teams: start of team update guardian for editors

pkg/models/team.go

@@ -7,9 +7,11 @@ import (
 
 // Typed errors
 var (
-	ErrTeamNotFound       = errors.New("Team not found")
-	ErrTeamNameTaken      = errors.New("Team name is taken")
-	ErrTeamMemberNotFound = errors.New("Team member not found")
+	ErrTeamNotFound                         = errors.New("Team not found")
+	ErrTeamNameTaken                        = errors.New("Team name is taken")
+	ErrTeamMemberNotFound                   = errors.New("Team member not found")
+	ErrNotAllowedToUpdateTeam               = errors.New("User not allowed to update team")
+	ErrNotAllowedToUpdateTeamInDifferentOrg = errors.New("User not allowed to update team in another org")
 )
 
 // Team model

pkg/services/teams/team.go

@@ -5,6 +5,41 @@ import (
 	m "github.com/grafana/grafana/pkg/models"
 )
 
+func canUpdateTeam(orgId int64, teamId int64, user m.SignedInUser) error {
+	if user.OrgRole == m.ROLE_ADMIN {
+		return nil
+	}
+
+	if user.OrgId != orgId {
+		return m.ErrNotAllowedToUpdateTeamInDifferentOrg
+	}
+
+	cmd := m.GetTeamMembersQuery{
+		OrgId:  orgId,
+		TeamId: teamId,
+		UserId: user.UserId,
+		// TODO: do we need to do something special about external users
+		// External: false,
+	}
+
+	if err := bus.Dispatch(&cmd); err != nil {
+		// TODO: look into how we want to do logging
+		return err
+	}
+
+	for _, member := range cmd.Result {
+		if member.UserId == user.UserId && member.Permission == int64(m.PERMISSION_ADMIN) {
+			return nil
+		}
+	}
+
+	return m.ErrNotAllowedToUpdateTeam
+}
+
 func UpdateTeam(user m.SignedInUser, cmd *m.UpdateTeamCommand) error {
+	if err := canUpdateTeam(cmd.OrgId, cmd.Id, user); err != nil {
+		return err
+	}
+
 	return bus.Dispatch(cmd)
 }

pkg/services/teams/teams_test.go

 package teams
 
 import (
-	. "github.com/smartystreets/goconvey/convey"
+	"github.com/grafana/grafana/pkg/bus"
 	m "github.com/grafana/grafana/pkg/models"
+	"github.com/pkg/errors"
+	. "github.com/smartystreets/goconvey/convey"
+	"testing"
 )
 
-
 func TestUpdateTeam(t *testing.T) {
-	Convey("Updating a team as an editor", t, func() {
+	Convey("Updating a team", t, func() {
+		bus.ClearBusHandlers()
 		Convey("Given an editor and a team he isn't a member of", func() {
-			
-			UpdateTeam(editor, m.UpdateTeamCommand{
-		Id:    0,
-		Name:  "",
-		Email: "",
-		OrgId: 0,
-	})
+			editor := m.SignedInUser{
+				UserId:  1,
+				OrgId:   1,
+				OrgRole: m.ROLE_EDITOR,
+			}
+
+			Convey("Should not be able to update the team", func() {
+				cmd := m.UpdateTeamCommand{
+					Id:    1,
+					OrgId: editor.OrgId,
+				}
+
+				bus.AddHandler("test", func(cmd *m.UpdateTeamCommand) error {
+					return errors.New("Editor not allowed to update team.")
+				})
+				bus.AddHandler("test", func(cmd *m.GetTeamMembersQuery) error {
+					cmd.Result = []*m.TeamMemberDTO{}
+					return nil
+				})
+
+				err := UpdateTeam(editor, &cmd)
+
+				So(err, ShouldEqual, m.ErrNotAllowedToUpdateTeam)
+			})
 		})
 
