LibraryPanels: Adds permissions to getAllHandler (grafana#31416)

* LibraryPanels: Adds permissions to getAllHandler * Chore: adds a test to verify the permissions * Chore: tests refactor
clear-street · Feb 24, 2021 · 466462d · 466462d
1 parent f3a7cb4
commit 466462d
Show file tree

Hide file tree

Showing 7 changed files with 412 additions and 574 deletions.
diff --git a/pkg/services/librarypanels/api.go b/pkg/services/librarypanels/api.go
@@ -97,7 +97,7 @@ func (lps *LibraryPanelService) getHandler(c *models.ReqContext) response.Respon
 
 // getAllHandler handles GET /api/library-panels/.
 func (lps *LibraryPanelService) getAllHandler(c *models.ReqContext) response.Response {
-	libraryPanels, err := lps.getAllLibraryPanels(c)
+	libraryPanels, err := lps.getAllLibraryPanels(c, c.QueryInt64("limit"))
 	if err != nil {
 		return response.Error(500, "Failed to get library panels", err)
 	}

diff --git a/pkg/services/librarypanels/database.go b/pkg/services/librarypanels/database.go
@@ -14,7 +14,8 @@ import (
 
 var (
 	sqlStatmentLibrayPanelDTOWithMeta = `
-SELECT lp.id, lp.org_id, lp.folder_id, lp.uid, lp.name, lp.model, lp.created, lp.created_by, lp.updated, lp.updated_by
+SELECT DISTINCT
+	lp.id, lp.org_id, lp.folder_id, lp.uid, lp.name, lp.model, lp.created, lp.created_by, lp.updated, lp.updated_by
 	, 0 AS can_edit
 	, u1.login AS created_by_name
 	, u1.email AS created_by_email
@@ -275,14 +276,21 @@ func (lps *LibraryPanelService) getLibraryPanel(c *models.ReqContext, uid string
 }
 
 // getAllLibraryPanels gets all library panels.
-func (lps *LibraryPanelService) getAllLibraryPanels(c *models.ReqContext) ([]LibraryPanelDTO, error) {
-	orgID := c.SignedInUser.OrgId
+func (lps *LibraryPanelService) getAllLibraryPanels(c *models.ReqContext, limit int64) ([]LibraryPanelDTO, error) {
 	libraryPanels := make([]LibraryPanelWithMeta, 0)
 	err := lps.SQLStore.WithDbSession(c.Context.Req.Context(), func(session *sqlstore.DBSession) error {
-		sql := sqlStatmentLibrayPanelDTOWithMeta + "WHERE lp.org_id=?"
-		sess := session.SQL(sql, orgID)
-		err := sess.Find(&libraryPanels)
-		if err != nil {
+		builder := sqlstore.SQLBuilder{}
+		builder.Write(sqlStatmentLibrayPanelDTOWithMeta)
+		builder.Write(" LEFT JOIN dashboard AS dashboard on lp.folder_id = dashboard.id")
+		builder.Write(` WHERE lp.org_id = ?`, c.SignedInUser.OrgId)
+		if c.SignedInUser.OrgRole != models.ROLE_ADMIN {
+			builder.WriteDashboardPermissionFilter(c.SignedInUser, models.PERMISSION_VIEW)
+		}
+		if limit == 0 {
+			limit = 1000
+		}
+		builder.Write(lps.SQLStore.Dialect.Limit(limit))
+		if err := session.SQL(builder.GetSQLString(), builder.GetParams()...).Find(&libraryPanels); err != nil {
 			return err
 		}