Team: Create permission type for team membership (grafana#92352)

* Create permission type enum for team and remove usage of dashboard permission type

Author: kalleep

pkg/api/folder_bench_test.go

@@ -31,7 +31,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
 	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
 	"github.com/grafana/grafana/pkg/services/dashboards"
-	"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
 	"github.com/grafana/grafana/pkg/services/dashboards/database"
 	dashboardservice "github.com/grafana/grafana/pkg/services/dashboards/service"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
@@ -261,7 +260,7 @@ func setupDB(b testing.TB) benchScenario {
 				UserID:     userID,
 				TeamID:     teamID,
 				OrgID:      orgID,
-				Permission: dashboardaccess.PERMISSION_VIEW,
+				Permission: team.PermissionTypeMember,
 				Created:    now,
 				Updated:    now,
 			})

pkg/services/accesscontrol/database/database_test.go

@@ -17,7 +17,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/accesscontrol/database"
 	rs "github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
-	"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/org/orgimpl"
@@ -403,15 +402,15 @@ func createUserAndTeam(t *testing.T, store db.DB, userSrv user.Service, teamSvc
 	})
 	require.NoError(t, err)
 
-	team, err := teamSvc.CreateTeam(context.Background(), "team", "", orgID)
+	createdTeam, err := teamSvc.CreateTeam(context.Background(), "team", "", orgID)
 	require.NoError(t, err)
 
 	err = store.WithDbSession(context.Background(), func(sess *db.Session) error {
-		return teamimpl.AddOrUpdateTeamMemberHook(sess, user.ID, orgID, team.ID, false, dashboardaccess.PERMISSION_VIEW)
+		return teamimpl.AddOrUpdateTeamMemberHook(sess, user.ID, orgID, createdTeam.ID, false, team.PermissionTypeMember)
 	})
 	require.NoError(t, err)
 
-	return user, team
+	return user, createdTeam
 }
 
 type helperServices struct {
@@ -453,19 +452,19 @@ func createUsersAndTeams(t *testing.T, store db.DB, svcs helperServices, orgID i
 			continue
 		}
 
-		team, err := svcs.teamSvc.CreateTeam(context.Background(), fmt.Sprintf("team%v", i+1), "", orgID)
+		createdTeam, err := svcs.teamSvc.CreateTeam(context.Background(), fmt.Sprintf("team%v", i+1), "", orgID)
 		require.NoError(t, err)
 
 		err = store.WithDbSession(context.Background(), func(sess *db.Session) error {
-			return teamimpl.AddOrUpdateTeamMemberHook(sess, user.ID, orgID, team.ID, false, dashboardaccess.PERMISSION_VIEW)
+			return teamimpl.AddOrUpdateTeamMemberHook(sess, user.ID, orgID, createdTeam.ID, false, team.PermissionTypeMember)
 		})
 		require.NoError(t, err)
 
 		err = svcs.orgSvc.UpdateOrgUser(context.Background(),
 			&org.UpdateOrgUserCommand{Role: users[i].orgRole, OrgID: orgID, UserID: user.ID})
 		require.NoError(t, err)
 
-		res = append(res, dbUser{userID: user.ID, teamID: team.ID})
+		res = append(res, dbUser{userID: user.ID, teamID: createdTeam.ID})
 	}
 
 	return res

pkg/services/accesscontrol/ossaccesscontrol/team.go

@@ -9,7 +9,6 @@ import (
 	"github.com/grafana/grafana/pkg/infra/db"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
-	"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/licensing"
 	"github.com/grafana/grafana/pkg/services/team"
@@ -83,9 +82,9 @@ func ProvideTeamPermissions(
 			}
 			switch permission {
 			case "Member":
-				return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, 0)
+				return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, team.PermissionTypeMember)
 			case "Admin":
-				return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, dashboardaccess.PERMISSION_ADMIN)
+				return teamimpl.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, team.PermissionTypeAdmin)
 			case "":
 				return teamimpl.RemoveTeamMemberHook(session, &team.RemoveTeamMemberCommand{
 					OrgID:  orgID,

pkg/services/sqlstore/migrations/accesscontrol/team_membership.go

@@ -8,7 +8,6 @@ import (
 	"xorm.io/xorm"
 
