
Commit 2cfdde7

Add dynamic access model assignment
1 parent 0c824dc commit 2cfdde7

28 files changed

+367
-344
lines changed

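--- a/engine/apps/api/permissions.py
+++ b/engine/apps/api/permissions.py
@@ -261,13 +261,7 @@ class Permissions:
 )
 
 NOTIFICATIONS_READ = LegacyAccessControlCompatiblePermission(
-Resources.NOTIFICATIONS,
-Actions.READ,
-(
-LegacyAccessControlRole.VIEWER
-if settings.FEATURE_ALLOW_VIEWERS_ON_CALL
-else LegacyAccessControlRole.EDITOR
-),
+Resources.NOTIFICATIONS, Actions.READ, LegacyAccessControlRole.EDITOR
 )
 
 NOTIFICATION_SETTINGS_READ = LegacyAccessControlCompatiblePermission(
@@ -305,6 +299,29 @@ class Permissions:
 Resources.LABEL, Actions.WRITE, LegacyAccessControlRole.EDITOR, prefix=PluginID.LABELS
 )
 
+class ViewerOnCallPermissions(Permissions):
+"""
+This class is used to define permissions for the "Viewer on Call" role. This role is used in the context of
+the "Viewer on Call" feature flag.
+The role is a subset of the "Viewer" role, and is used to define permissions for users who
+are allowed be OnCall having only READ role in grafana.
+"""
+
+ALERT_GROUPS_WRITE = LegacyAccessControlCompatiblePermission(
+Resources.ALERT_GROUPS, Actions.WRITE, LegacyAccessControlRole.VIEWER
+)
+ALERT_GROUPS_DIRECT_PAGING = LegacyAccessControlCompatiblePermission(
+Resources.ALERT_GROUPS, Actions.DIRECT_PAGING, LegacyAccessControlRole.VIEWER
+)
+SCHEDULES_WRITE = LegacyAccessControlCompatiblePermission(
+Resources.SCHEDULES, Actions.WRITE, LegacyAccessControlRole.VIEWER
+)
+NOTIFICATIONS_READ = LegacyAccessControlCompatiblePermission(
+Resources.NOTIFICATIONS, Actions.READ, LegacyAccessControlRole.VIEWER
+)
+
+permissions: Permissions = Permissions if not settings.FEATURE_ALLOW_VIEWERS_ON_CALL else ViewerOnCallPermissions
+
 # mypy complains about "Liskov substitution principle" here because request is `AuthenticatedRequest` object
 # and not rest_framework.request.Request
 # https://mypy.readthedocs.io/en/stable/common_issues.html#incompatible-overrides
@@ -356,9 +373,9 @@ def has_object_permission(self, request: AuthenticatedRequest, view: ViewSetOrAP
 return True
 
 
-ALL_PERMISSION_NAMES = [perm for perm in dir(RBACPermission.Permissions) if not perm.startswith("_")]
+ALL_PERMISSION_NAMES = [perm for perm in dir(RBACPermission.permissions) if not perm.startswith("_")]
 ALL_PERMISSION_CLASSES: LegacyAccessControlCompatiblePermissions = [
-getattr(RBACPermission.Permissions, permission_name) for permission_name in ALL_PERMISSION_NAMES
+getattr(RBACPermission.permissions, permission_name) for permission_name in ALL_PERMISSION_NAMES
 ]
 ALL_PERMISSION_CHOICES: typing.List[typing.Tuple[str, str]] = []
 for permission_class, permission_name in zip(ALL_PERMISSION_CLASSES, ALL_PERMISSION_NAMES):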
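Review bot: The `ViewerOnCallPermissions` docstring calls the role "a subset of the Viewer role", but the four overrides widen it: with `FEATURE_ALLOW_VIEWERS_ON_CALL` set, a Viewer passes the legacy role check for `ALERT_GROUPS_WRITE`, `ALERT_GROUPS_DIRECT_PAGING`, `SCHEDULES_WRITE` and `NOTIFICATIONS_READ`, whereas the removed lines in this file only relaxed `NOTIFICATIONS_READ`. The docstring should list exactly those four grants and state that they lower the minimum legacy role to Viewer, so whoever enables the flag knows every Viewer can then modify alert groups and schedules and use direct paging (this assumes the base class keeps the other three at Editor, which is outside the visible hunks). The selector is also annotated as an instance and is bound once at import time; I would write it as `permissions: typing.Type[Permissions] = ViewerOnCallPermissions if settings.FEATURE_ALLOW_VIEWERS_ON_CALL else Permissions` and add a comment that call sites must go through `RBACPermission.permissions`, since `RBACPermission.Permissions` still resolves and ignores the flag.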
