Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
oscarleiva
/
energylink
1
0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Ağaç: a94de51e5e
Dallar Biçim İmleri
energylink
/
pkg
/
services
/
guardian
/
guardian_test.go

guardian_test.go 25 KB
Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711 
  1. package guardian
    2. 

  2. 

  3. import (
    4. 

  4. 	"fmt"
    5. 

  5. 	"testing"
    6. 

  6. 

  7. 	"github.com/grafana/grafana/pkg/bus"
    8. 

  8. 

  9. 	m "github.com/grafana/grafana/pkg/models"
    10. 

  10. 	. "github.com/smartystreets/goconvey/convey"
    11. 

  11. )
    12. 

  12. 

  13. func TestGuardian(t *testing.T) {
    14. 

  14. 	Convey("Guardian permission tests", t, func() {
    15. 

  15. 		orgRoleScenario("Given user has admin org role", m.ROLE_ADMIN, func(sc *scenarioContext) {
    16. 

  16. 			canAdmin, _ := sc.g.CanAdmin()
    17. 

  17. 			canEdit, _ := sc.g.CanEdit()
    18. 

  18. 			canSave, _ := sc.g.CanSave()
    19. 

  19. 			canView, _ := sc.g.CanView()
    20. 

  20. 			So(canAdmin, ShouldBeTrue)
    21. 

  21. 			So(canEdit, ShouldBeTrue)
    22. 

  22. 			So(canSave, ShouldBeTrue)
    23. 

  23. 			So(canView, ShouldBeTrue)
    24. 

  24. 

  25. 			Convey("When trying to update permissions", func() {
    26. 

  26. 				Convey("With duplicate user permissions should return error", func() {
    27. 

  27. 					p := []*m.DashboardAcl{
    28. 

  28. 						{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_VIEW},
    29. 

  29. 						{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_ADMIN},
    30. 

  30. 					}
    31. 

  31. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    32. 

  32. 					So(err, ShouldEqual, ErrGuardianPermissionExists)
    33. 

  33. 				})
    34. 

  34. 

  35. 				Convey("With duplicate team permissions should return error", func() {
    36. 

  36. 					p := []*m.DashboardAcl{
    37. 

  37. 						{OrgId: 1, DashboardId: 1, TeamId: 1, Permission: m.PERMISSION_VIEW},
    38. 

  38. 						{OrgId: 1, DashboardId: 1, TeamId: 1, Permission: m.PERMISSION_ADMIN},
    39. 

  39. 					}
    40. 

  40. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    41. 

  41. 					So(err, ShouldEqual, ErrGuardianPermissionExists)
    42. 

  42. 				})
    43. 

  43. 

  44. 				Convey("With duplicate everyone with editor role permission should return error", func() {
    45. 

  45. 					r := m.ROLE_EDITOR
    46. 

  46. 					p := []*m.DashboardAcl{
    47. 

  47. 						{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_VIEW},
    48. 

  48. 						{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_ADMIN},
    49. 

  49. 					}
    50. 

  50. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    51. 

  51. 					So(err, ShouldEqual, ErrGuardianPermissionExists)
    52. 

  52. 				})
    53. 

  53. 

  54. 				Convey("With duplicate everyone with viewer role permission should return error", func() {
    55. 

  55. 					r := m.ROLE_VIEWER
    56. 

  56. 					p := []*m.DashboardAcl{
    57. 

  57. 						{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_VIEW},
    58. 

  58. 						{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_ADMIN},
    59. 

  59. 					}
    60. 

  60. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    61. 

  61. 					So(err, ShouldEqual, ErrGuardianPermissionExists)
    62. 

  62. 				})
    63. 

  63. 

  64. 				Convey("With everyone with admin role permission should return error", func() {
    65. 

  65. 					r := m.ROLE_ADMIN
    66. 

  66. 					p := []*m.DashboardAcl{
    67. 

  67. 						{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_ADMIN},
    68. 

  68. 					}
    69. 

  69. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    70. 

  70. 					So(err, ShouldEqual, ErrGuardianPermissionExists)
    71. 

  71. 				})
    72. 

  72. 			})
    73. 

  73. 

  74. 			Convey("Given default permissions", func() {
    75. 

  75. 				editor := m.ROLE_EDITOR
    76. 

  76. 				viewer := m.ROLE_VIEWER
    77. 

  77. 				existingPermissions := []*m.DashboardAclInfoDTO{
    78. 

  78. 					{OrgId: 1, DashboardId: -1, Role: &editor, Permission: m.PERMISSION_EDIT},
    79. 

  79. 					{OrgId: 1, DashboardId: -1, Role: &viewer, Permission: m.PERMISSION_VIEW},
    80. 

  80. 				}
    81. 

  81. 

  82. 				bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    83. 

  83. 					query.Result = existingPermissions
    84. 

  84. 					return nil
    85. 

  85. 				})
    86. 

  86. 