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
-	"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
 	"github.com/grafana/grafana/pkg/services/team"
@@ -64,12 +63,12 @@ func (p *teamPermissionMigrator) setRolePermissions(roleID int64, permissions []
 }
 
 // mapPermissionToRBAC translates the legacy membership (Member or Admin) into RBAC permissions
-func (p *teamPermissionMigrator) mapPermissionToRBAC(permission dashboardaccess.PermissionType, teamID int64) []accesscontrol.Permission {
+func (p *teamPermissionMigrator) mapPermissionToRBAC(permission team.PermissionType, teamID int64) []accesscontrol.Permission {
 	teamIDScope := accesscontrol.Scope("teams", "id", strconv.FormatInt(teamID, 10))
 	switch permission {
-	case 0:
+	case team.PermissionTypeMember:
 		return []accesscontrol.Permission{{Action: "teams:read", Scope: teamIDScope}}
-	case dashboardaccess.PERMISSION_ADMIN:
+	case team.PermissionTypeAdmin:
 		return []accesscontrol.Permission{
 			{Action: "teams:delete", Scope: teamIDScope},
 			{Action: "teams:read", Scope: teamIDScope},
@@ -210,7 +209,7 @@ func (p *teamPermissionMigrator) generateAssociatedPermissions(teamMemberships [
 		// Downgrade team permissions if needed:
 		// only admins or editors (when editorsCanAdmin option is enabled)
 		// can access team administration endpoints
-		if m.Permission == dashboardaccess.PERMISSION_ADMIN {
+		if m.Permission == team.PermissionTypeAdmin {
 			if userRolesByOrg[m.OrgID][m.UserID] == string(org.RoleViewer) || (userRolesByOrg[m.OrgID][m.UserID] == string(org.RoleEditor) && !p.editorsCanAdmin) {
 				m.Permission = 0
 

pkg/services/sqlstore/migrations/accesscontrol/test/ac_test.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
-	"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/sqlstore/migrations"
@@ -328,7 +327,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
 			TeamID:     1,
 			UserID:     1,
 			External:   false,
-			Permission: 0,
+			Permission: team.PermissionTypeMember,
 			Created:    now,
 			Updated:    now,
 		},
@@ -338,7 +337,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
 			TeamID:     1,
 			UserID:     2,
 			External:   false,
-			Permission: dashboardaccess.PERMISSION_ADMIN,
+			Permission: team.PermissionTypeAdmin,
 			Created:    now,
 			Updated:    now,
 		},
@@ -348,7 +347,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
 			TeamID:     1,
 			UserID:     3,
 			External:   false,
-			Permission: dashboardaccess.PERMISSION_ADMIN,
+			Permission: team.PermissionTypeAdmin,
 			Created:    now,
 			Updated:    now,
 		},
@@ -358,7 +357,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
 			TeamID:     1,
 			UserID:     4,
 			External:   false,
-			Permission: dashboardaccess.PERMISSION_ADMIN,
+			Permission: team.PermissionTypeAdmin,
 			Created:    now,
 			Updated:    now,
 		},
@@ -368,7 +367,7 @@ func setupTeams(t *testing.T, x *xorm.Engine) {
 			TeamID:     2,
 			UserID:     5,
 			External:   false,
-			Permission: 0,
+			Permission: team.PermissionTypeMember,
 			Created:    now,
 			Updated:    now,
 		},

pkg/services/team/model.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
-	"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
 	"github.com/grafana/grafana/pkg/services/search/model"
 )
 
@@ -21,9 +20,6 @@ var (
 	ErrTeamMemberAlreadyAdded = errors.New("user is already added to this team")
 )
 
