Permissions: Editors becomes admin when creating dashboards, folders and teams #15977
Conversation
xlson
added
pr/needs-manual-testing
|
Great job! First quick pass through of the code, could not find any major things to improve. The two new global static functions MakeUserAdmin and teamguardian.CanAdmin are two things where I am not sure what the best way forward is. Grafana has a ton of these global static functions but we have for the last 2 years been trying to move away from them and move things to instances & stop accessing global instances like bus, cfg. But full self-registering services (that inject Cfg & Bus) adds some boilerplate, and adding it as a injection dependency on HttpServer would also then be needed. So for these small functions maybe there is a middle ground that we can use that is not a full blown service but something more light weight that still has no access to global instances? Also did some manual testing. And as a viewer (org role) & just a normal member of a team, I see the delete button on the team list. I do get an error trying to delete so the backend guardian is doing it's job :)
|
Great catch, I'll fix the FrontEnd part after interview! |
|
Potential UI problems:
|
|
@torkelo: @bergquist suggested sending in the bus as a parameter which I think is a good start. Ideally, I'd like to see us remove the bus completely, but as you mention, that is definitely at deeper rabbit hole. |
Made so permissions for the signedInUser flows from backend to frontend (#15977)
pkg/models/team_member.go
Outdated
| OrgId int64 | ||
| TeamId int64 | ||
| UserId int64 | ||
| External bool |
There was a problem hiding this comment.
Not obvious what this field is for - Leonard explained it to me but should have a comment or something.
There was a problem hiding this comment.
Still reviewing but here are the things I have found so far.
Another issue is that viewers can click on the New Team button on the teams page even though the button is disabled.
The New Team button should be fixed now
There was a problem hiding this comment.
I added a comment explaining external
Should be fixed now @daniellee, would be interesting to know why we do this. Must be there for a case I couldn't find. |
xlson
force-pushed
the
admin-on-create-poc
branch
from
f27d74b
to
94bba58
Compare
Co-Authored-By: xlson <leo@xlson.com>
…bs instead of filtering out children in navModel
xlson
force-pushed
the
admin-on-create-poc
branch
from
94bba58
to
53322a5
Compare
daniellee
changed the title
|
I like these features but would also like to assign limited editor permissions to users/teams. That way someone can edit certain dashboards (not only ones they create) without needing admin privileges. |
|
@WhitingPetroleum not sure I understand you, but to me you'll assign editor permissions to a folder for a team/user. If I misunderstand please open a feature request. |
What this PR does / why we need it:
When it is enabled editors become admin over any Dashboard, Folder or Team they create. The teams list view becomes visible to all users, but, users only see the teams they are members of.
Enable the feature flag to test:
editors_can_admin = trueWhich issue(s) this PR fixes:
Closes #15598
Closes #15599
Closes #15600
Closes #15602
Closes #11584
Special notes for your reviewer:
We'd appreciate code review as well as manual testing.
Open question: should the feature toggle be enabled or disabled by default?