  87. 				Convey("When trying to update dashboard permissions without everyone with role editor can edit should be allowed", func() {
    88. 

  88. 					r := m.ROLE_VIEWER
    89. 

  89. 					p := []*m.DashboardAcl{
    90. 

  90. 						{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_VIEW},
    91. 

  91. 					}
    92. 

  92. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    93. 

  93. 					So(ok, ShouldBeTrue)
    94. 

  94. 				})
    95. 

  95. 

  96. 				Convey("When trying to update dashboard permissions without everyone with role viewer can view should be allowed", func() {
    97. 

  97. 					r := m.ROLE_EDITOR
    98. 

  98. 					p := []*m.DashboardAcl{
    99. 

  99. 						{OrgId: 1, DashboardId: 1, Role: &r, Permission: m.PERMISSION_EDIT},
    100. 

  100. 					}
    101. 

  101. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    102. 

  102. 					So(ok, ShouldBeTrue)
    103. 

  103. 				})
    104. 

  104. 			})
    105. 

  105. 

  106. 			Convey("Given parent folder has user admin permission", func() {
    107. 

  107. 				existingPermissions := []*m.DashboardAclInfoDTO{
    108. 

  108. 					{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_ADMIN},
    109. 

  109. 				}
    110. 

  110. 

  111. 				bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    112. 

  112. 					query.Result = existingPermissions
    113. 

  113. 					return nil
    114. 

  114. 				})
    115. 

  115. 

  116. 				Convey("When trying to update dashboard permissions with admin user permission should return error", func() {
    117. 

  117. 					p := []*m.DashboardAcl{
    118. 

  118. 						{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_ADMIN},
    119. 

  119. 					}
    120. 

  120. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    121. 

  121. 					So(err, ShouldEqual, ErrGuardianOverride)
    122. 

  122. 				})
    123. 

  123. 

  124. 				Convey("When trying to update dashboard permissions with edit user permission should return error", func() {
    125. 

  125. 					p := []*m.DashboardAcl{
    126. 

  126. 						{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_EDIT},
    127. 

  127. 					}
    128. 

  128. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    129. 

  129. 					So(err, ShouldEqual, ErrGuardianOverride)
    130. 

  130. 				})
    131. 

  131. 

  132. 				Convey("When trying to update dashboard permissions with view user permission should return error", func() {
    133. 

  133. 					p := []*m.DashboardAcl{
    134. 

  134. 						{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_VIEW},
    135. 

  135. 					}
    136. 

  136. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    137. 

  137. 					So(err, ShouldEqual, ErrGuardianOverride)
    138. 

  138. 				})
    139. 

  139. 			})
    140. 

  140. 

  141. 			Convey("Given parent folder has user edit permission", func() {
    142. 

  142. 				existingPermissions := []*m.DashboardAclInfoDTO{
    143. 

  143. 					{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_EDIT},
    144. 

  144. 				}
    145. 

  145. 

  146. 				bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    147. 

  147. 					query.Result = existingPermissions
    148. 

  148. 					return nil
    149. 

  149. 				})
    150. 

  150. 

  151. 				Convey("When trying to update dashboard permissions with admin user permission should be allowed", func() {
    152. 

  152. 					p := []*m.DashboardAcl{
    153. 

  153. 						{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_ADMIN},
    154. 

  154. 					}
    155. 

  155. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    156. 

  156. 					So(ok, ShouldBeTrue)
    157. 

  157. 				})
    158. 

  158. 

  159. 				Convey("When trying to update dashboard permissions with edit user permission should return error", func() {
    160. 

  160. 					p := []*m.DashboardAcl{
    161. 

  161. 						{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_EDIT},
    162. 

  162. 					}
    163. 

  163. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    164. 

  164. 					So(err, ShouldEqual, ErrGuardianOverride)
    165. 

  165. 				})
    166. 

  166. 

  167. 				Convey("When trying to update dashboard permissions with view user permission should return error", func() {
    168. 

  168. 					p := []*m.DashboardAcl{
    169. 

  169. 						{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_VIEW},
    170. 

  170. 					}
    171. 

  171. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    172. 

  172. 					So(err, ShouldEqual, ErrGuardianOverride)
    173. 

  173. 				})
    174. 

  174. 			})
    175. 

  175. 

  176. 			Convey("Given parent folder has user view permission", func() {
    177. 

  177. 				existingPermissions := []*m.DashboardAclInfoDTO{
    178. 

  178. 					{OrgId: 1, DashboardId: 2, UserId: 1, Permission: m.PERMISSION_VIEW},
    179. 

  179. 				}
    180. 

  180. 

  181. 				bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    182. 

  182. 					query.Result = existingPermissions
    183. 

  183. 					return nil
    184. 

  184. 				})
    185. 

  185. 

  186. 				Convey("When trying to update dashboard permissions with admin user permission should be allowed", func() {
    187. 

