,19 +12,32 @@ import (
func TestDashboardAclApiEndpoint(t *testing.T) {
Convey("Given a dashboard acl", t, func() {
mockResult := []*models.DashboardAclInfoDTO{
mockResult := []*models.DashboardAcl{
{Id: 1, OrgId: 1, DashboardId: 1, UserId: 2, Permissions: models.PERMISSION_EDIT},
{Id: 2, OrgId: 1, DashboardId: 1, UserId: 3, Permissions: models.PERMISSION_VIEW},
{Id: 3, OrgId: 1, DashboardId: 1, UserGroupId: 1, Permissions: models.PERMISSION_EDIT},
{Id: 4, OrgId: 1, DashboardId: 1, UserGroupId: 2, Permissions: models.PERMISSION_READ_ONLY_EDIT},
}
dtoRes := []*models.DashboardAclInfoDTO{
{Id: 1, OrgId: 1, DashboardId: 1, UserId: 2, Permissions: models.PERMISSION_EDIT},
{Id: 2, OrgId: 1, DashboardId: 1, UserId: 3, Permissions: models.PERMISSION_VIEW},
{Id: 3, OrgId: 1, DashboardId: 1, UserGroupId: 1, Permissions: models.PERMISSION_EDIT},
{Id: 4, OrgId: 1, DashboardId: 1, UserGroupId: 2, Permissions: models.PERMISSION_READ_ONLY_EDIT},
}
bus.AddHandler("test", func(query *models.GetDashboardPermissionsQuery) error {
query.Result = dtoRes
return nil
})
bus.AddHandler("test", func(query *models.GetInheritedDashboardAclQuery) error {
query.Result = mockResult
return nil
})
userGroupResp := []*models.UserGroup{}
bus.AddHandler("test", func(query *models.GetUserGroupsByUserQuery) error {
query.Result = []*models.UserGroup{}
query.Result = userGroupResp
return nil
})
......@@ -46,7 +59,7 @@ func TestDashboardAclApiEndpoint(t *testing.T) {
Convey("When user is editor and in the ACL", func() {
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/1/acl", "/api/dashboards/:id/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {
mockResult = append(mockResult, &models.DashboardAclInfoDTO{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permissions: models.PERMISSION_EDIT})
mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permissions: models.PERMISSION_EDIT})
Convey("Should be able to access ACL", func() {
sc.handlerFunc = GetDashboardAcl
......@@ -57,7 +70,7 @@ func TestDashboardAclApiEndpoint(t *testing.T) {
})
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/1/acl/user/1", "/api/dashboards/:id/acl/user/:userId", models.ROLE_EDITOR, func(sc *scenarioContext) {
mockResult = append(mockResult, &models.DashboardAclInfoDTO{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permissions: models.PERMISSION_EDIT})
mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permissions: models.PERMISSION_EDIT})
bus.AddHandler("test3", func(cmd *models.RemoveDashboardPermissionCommand) error {
return nil
......@@ -73,11 +86,7 @@ func TestDashboardAclApiEndpoint(t *testing.T) {
Convey("When user is a member of a user group in the ACL with edit permission", func() {
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/1/acl/user/1", "/api/dashboards/:id/acl/user/:userId", models.ROLE_EDITOR, func(sc *scenarioContext) {
bus.AddHandler("test3", func(query *models.GetUserGroupsByUserQuery) error {
query.Result = []*models.UserGroup{{Id: 1, OrgId: 1, Name: "UG1"}}
return nil
})
userGroupResp = append(userGroupResp, &models.UserGroup{Id: 1, OrgId: 1, Name: "UG1"})
bus.AddHandler("test3", func(cmd *models.RemoveDashboardPermissionCommand) error {
return nil
......@@ -105,7 +114,7 @@ func TestDashboardAclApiEndpoint(t *testing.T) {
})
loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/1/acl/user/1", "/api/dashboards/:id/acl/user/:userId", models.ROLE_EDITOR, func(sc *scenarioContext) {
mockResult = append(mockResult, &models.DashboardAclInfoDTO{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permissions: models.PERMISSION_VIEW})
mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permissions: models.PERMISSION_VIEW})
bus.AddHandler("test3", func(cmd *models.RemoveDashboardPermissionCommand) error {
return nil
})
......