-const MemberPermissionName = "Member"
-const AdminPermissionName = "Admin"
-
 // Team model
 type Team struct {
 	ID    int64  `json:"id" xorm:"pk autoincr 'id'"`
@@ -91,15 +87,29 @@ type SearchTeamsQuery struct {
 }
 
 type TeamDTO struct {
-	ID            int64                          `json:"id" xorm:"id"`
-	UID           string                         `json:"uid" xorm:"uid"`
-	OrgID         int64                          `json:"orgId" xorm:"org_id"`
-	Name          string                         `json:"name"`
-	Email         string                         `json:"email"`
-	AvatarURL     string                         `json:"avatarUrl"`
-	MemberCount   int64                          `json:"memberCount"`
-	Permission    dashboardaccess.PermissionType `json:"permission"`
-	AccessControl map[string]bool                `json:"accessControl"`
+	ID            int64           `json:"id" xorm:"id"`
+	UID           string          `json:"uid" xorm:"uid"`
+	OrgID         int64           `json:"orgId" xorm:"org_id"`
+	Name          string          `json:"name"`
+	Email         string          `json:"email"`
+	AvatarURL     string          `json:"avatarUrl"`
+	MemberCount   int64           `json:"memberCount"`
+	Permission    PermissionType  `json:"permission"`
+	AccessControl map[string]bool `json:"accessControl"`
+}
+
+type PermissionType int
+
+const (
+	PermissionTypeMember PermissionType = 0
+	PermissionTypeAdmin  PermissionType = 4
+)
+
+func (p PermissionType) String() string {
+	if p == PermissionTypeAdmin {
+		return "Admin"
+	}
+	return "Member"
 }
 
 type SearchTeamQueryResult struct {
@@ -116,7 +126,7 @@ type TeamMember struct {
 	TeamID     int64 `xorm:"team_id"`
 	UserID     int64 `xorm:"user_id"`
 	External   bool  // Signals that the membership has been created by an external systems, such as LDAP
-	Permission dashboardaccess.PermissionType
+	Permission PermissionType
 
 	Created time.Time
 	Updated time.Time
@@ -126,12 +136,12 @@ type TeamMember struct {
 // COMMANDS
 
 type AddTeamMemberCommand struct {
-	UserID     int64                          `json:"userId" binding:"Required"`
-	Permission dashboardaccess.PermissionType `json:"-"`
+	UserID     int64          `json:"userId" binding:"Required"`
+	Permission PermissionType `json:"-"`
 }
 
 type UpdateTeamMemberCommand struct {
-	Permission dashboardaccess.PermissionType `json:"permission"`
+	Permission PermissionType `json:"permission"`
 }
 
 type SetTeamMembershipsCommand struct {
@@ -161,16 +171,16 @@ type GetTeamMembersQuery struct {
 // Projections and DTOs
 
 type TeamMemberDTO struct {
-	OrgID      int64                          `json:"orgId" xorm:"org_id"`
-	TeamID     int64                          `json:"teamId" xorm:"team_id"`
-	TeamUID    string                         `json:"teamUID" xorm:"uid"`
-	UserID     int64                          `json:"userId" xorm:"user_id"`
-	External   bool                           `json:"-"`
-	AuthModule string                         `json:"auth_module"`
-	Email      string                         `json:"email"`
-	Name       string                         `json:"name"`
-	Login      string                         `json:"login"`
-	AvatarURL  string                         `json:"avatarUrl" xorm:"avatar_url"`
-	Labels     []string                       `json:"labels"`
-	Permission dashboardaccess.PermissionType `json:"permission"`
+	OrgID      int64          `json:"orgId" xorm:"org_id"`
+	TeamID     int64          `json:"teamId" xorm:"team_id"`
+	TeamUID    string         `json:"teamUID" xorm:"uid"`
+	UserID     int64          `json:"userId" xorm:"user_id"`
+	External   bool           `json:"-"`
+	AuthModule string         `json:"auth_module"`
+	Email      string         `json:"email"`
+	Name       string         `json:"name"`
+	Login      string         `json:"login"`
+	AvatarURL  string         `json:"avatarUrl" xorm:"avatar_url"`
+	Labels     []string       `json:"labels"`
+	Permission PermissionType `json:"permission"`
 }

pkg/services/team/teamapi/team_members.go

@@ -12,7 +12,6 @@ import (
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
-	"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
 	"github.com/grafana/grafana/pkg/services/login"
 	"github.com/grafana/grafana/pkg/services/team"
 	"github.com/grafana/grafana/pkg/services/user"
@@ -92,7 +91,10 @@ func (tapi *TeamAPI) addTeamMember(c *contextmodel.ReqContext) response.Response
 		return response.Error(http.StatusBadRequest, "User is already added to this team", nil)
 	}
 