  187. 					p := []*m.DashboardAcl{
    188. 

  188. 						{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_ADMIN},
    189. 

  189. 					}
    190. 

  190. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    191. 

  191. 					So(ok, ShouldBeTrue)
    192. 

  192. 				})
    193. 

  193. 

  194. 				Convey("When trying to update dashboard permissions with edit user permission should be allowed", func() {
    195. 

  195. 					p := []*m.DashboardAcl{
    196. 

  196. 						{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_EDIT},
    197. 

  197. 					}
    198. 

  198. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    199. 

  199. 					So(ok, ShouldBeTrue)
    200. 

  200. 				})
    201. 

  201. 

  202. 				Convey("When trying to update dashboard permissions with view user permission should return error", func() {
    203. 

  203. 					p := []*m.DashboardAcl{
    204. 

  204. 						{OrgId: 1, DashboardId: 3, UserId: 1, Permission: m.PERMISSION_VIEW},
    205. 

  205. 					}
    206. 

  206. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    207. 

  207. 					So(err, ShouldEqual, ErrGuardianOverride)
    208. 

  208. 				})
    209. 

  209. 			})
    210. 

  210. 

  211. 			Convey("Given parent folder has team admin permission", func() {
    212. 

  212. 				existingPermissions := []*m.DashboardAclInfoDTO{
    213. 

  213. 					{OrgId: 1, DashboardId: 2, TeamId: 1, Permission: m.PERMISSION_ADMIN},
    214. 

  214. 				}
    215. 

  215. 

  216. 				bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    217. 

  217. 					query.Result = existingPermissions
    218. 

  218. 					return nil
    219. 

  219. 				})
    220. 

  220. 

  221. 				Convey("When trying to update dashboard permissions with admin team permission should return error", func() {
    222. 

  222. 					p := []*m.DashboardAcl{
    223. 

  223. 						{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_ADMIN},
    224. 

  224. 					}
    225. 

  225. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    226. 

  226. 					So(err, ShouldEqual, ErrGuardianOverride)
    227. 

  227. 				})
    228. 

  228. 

  229. 				Convey("When trying to update dashboard permissions with edit team permission should return error", func() {
    230. 

  230. 					p := []*m.DashboardAcl{
    231. 

  231. 						{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_EDIT},
    232. 

  232. 					}
    233. 

  233. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    234. 

  234. 					So(err, ShouldEqual, ErrGuardianOverride)
    235. 

  235. 				})
    236. 

  236. 

  237. 				Convey("When trying to update dashboard permissions with view team permission should return error", func() {
    238. 

  238. 					p := []*m.DashboardAcl{
    239. 

  239. 						{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_VIEW},
    240. 

  240. 					}
    241. 

  241. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    242. 

  242. 					So(err, ShouldEqual, ErrGuardianOverride)
    243. 

  243. 				})
    244. 

  244. 			})
    245. 

  245. 

  246. 			Convey("Given parent folder has team edit permission", func() {
    247. 

  247. 				existingPermissions := []*m.DashboardAclInfoDTO{
    248. 

  248. 					{OrgId: 1, DashboardId: 2, TeamId: 1, Permission: m.PERMISSION_EDIT},
    249. 

  249. 				}
    250. 

  250. 

  251. 				bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    252. 

  252. 					query.Result = existingPermissions
    253. 

  253. 					return nil
    254. 

  254. 				})
    255. 

  255. 

  256. 				Convey("When trying to update dashboard permissions with admin team permission should be allowed", func() {
    257. 

  257. 					p := []*m.DashboardAcl{
    258. 

  258. 						{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_ADMIN},
    259. 

  259. 					}
    260. 

  260. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    261. 

  261. 					So(ok, ShouldBeTrue)
    262. 

  262. 				})
    263. 

  263. 

  264. 				Convey("When trying to update dashboard permissions with edit team permission should return error", func() {
    265. 

  265. 					p := []*m.DashboardAcl{
    266. 

  266. 						{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_EDIT},
    267. 

  267. 					}
    268. 

  268. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    269. 

  269. 					So(err, ShouldEqual, ErrGuardianOverride)
    270. 

  270. 				})
    271. 

  271. 

  272. 				Convey("When trying to update dashboard permissions with view team permission should return error", func() {
    273. 

  273. 					p := []*m.DashboardAcl{
    274. 

  274. 						{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_VIEW},
    275. 

  275. 					}
    276. 

  276. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    277. 

  277. 					So(err, ShouldEqual, ErrGuardianOverride)
    278. 

  278. 				})
    279. 

  279. 			})
    280. 

  280. 

  281. 			Convey("Given parent folder has team view permission", func() {
    282. 

  282. 				existingPermissions := []*m.DashboardAclInfoDTO{
    283. 

  283. 					{OrgId: 1, DashboardId: 2, TeamId: 1, Permission: m.PERMISSION_VIEW},
    284. 

  284. 				}
    285. 