-		// the editor should not be able to update the team if they aren't members of it
+		Convey("Given an editor and a team he is a member of", func() {
+			editor := m.SignedInUser{
+				UserId:  1,
+				OrgId:   1,
+				OrgRole: m.ROLE_EDITOR,
+			}
+
+			testTeam := m.Team{
+				Id:    1,
+				OrgId: 1,
+			}
+
+			Convey("Should be able to update the team", func() {
+				cmd := m.UpdateTeamCommand{
+					Id:    testTeam.Id,
+					OrgId: testTeam.OrgId,
+				}
+
+				teamUpdated := false
+
+				bus.AddHandler("test", func(cmd *m.UpdateTeamCommand) error {
+					teamUpdated = true
+					return nil
+				})
+
+				bus.AddHandler("test", func(cmd *m.GetTeamMembersQuery) error {
+					cmd.Result = []*m.TeamMemberDTO{{
+						OrgId:      testTeam.OrgId,
+						TeamId:     testTeam.Id,
+						UserId:     editor.UserId,
+						Permission: int64(m.PERMISSION_ADMIN),
+					}}
+					return nil
+				})
 
-		fakeDash := m.NewDashboard("Child dash")
-		fakeDash.Id = 1
-		fakeDash.FolderId = 1
-		fakeDash.HasAcl = false
+				err := UpdateTeam(editor, &cmd)
 
-		bus.AddHandler("test", func(query *m.GetDashboardsBySlugQuery) error {
-			dashboards := []*m.Dashboard{fakeDash}
-			query.Result = dashboards
-			return nil
+				So(teamUpdated, ShouldBeTrue)
+				So(err, ShouldBeNil)
+			})
 		})
 
-		var getDashboardQueries []*m.GetDashboardQuery
+		Convey("Given an editor and a team in another org", func() {
+			editor := m.SignedInUser{
+				UserId:  1,
+				OrgId:   1,
+				OrgRole: m.ROLE_EDITOR,
+			}
 
-		bus.AddHandler("test", func(query *m.GetDashboardQuery) error {
-			query.Result = fakeDash
-			getDashboardQueries = append(getDashboardQueries, query)
-			return nil
+			testTeam := m.Team{
+				Id:    1,
+				OrgId: 2,
+			}
+
+			Convey("Shouldn't be able to update the team", func() {
+				cmd := m.UpdateTeamCommand{
+					Id:    testTeam.Id,
+					OrgId: testTeam.OrgId,
+				}
+
+				bus.AddHandler("test", func(cmd *m.UpdateTeamCommand) error {
+					return errors.New("Can't update a team in a different org.")
+				})
+				bus.AddHandler("test", func(cmd *m.GetTeamMembersQuery) error {
+					cmd.Result = []*m.TeamMemberDTO{{
+						OrgId:      testTeam.OrgId,
+						TeamId:     testTeam.Id,
+						UserId:     editor.UserId,
+						Permission: int64(m.PERMISSION_ADMIN),
+					}}
+					return nil
+				})
+
+				err := UpdateTeam(editor, &cmd)
+
+				So(err, ShouldEqual, m.ErrNotAllowedToUpdateTeamInDifferentOrg)
+			})
 		})
 
-		bus.AddHandler("test", func(query *m.IsDashboardProvisionedQuery) error {
+		Convey("Given an org admin and a team", func() {
+			editor := m.SignedInUser{
+				UserId:  1,
+				OrgId:   1,
+				OrgRole: m.ROLE_ADMIN,
+			}
+
+			testTeam := m.Team{
+				Id:    1,
+				OrgId: 1,
+			}
+
+			Convey("Should be able to update the team", func() {
+				cmd := m.UpdateTeamCommand{
+					Id:    testTeam.Id,
+					OrgId: testTeam.OrgId,
+				}
+
+				teamUpdated := false
+
+				bus.AddHandler("test", func(cmd *m.UpdateTeamCommand) error {
+					teamUpdated = true
+					return nil
+				})
+
+				err := UpdateTeam(editor, &cmd)
+
+				So(teamUpdated, ShouldBeTrue)
+				So(err, ShouldBeNil)
+			})
+		})
+	})
+}