-	err = addOrUpdateTeamMember(c.Req.Context(), tapi.teamPermissionsService, cmd.UserID, c.SignedInUser.GetOrgID(), teamID, team.MemberPermissionName)
+	err = addOrUpdateTeamMember(
+		c.Req.Context(), tapi.teamPermissionsService,
+		cmd.UserID, c.SignedInUser.GetOrgID(), teamID, team.PermissionTypeMember.String(),
+	)
 	if err != nil {
 		return response.Error(http.StatusInternalServerError, "Failed to add Member to Team", err)
 	}
@@ -135,7 +137,7 @@ func (tapi *TeamAPI) updateTeamMember(c *contextmodel.ReqContext) response.Respo
 		return response.Error(http.StatusNotFound, "Team member not found.", nil)
 	}
 
-	err = addOrUpdateTeamMember(c.Req.Context(), tapi.teamPermissionsService, userId, orgId, teamId, getPermissionName(cmd.Permission))
+	err = addOrUpdateTeamMember(c.Req.Context(), tapi.teamPermissionsService, userId, orgId, teamId, cmd.Permission.String())
 	if err != nil {
 		return response.Error(http.StatusInternalServerError, "Failed to update team member.", err)
 	}
@@ -202,13 +204,13 @@ func (tapi *TeamAPI) getTeamMembershipUpdates(ctx context.Context, orgID, teamID
 	membersToRemove := make([]int64, 0)
 	for _, member := range currentMemberships {
 		if _, ok := adminEmails[member.Email]; ok {
-			if getPermissionName(member.Permission) == team.AdminPermissionName {
+			if member.Permission == team.PermissionTypeAdmin {
 				delete(adminEmails, member.Email)
 			}
 			continue
 		}
 		if _, ok := memberEmails[member.Email]; ok {
-			if getPermissionName(member.Permission) == team.MemberPermissionName {
+			if member.Permission == team.PermissionTypeMember {
 				delete(memberEmails, member.Email)
 			}
 			continue
@@ -227,10 +229,10 @@ func (tapi *TeamAPI) getTeamMembershipUpdates(ctx context.Context, orgID, teamID
 
 	teamMemberships := make([]accesscontrol.SetResourcePermissionCommand, 0, len(adminIDs)+len(memberIDs)+len(membersToRemove))
 	for _, admin := range adminIDs {
-		teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: team.AdminPermissionName, UserID: admin})
+		teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: team.PermissionTypeAdmin.String(), UserID: admin})
 	}
 	for _, member := range memberIDs {
-		teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: team.MemberPermissionName, UserID: member})
+		teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: team.PermissionTypeMember.String(), UserID: member})
 	}
 	for _, member := range membersToRemove {
 		teamMemberships = append(teamMemberships, accesscontrol.SetResourcePermissionCommand{Permission: "", UserID: member})
@@ -252,16 +254,6 @@ func (tapi *TeamAPI) getUserIDs(ctx context.Context, emails map[string]struct{})
 	return userIDs, nil
 }
 
-func getPermissionName(permission dashboardaccess.PermissionType) string {
-	permissionName := permission.String()
-	// Team member permission is 0, which maps to an empty string.
-	// However, we want the team permission service to display "Member" for team members. This is a hack to make it work.
-	if permissionName == "" {
-		permissionName = team.MemberPermissionName
-	}
-	return permissionName
-}
-
 // swagger:route DELETE /teams/{team_id}/members/{user_id} teams removeTeamMember
 //
 // Remove Member From Team.