  285. 

  286. 				bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    287. 

  287. 					query.Result = existingPermissions
    288. 

  288. 					return nil
    289. 

  289. 				})
    290. 

  290. 

  291. 				Convey("When trying to update dashboard permissions with admin team permission should be allowed", func() {
    292. 

  292. 					p := []*m.DashboardAcl{
    293. 

  293. 						{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_ADMIN},
    294. 

  294. 					}
    295. 

  295. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    296. 

  296. 					So(ok, ShouldBeTrue)
    297. 

  297. 				})
    298. 

  298. 

  299. 				Convey("When trying to update dashboard permissions with edit team permission should be allowed", func() {
    300. 

  300. 					p := []*m.DashboardAcl{
    301. 

  301. 						{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_EDIT},
    302. 

  302. 					}
    303. 

  303. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    304. 

  304. 					So(ok, ShouldBeTrue)
    305. 

  305. 				})
    306. 

  306. 

  307. 				Convey("When trying to update dashboard permissions with view team permission should return error", func() {
    308. 

  308. 					p := []*m.DashboardAcl{
    309. 

  309. 						{OrgId: 1, DashboardId: 3, TeamId: 1, Permission: m.PERMISSION_VIEW},
    310. 

  310. 					}
    311. 

  311. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    312. 

  312. 					So(err, ShouldEqual, ErrGuardianOverride)
    313. 

  313. 				})
    314. 

  314. 			})
    315. 

  315. 

  316. 			Convey("Given parent folder has editor role with edit permission", func() {
    317. 

  317. 				r := m.ROLE_EDITOR
    318. 

  318. 				existingPermissions := []*m.DashboardAclInfoDTO{
    319. 

  319. 					{OrgId: 1, DashboardId: 2, Role: &r, Permission: m.PERMISSION_EDIT},
    320. 

  320. 				}
    321. 

  321. 

  322. 				bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    323. 

  323. 					query.Result = existingPermissions
    324. 

  324. 					return nil
    325. 

  325. 				})
    326. 

  326. 

  327. 				Convey("When trying to update dashboard permissions with everyone with editor role can admin permission should be allowed", func() {
    328. 

  328. 					p := []*m.DashboardAcl{
    329. 

  329. 						{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_ADMIN},
    330. 

  330. 					}
    331. 

  331. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    332. 

  332. 					So(ok, ShouldBeTrue)
    333. 

  333. 				})
    334. 

  334. 

  335. 				Convey("When trying to update dashboard permissions with everyone with editor role can edit permission should return error", func() {
    336. 

  336. 					p := []*m.DashboardAcl{
    337. 

  337. 						{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_EDIT},
    338. 

  338. 					}
    339. 

  339. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    340. 

  340. 					So(err, ShouldEqual, ErrGuardianOverride)
    341. 

  341. 				})
    342. 

  342. 

  343. 				Convey("When trying to update dashboard permissions with everyone with editor role can view permission should return error", func() {
    344. 

  344. 					p := []*m.DashboardAcl{
    345. 

  345. 						{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_VIEW},
    346. 

  346. 					}
    347. 

  347. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    348. 

  348. 					So(err, ShouldEqual, ErrGuardianOverride)
    349. 

  349. 				})
    350. 

  350. 			})
    351. 

  351. 

  352. 			Convey("Given parent folder has editor role with view permission", func() {
    353. 

  353. 				r := m.ROLE_EDITOR
    354. 

  354. 				existingPermissions := []*m.DashboardAclInfoDTO{
    355. 

  355. 					{OrgId: 1, DashboardId: 2, Role: &r, Permission: m.PERMISSION_VIEW},
    356. 

  356. 				}
    357. 

  357. 

  358. 				bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    359. 

  359. 					query.Result = existingPermissions
    360. 

  360. 					return nil
    361. 

  361. 				})
    362. 

  362. 

  363. 				Convey("When trying to update dashboard permissions with everyone with viewer role can admin permission should be allowed", func() {
    364. 

  364. 					p := []*m.DashboardAcl{
    365. 

  365. 						{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_ADMIN},
    366. 

  366. 					}
    367. 

  367. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    368. 

  368. 					So(ok, ShouldBeTrue)
    369. 

  369. 				})
    370. 

  370. 

  371. 				Convey("When trying to update dashboard permissions with everyone with viewer role can edit permission should be allowed", func() {
    372. 

  372. 					p := []*m.DashboardAcl{
    373. 

  373. 						{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_EDIT},
    374. 

  374. 					}
    375. 

  375. 					ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    376. 

  376. 					So(ok, ShouldBeTrue)
    377. 

  377. 				})
    378. 

  378. 

  379. 				Convey("When trying to update dashboard permissions with everyone with viewer role can view permission should return error", func() {
    380. 

  380. 					p := []*m.DashboardAcl{
    381. 

  381. 						{OrgId: 1, DashboardId: 3, Role: &r, Permission: m.PERMISSION_VIEW},
    382. 

  382. 					}
    383. 

  383. 					_, err := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    384. 

  384. 					So(err, ShouldEqual, ErrGuardianOverride)
    385. 

  385. 				})
    386. 

  386. 			})
    387. 

  387. 		})
    388. 

  388. 

  389. 		orgRoleScenario("Given user has editor org role", m.ROLE_EDITOR, func(sc *scenarioContext) {
    390. 

  390. 			everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
    391. 

  391. 				canAdmin, _ := sc.g.CanAdmin()
    392. 

  392. 				canEdit, _ := sc.g.CanEdit()
    393. 

  393. 				canSave, _ := sc.g.CanSave()
    394. 

  394. 				canView, _ := sc.g.CanView()
    395. 

  395. 				So(canAdmin, ShouldBeTrue)
    396. 

  396. 				So(canEdit, ShouldBeTrue)
    397. 

  397. 				So(canSave, ShouldBeTrue)
    398. 

  398. 				So(canView, ShouldBeTrue)
    399. 

  399. 			})
    400. 

  400. 

  401. 			everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
    402. 

  402. 				canAdmin, _ := sc.g.CanAdmin()
    403. 

  403. 				canEdit, _ := sc.g.CanEdit()
    404. 

  404. 				canSave, _ := sc.g.CanSave()
    405. 

  405. 				canView, _ := sc.g.CanView()
    406. 

  406. 				So(canAdmin, ShouldBeFalse)
    407. 

  407. 				So(canEdit, ShouldBeTrue)
    408. 

  408. 				So(canSave, ShouldBeTrue)
    409. 

  409. 				So(canView, ShouldBeTrue)
    410. 

  410. 			})
    411. 

  411. 

  412. 			everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
    413. 

  413. 				canAdmin, _ := sc.g.CanAdmin()
    414. 

  414. 				canEdit, _ := sc.g.CanEdit()
    415. 

  415. 				canSave, _ := sc.g.CanSave()
    416. 

  416. 				canView, _ := sc.g.CanView()
    417. 

  417. 				So(canAdmin, ShouldBeFalse)
    418. 

  418. 				So(canEdit, ShouldBeFalse)
    419. 

  419. 				So(canSave, ShouldBeFalse)
    420. 

  420. 				So(canView, ShouldBeTrue)
    421. 

  421. 			})
    422. 

  422. 

  423. 			everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
    424. 

  424. 				canAdmin, _ := sc.g.CanAdmin()
    425. 

  425. 				canEdit, _ := sc.g.CanEdit()
    426. 

  426. 				canSave, _ := sc.g.CanSave()
    427. 

  427. 				canView, _ := sc.g.CanView()
    428. 

  428. 				So(canAdmin, ShouldBeFalse)
    429. 

  429. 				So(canEdit, ShouldBeFalse)
    430. 

  430. 				So(canSave, ShouldBeFalse)
    431. 

  431. 				So(canView, ShouldBeFalse)
    432. 

  432. 			})
    433. 

  433. 

  434. 			everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
    435. 

  435. 				canAdmin, _ := sc.g.CanAdmin()
    436. 

  436. 				canEdit, _ := sc.g.CanEdit()
    437. 

  437. 				canSave, _ := sc.g.CanSave()
    438. 

  438. 				canView, _ := sc.g.CanView()
    439. 

  439. 				So(canAdmin, ShouldBeFalse)
    440. 

  440. 				So(canEdit, ShouldBeFalse)
    441. 

  441. 				So(canSave, ShouldBeFalse)
    442. 

  442. 				So(canView, ShouldBeFalse)
    443. 

  443. 			})
    444. 

  444. 

  445. 			everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
    446. 

  446. 				canAdmin, _ := sc.g.CanAdmin()
    447. 

  447. 				canEdit, _ := sc.g.CanEdit()
    448. 

  448. 				canSave, _ := sc.g.CanSave()
    449. 

  449. 				canView, _ := sc.g.CanView()
    450. 

  450. 				So(canAdmin, ShouldBeFalse)
    451. 

  451. 				So(canEdit, ShouldBeFalse)
    452. 

  452. 				So(canSave, ShouldBeFalse)
    453. 

  453. 				So(canView, ShouldBeFalse)
    454. 

  454. 			})
    455. 

  455. 

  456. 			userWithPermissionScenario(m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
    457. 

  457. 				canAdmin, _ := sc.g.CanAdmin()
    458. 

  458. 				canEdit, _ := sc.g.CanEdit()
    459. 

  459. 				canSave, _ := sc.g.CanSave()
    460. 

  460. 				canView, _ := sc.g.CanView()
    461. 

  461. 				So(canAdmin, ShouldBeTrue)
    462. 

  462. 				So(canEdit, ShouldBeTrue)
    463. 

  463. 				So(canSave, ShouldBeTrue)
    464. 

  464. 				So(canView, ShouldBeTrue)
    465. 

  465. 			})
    466. 