......@@ -30,6 +30,12 @@ func TestDashboardApiEndpoint(t *testing.T) {
return nil
})
aclMockResp := []*models.DashboardAcl{}
bus.AddHandler("test", func(query *models.GetInheritedDashboardAclQuery) error {
query.Result = aclMockResp
return nil
})
cmd := models.SaveDashboardCommand{
Dashboard: simplejson.NewFromAny(map[string]interface{}{
"parentId": fakeDash.ParentId,
......@@ -165,6 +171,19 @@ func TestDashboardApiEndpoint(t *testing.T) {
fakeDash.ParentId = 1
fakeDash.HasAcl = true
aclMockResp := []*models.DashboardAcl{
{
DashboardId: 1,
Permissions: models.PERMISSION_EDIT,
UserId: 200,
},
}
bus.AddHandler("test", func(query *models.GetInheritedDashboardAclQuery) error {
query.Result = aclMockResp
return nil
})
bus.AddHandler("test", func(query *models.GetDashboardQuery) error {
query.Result = fakeDash
return nil
......@@ -186,10 +205,6 @@ func TestDashboardApiEndpoint(t *testing.T) {
Convey("When user is an Org Viewer and has no permissions for this dashboard", func() {
role := models.ROLE_VIEWER
bus.AddHandler("test", func(query *models.GetDashboardPermissionsQuery) error {
query.Result = []*models.DashboardAclInfoDTO{}
return nil
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/2", "/api/dashboards/:id", role, func(sc *scenarioContext) {
sc.handlerFunc = GetDashboard
......@@ -224,11 +239,6 @@ func TestDashboardApiEndpoint(t *testing.T) {
Convey("When user is an Org Editor and has no permissions for this dashboard", func() {
role := models.ROLE_EDITOR
bus.AddHandler("test", func(query *models.GetDashboardPermissionsQuery) error {
query.Result = []*models.DashboardAclInfoDTO{}
return nil
})
loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/2", "/api/dashboards/:id", role, func(sc *scenarioContext) {
sc.handlerFunc = GetDashboard
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
......@@ -262,11 +272,11 @@ func TestDashboardApiEndpoint(t *testing.T) {
Convey("When user is an Org Viewer but has an edit permission", func() {
role := models.ROLE_VIEWER
mockResult := []*models.DashboardAclInfoDTO{
mockResult := []*models.DashboardAcl{
{Id: 1, OrgId: 1, DashboardId: 2, UserId: 1, Permissions: models.PERMISSION_EDIT},
}
bus.AddHandler("test", func(query *models.GetDashboardPermissionsQuery) error {
bus.AddHandler("test", func(query *models.GetInheritedDashboardAclQuery) error {
query.Result = mockResult
return nil
})
......@@ -304,11 +314,11 @@ func TestDashboardApiEndpoint(t *testing.T) {
Convey("When user is an Org Editor but has a view permission", func() {
role := models.ROLE_EDITOR
mockResult := []*models.DashboardAclInfoDTO{
mockResult := []*models.DashboardAcl{
{Id: 1, OrgId: 1, DashboardId: 2, UserId: 1, Permissions: models.PERMISSION_VIEW},
}
bus.AddHandler("test", func(query *models.GetDashboardPermissionsQuery) error {
bus.AddHandler("test", func(query *models.GetInheritedDashboardAclQuery) error {
query.Result = mockResult
return nil
})
......
......@@ -87,7 +87,7 @@ func (g *DashboardGuardian) getAcl() ([]*m.DashboardAcl, error) {
}
func (g *DashboardGuardian) getUserGroups() ([]*m.UserGroup, error) {
if g.groups == nil {
if g.groups != nil {
return g.groups, nil
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment