Use dynamic toggle based definition of Permissions class for a RBAC m…

…odel
grafana · Dec 27, 2024 · 195723c · 195723c
1 parent edd98f7
commit 195723c
Show file tree

Hide file tree

Showing 28 changed files with 364 additions and 340 deletions.
diff --git a/engine/apps/api/permissions.py b/engine/apps/api/permissions.py
@@ -261,13 +261,7 @@ class Permissions:
         )
 
         NOTIFICATIONS_READ = LegacyAccessControlCompatiblePermission(
-            Resources.NOTIFICATIONS,
-            Actions.READ,
-            (
-                LegacyAccessControlRole.VIEWER
-                if settings.FEATURE_ALLOW_VIEWERS_ON_CALL
-                else LegacyAccessControlRole.EDITOR
-            ),
+            Resources.NOTIFICATIONS, Actions.READ, LegacyAccessControlRole.EDITOR
         )
 
         NOTIFICATION_SETTINGS_READ = LegacyAccessControlCompatiblePermission(
@@ -305,6 +299,29 @@ class Permissions:
             Resources.LABEL, Actions.WRITE, LegacyAccessControlRole.EDITOR, prefix=PluginID.LABELS
         )
 
+    class ViewerOnCallPermissions(Permissions):
+        """
+        This class is used to define permissions for the "Viewer on Call" role. This role is used in the context of
+        the "Viewer on Call" feature flag.
+        The role is a subset of the "Viewer" role, and is used to define permissions for users who
+        are allowed be OnCall having only READ role in grafana.
+        """
+
+        ALERT_GROUPS_WRITE = LegacyAccessControlCompatiblePermission(
+            Resources.ALERT_GROUPS, Actions.WRITE, LegacyAccessControlRole.VIEWER
+        )
+        ALERT_GROUPS_DIRECT_PAGING = LegacyAccessControlCompatiblePermission(
+            Resources.ALERT_GROUPS, Actions.DIRECT_PAGING, LegacyAccessControlRole.VIEWER
+        )
+        SCHEDULES_WRITE = LegacyAccessControlCompatiblePermission(
+            Resources.SCHEDULES, Actions.WRITE, LegacyAccessControlRole.VIEWER
+        )
+        NOTIFICATIONS_READ = LegacyAccessControlCompatiblePermission(
+            Resources.NOTIFICATIONS, Actions.READ, LegacyAccessControlRole.VIEWER
+        )
+
+    permissions: Permissions = Permissions if not settings.FEATURE_ALLOW_VIEWERS_ON_CALL else ViewerOnCallPermissions
+
     # mypy complains about "Liskov substitution principle" here because request is `AuthenticatedRequest` object
     # and not rest_framework.request.Request
     # https://mypy.readthedocs.io/en/stable/common_issues.html#incompatible-overrides
@@ -356,12 +373,13 @@ def has_object_permission(self, request: AuthenticatedRequest, view: ViewSetOrAP
         return True
 
 
-ALL_PERMISSION_NAMES = [perm for perm in dir(RBACPermission.Permissions) if not perm.startswith("_")]
+ALL_PERMISSION_NAMES = [perm for perm in dir(RBACPermission.permissions) if not perm.startswith("_")]
 ALL_PERMISSION_CLASSES: LegacyAccessControlCompatiblePermissions = [
-    getattr(RBACPermission.Permissions, permission_name) for permission_name in ALL_PERMISSION_NAMES
+    getattr(RBACPermission.permissions, permission_name) for permission_name in ALL_PERMISSION_NAMES
 ]
 ALL_PERMISSION_CHOICES: typing.List[typing.Tuple[str, str]] = []
 for permission_class, permission_name in zip(ALL_PERMISSION_CLASSES, ALL_PERMISSION_NAMES):
+    print(permission_class, type(permission_class))
     ALL_PERMISSION_CHOICES += [
         (permission_class.value, permission_name),
         (convert_oncall_permission_to_irm(permission_class), permission_name),