  466. 

  467. 			userWithPermissionScenario(m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
    468. 

  468. 				canAdmin, _ := sc.g.CanAdmin()
    469. 

  469. 				canEdit, _ := sc.g.CanEdit()
    470. 

  470. 				canSave, _ := sc.g.CanSave()
    471. 

  471. 				canView, _ := sc.g.CanView()
    472. 

  472. 				So(canAdmin, ShouldBeFalse)
    473. 

  473. 				So(canEdit, ShouldBeTrue)
    474. 

  474. 				So(canSave, ShouldBeTrue)
    475. 

  475. 				So(canView, ShouldBeTrue)
    476. 

  476. 			})
    477. 

  477. 

  478. 			userWithPermissionScenario(m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
    479. 

  479. 				canAdmin, _ := sc.g.CanAdmin()
    480. 

  480. 				canEdit, _ := sc.g.CanEdit()
    481. 

  481. 				canSave, _ := sc.g.CanSave()
    482. 

  482. 				canView, _ := sc.g.CanView()
    483. 

  483. 				So(canAdmin, ShouldBeFalse)
    484. 

  484. 				So(canEdit, ShouldBeFalse)
    485. 

  485. 				So(canSave, ShouldBeFalse)
    486. 

  486. 				So(canView, ShouldBeTrue)
    487. 

  487. 			})
    488. 

  488. 

  489. 			teamWithPermissionScenario(m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
    490. 

  490. 				canAdmin, _ := sc.g.CanAdmin()
    491. 

  491. 				canEdit, _ := sc.g.CanEdit()
    492. 

  492. 				canSave, _ := sc.g.CanSave()
    493. 

  493. 				canView, _ := sc.g.CanView()
    494. 

  494. 				So(canAdmin, ShouldBeTrue)
    495. 

  495. 				So(canEdit, ShouldBeTrue)
    496. 

  496. 				So(canSave, ShouldBeTrue)
    497. 

  497. 				So(canView, ShouldBeTrue)
    498. 

  498. 			})
    499. 

  499. 

  500. 			teamWithPermissionScenario(m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
    501. 

  501. 				canAdmin, _ := sc.g.CanAdmin()
    502. 

  502. 				canEdit, _ := sc.g.CanEdit()
    503. 

  503. 				canSave, _ := sc.g.CanSave()
    504. 

  504. 				canView, _ := sc.g.CanView()
    505. 

  505. 				So(canAdmin, ShouldBeFalse)
    506. 

  506. 				So(canEdit, ShouldBeTrue)
    507. 

  507. 				So(canSave, ShouldBeTrue)
    508. 

  508. 				So(canView, ShouldBeTrue)
    509. 

  509. 			})
    510. 

  510. 

  511. 			teamWithPermissionScenario(m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
    512. 

  512. 				canAdmin, _ := sc.g.CanAdmin()
    513. 

  513. 				canEdit, _ := sc.g.CanEdit()
    514. 

  514. 				canSave, _ := sc.g.CanSave()
    515. 

  515. 				canView, _ := sc.g.CanView()
    516. 

  516. 				So(canAdmin, ShouldBeFalse)
    517. 

  517. 				So(canEdit, ShouldBeFalse)
    518. 

  518. 				So(canSave, ShouldBeFalse)
    519. 

  519. 				So(canView, ShouldBeTrue)
    520. 

  520. 			})
    521. 

  521. 

  522. 			Convey("When trying to update permissions should return false", func() {
    523. 

  523. 				p := []*m.DashboardAcl{
    524. 

  524. 					{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_VIEW},
    525. 

  525. 					{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_ADMIN},
    526. 

  526. 				}
    527. 

  527. 				ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    528. 

  528. 				So(ok, ShouldBeFalse)
    529. 

  529. 			})
    530. 

  530. 		})
    531. 

  531. 

  532. 		orgRoleScenario("Given user has viewer org role", m.ROLE_VIEWER, func(sc *scenarioContext) {
    533. 

  533. 			everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
    534. 

  534. 				canAdmin, _ := sc.g.CanAdmin()
    535. 

  535. 				canEdit, _ := sc.g.CanEdit()
    536. 

  536. 				canSave, _ := sc.g.CanSave()
    537. 

  537. 				canView, _ := sc.g.CanView()
    538. 

  538. 				So(canAdmin, ShouldBeFalse)
    539. 

  539. 				So(canEdit, ShouldBeFalse)
    540. 

  540. 				So(canSave, ShouldBeFalse)
    541. 

  541. 				So(canView, ShouldBeFalse)
    542. 

  542. 			})
    543. 

  543. 

  544. 			everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
    545. 

  545. 				canAdmin, _ := sc.g.CanAdmin()
    546. 

  546. 				canEdit, _ := sc.g.CanEdit()
    547. 

  547. 				canSave, _ := sc.g.CanSave()
    548. 

  548. 				canView, _ := sc.g.CanView()
    549. 

  549. 				So(canAdmin, ShouldBeFalse)
    550. 

  550. 				So(canEdit, ShouldBeFalse)
    551. 

  551. 				So(canSave, ShouldBeFalse)
    552. 

  552. 				So(canView, ShouldBeFalse)
    553. 

  553. 			})
    554. 

  554. 

  555. 			everyoneWithRoleScenario(m.ROLE_EDITOR, m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
    556. 

  556. 				canAdmin, _ := sc.g.CanAdmin()
    557. 

  557. 				canEdit, _ := sc.g.CanEdit()
    558. 

  558. 				canSave, _ := sc.g.CanSave()
    559. 

  559. 				canView, _ := sc.g.CanView()
    560. 

  560. 				So(canAdmin, ShouldBeFalse)
    561. 

  561. 				So(canEdit, ShouldBeFalse)
    562. 

  562. 				So(canSave, ShouldBeFalse)
    563. 

  563. 				So(canView, ShouldBeFalse)
    564. 

  564. 			})
    565. 

  565. 

  566. 			everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
    567. 

  567. 				canAdmin, _ := sc.g.CanAdmin()
    568. 

  568. 				canEdit, _ := sc.g.CanEdit()
    569. 

  569. 				canSave, _ := sc.g.CanSave()
    570. 

  570. 				canView, _ := sc.g.CanView()
    571. 

  571. 				So(canAdmin, ShouldBeTrue)
    572. 

  572. 				So(canEdit, ShouldBeTrue)
    573. 

  573. 				So(canSave, ShouldBeTrue)
    574. 

  574. 				So(canView, ShouldBeTrue)
    575. 

  575. 			})
    576. 

  576. 

  577. 			everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
    578. 

  578. 				canAdmin, _ := sc.g.CanAdmin()
    579. 

  579. 				canEdit, _ := sc.g.CanEdit()
    580. 

  580. 				canSave, _ := sc.g.CanSave()
    581. 

  581. 				canView, _ := sc.g.CanView()
    582. 

  582. 				So(canAdmin, ShouldBeFalse)
    583. 

  583. 				So(canEdit, ShouldBeTrue)
    584. 

  584. 				So(canSave, ShouldBeTrue)
    585. 

  585. 				So(canView, ShouldBeTrue)
    586. 

  586. 			})
    587. 

  587. 

  588. 			everyoneWithRoleScenario(m.ROLE_VIEWER, m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
    589. 

  589. 				canAdmin, _ := sc.g.CanAdmin()
    590. 

  590. 				canEdit, _ := sc.g.CanEdit()
    591. 

  591. 				canSave, _ := sc.g.CanSave()
    592. 

  592. 				canView, _ := sc.g.CanView()
    593. 

  593. 				So(canAdmin, ShouldBeFalse)
    594. 

  594. 				So(canEdit, ShouldBeFalse)
    595. 

  595. 				So(canSave, ShouldBeFalse)
    596. 

  596. 				So(canView, ShouldBeTrue)
    597. 

  597. 			})
    598. 

  598. 

  599. 			userWithPermissionScenario(m.PERMISSION_ADMIN, sc, func(sc *scenarioContext) {
    600. 

  600. 				canAdmin, _ := sc.g.CanAdmin()
    601. 

  601. 				canEdit, _ := sc.g.CanEdit()
    602. 

  602. 				canSave, _ := sc.g.CanSave()
    603. 

  603. 				canView, _ := sc.g.CanView()
    604. 

  604. 				So(canAdmin, ShouldBeTrue)
    605. 

  605. 				So(canEdit, ShouldBeTrue)
    606. 

  606. 				So(canSave, ShouldBeTrue)
    607. 

  607. 				So(canView, ShouldBeTrue)
    608. 

  608. 			})
    609. 

  609. 

  610. 			userWithPermissionScenario(m.PERMISSION_EDIT, sc, func(sc *scenarioContext) {
    611. 

  611. 				canAdmin, _ := sc.g.CanAdmin()
    612. 

  612. 				canEdit, _ := sc.g.CanEdit()
    613. 

  613. 				canSave, _ := sc.g.CanSave()
    614. 

  614. 				canView, _ := sc.g.CanView()
    615. 

  615. 				So(canAdmin, ShouldBeFalse)
    616. 

  616. 				So(canEdit, ShouldBeTrue)
    617. 

  617. 				So(canSave, ShouldBeTrue)
    618. 

  618. 				So(canView, ShouldBeTrue)
    619. 

  619. 			})
    620. 

  620. 

  621. 			userWithPermissionScenario(m.PERMISSION_VIEW, sc, func(sc *scenarioContext) {
    622. 

  622. 				canAdmin, _ := sc.g.CanAdmin()
    623. 

  623. 				canEdit, _ := sc.g.CanEdit()
    624. 

  624. 				canSave, _ := sc.g.CanSave()
    625. 

  625. 				canView, _ := sc.g.CanView()
    626. 

  626. 				So(canAdmin, ShouldBeFalse)
    627. 

  627. 				So(canEdit, ShouldBeFalse)
    628. 

  628. 				So(canSave, ShouldBeFalse)
    629. 

  629. 				So(canView, ShouldBeTrue)
    630. 

  630. 			})
    631. 

  631. 

  632. 			Convey("When trying to update permissions should return false", func() {
    633. 

  633. 				p := []*m.DashboardAcl{
    634. 

  634. 					{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_VIEW},
    635. 

  635. 					{OrgId: 1, DashboardId: 1, UserId: 1, Permission: m.PERMISSION_ADMIN},
    636. 

  636. 				}
    637. 

  637. 				ok, _ := sc.g.CheckPermissionBeforeUpdate(m.PERMISSION_ADMIN, p)
    638. 

  638. 				So(ok, ShouldBeFalse)
    639. 

  639. 			})
    640. 

  640. 		})
    641. 

  641. 	})
    642. 

  642. }
    643. 

  643. 

  644. type scenarioContext struct {
    645. 

  645. 	g DashboardGuardian
    646. 

  646. }
    647. 

  647. 

  648. type scenarioFunc func(c *scenarioContext)
    649. 

  649. 

  650. func orgRoleScenario(desc string, role m.RoleType, fn scenarioFunc) {
    651. 

  651. 	user := &m.SignedInUser{
    652. 

  652. 		UserId:  1,
    653. 

  653. 		OrgId:   1,
    654. 

  654. 		OrgRole: role,
    655. 

  655. 	}
    656. 

  656. 	guard := New(1, 1, user)
    657. 

  657. 	sc := &scenarioContext{
    658. 

  658. 		g: guard,
    659. 

  659. 	}
    660. 

  660. 

  661. 	Convey(desc, func() {
    662. 

  662. 		fn(sc)
    663. 

  663. 	})
    664. 

  664. }
    665. 

  665. 

  666. func permissionScenario(desc string, sc *scenarioContext, permissions []*m.DashboardAclInfoDTO, fn scenarioFunc) {
    667. 

  667. 	bus.ClearBusHandlers()
    668. 

  668. 

  669. 	bus.AddHandler("test", func(query *m.GetDashboardAclInfoListQuery) error {
    670. 

  670. 		query.Result = permissions
    671. 

  671. 		return nil
    672. 

  672. 	})
    673. 

  673. 

  674. 	teams := []*m.Team{}
    675. 

  675. 

  676. 	for _, p := range permissions {
    677. 

  677. 		if p.TeamId > 0 {
    678. 

  678. 			teams = append(teams, &m.Team{Id: p.TeamId})
    679. 

  679. 		}
    680. 

  680. 	}
    681. 

  681. 

  682. 	bus.AddHandler("test", func(query *m.GetTeamsByUserQuery) error {
    683. 

  683. 		query.Result = teams
    684. 

  684. 		return nil
    685. 

  685. 	})
    686. 

  686. 

  687. 	Convey(desc, func() {
    688. 

  688. 		fn(sc)
    689. 

  689. 	})
    690. 

  690. }
    691. 

  691. 

  692. func userWithPermissionScenario(permission m.PermissionType, sc *scenarioContext, fn scenarioFunc) {
    693. 

  693. 	p := []*m.DashboardAclInfoDTO{
    694. 

  694. 		{OrgId: 1, DashboardId: 1, UserId: 1, Permission: permission},
    695. 

  695. 	}
    696. 

  696. 	permissionScenario(fmt.Sprintf("and user has permission to %s item", permission), sc, p, fn)
    697. 

  697. }
    698. 

  698. 

  699. func teamWithPermissionScenario(permission m.PermissionType, sc *scenarioContext, fn scenarioFunc) {
    700. 

  700. 	p := []*m.DashboardAclInfoDTO{
    701. 

  701. 		{OrgId: 1, DashboardId: 1, TeamId: 1, Permission: permission},
    702. 

  702. 	}
    703. 

  703. 	permissionScenario(fmt.Sprintf("and team has permission to %s item", permission), sc, p, fn)
    704. 

  704. }
    705. 

  705. 

  706. func everyoneWithRoleScenario(role m.RoleType, permission m.PermissionType, sc *scenarioContext, fn scenarioFunc) {
    707. 

  707. 	p := []*m.DashboardAclInfoDTO{
    708. 

  708. 		{OrgId: 1, DashboardId: 1, UserId: -1, Role: &role, Permission: permission},
    709. 

  709. 	}
    710. 

  710. 	permissionScenario(fmt.Sprintf("and everyone with %s role can %s item", role, permission), sc, p, fn)
    711. 

  711. }
    712.