* Auth: Google OAuth consent prompt takes precedence when use_refresh_token is true
* Auth: Disable login prompt option for Google OAuth when use_refresh_token is true
* yarn run prettier:check --write
* feedback: validate login prompt when use_refresh_token is true
* Alerting: Protect sensitive fields of contact points from
unauthorized modification
- Introduce a new permission alert.notifications.receivers.protected:write. The permission is granted to contact point administrators.
- Introduce field Protected to NotifierOption
- Introduce DiffReport for models.Integrations with focus on Settings. The diff report is extended with methods that return all keys that are different between two settings.
- Add new annotation 'grafana.com/access/CanModifyProtected' to Receiver model
- Update receiver service to enforce the permission and return status 403 if unauthorized user modifies protected field
- Update receiver testing API to enforce permission and return status 403 if unauthorized user modifies protected field.
- Update UI to disable protected fields if user cannot modify them
* Alerting: Improve ASH Loki query efficiency by including folderUID
Previously, the folderUID label was only included when ruleUID was not specified
and the user did not have full alert rule read permissions.
To improve ASH Loki query efficiency, this PR includes the folderUID in the ASH
Loki query when ruleUID is specified, even if the user has full alert rule read
permissions.
Some non-obvious considerations:
- The naive implementation of just including the current folder UID would have
the unintended side-effect of no longer returning history after a rule is moved
between folders.
- The previous implementation made the trade-off of only checking RBAC on the
current folder, including any history from old folders that may exist.
To solve both of the above, we make an extra query to the database to check the
alert rule's previous versions so we can include any old folderUIDs, checking
RBAC at the same time.
The querying and inclusion of history from old folders is done best-effort, any
issues that might arise are logged and ignored so as not to prevent the current
folder history.
* Fix merge conflicts
* Reduce scanning on GetAlertRuleVersionFolders by grouping in query
* refactor: delegate authorization to access checker in dualwriter
- Remove role-based authorization checks (editor/admin role checks)
- Delegate all authorization to access checker which checks resource-level permissions
- Update authorizeCreateFolder to use access checker instead of role-based checks
- Add comprehensive authorization tests for viewer, editor, and admin roles
- Tests cover GET, POST, PUT, DELETE operations and folder creation
This change ensures that authorization is consistently handled through
the access checker, which checks resource-level permissions rather than
just organization roles.
* fix: format files_test.go
* fix: check error return value of resp.Body.Close()
* fix: grant permissions to all dashboards for editor role in authorization test
Use SetPermissions with wildcard to grant permissions to Editor user
for all dashboards, not just the initial one. This ensures that dashboards
created during tests (like in DELETE operations) have the necessary
permissions for the editor role.
**What is this feature?**
Add `rule_matcher` filter to the Prometheus-compatible list rules API: `/api/prometheus/grafana/api/v1/rules`. It allows to filter rules by static labels (not by alert instance labels).
**Special notes:**
- Equality (`=`) and inequality (`!=`) matchers are pushed down to the database. Regex matchers (`=~`, `!~`) are applied in-memory at the API layer.
- SQLite: Uses GLOB pattern matching
- MySQL / PostgreSQL: Use JSON functions to compare label values
---------
Co-authored-by: Konrad Lalik <konradlalik@gmail.com>
Enhancement: Introduce optimized folder permission relations and new permission definitions
- Added `can_get_permissions` and `can_set_permissions` relations to enhance permission management.
- Implemented `FolderPermissionRelation` function to optimize permission checks for folder resources.
- Updated `checkTyped` and `listTyped` methods to utilize optimized relations for permission management.
- Introduced a new benchmark test file for performance evaluation of permission checks and listings.
* init
* it works! but what a mess
* nil ptr bug
* split up client.go
* split up search_request.go
* split up data_query.go
* split up response_parser
* fix merge
* update handling request
* raw dsl agg parser
* change rawQuery to rawDSLQuery
* agg parser works but needs work
* clean up agg parser
* fix bugs with raw dsl parsers
* feature toggle
* fix tests
* editor type selector
* editor type added
* add fix builder vs code by not using same query field
* clean up
* fix lint
* pretty
* editor type selection should be behind ft
* adam's feedback
* prettier
fix: allow editors to POST jobs in provisioning API
Editors should be able to post jobs in the 'jobs' endpoint for syncing
repositories. This aligns with the requirement that syncing a repository
requires editor privileges.
- Separated 'jobs' subresource authorization from repository/test
- Allow both admins and editors to POST jobs
- Added integration tests to verify permissions
Fixes authorization bug where editors were incorrectly denied access.
* Provisioning: Deprecate single file/folder move and delete on configured branch
Reject individual file and folder move/delete operations on the configured
branch via the single files endpoints (HTTP 405 MethodNotAllowed). Users
must use the bulk operations API (jobs API) instead.
Motivation:
- Reconciliation for these operations is not reliable as it must be
recursive and cannot run synchronously since it could take a long time
- Simplifies authorization logic - fewer operations to secure and validate
- Reduces complexity and surface area for potential bugs
- Bulk operations via jobs API provide better control and observability
Operations on non-configured branches (e.g., creating PRs) continue to work
as before since they don't update the Grafana database.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: remove trailing whitespace in test file
* Fix behaviour to match current behavior
* Revert changes for individual files
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Previous attempt to land this required this PR and a grafana-enterprise
PR to land at the ~same time.
This PR guards the use of `dsConfigHandlerRequestsDuration` with a nil
check, and doesn't change any existing APIs, so we can land it without
any timing issues with grafana-enterprise.
Once this has landed, we'll make a follow-up PR for grafana-enterprise.
Mustafa Sencer Özcan
Victor Cinaglia
Ryan McKinley
Rafael Bortolon Paulovic
dependabot[bot]
Ivan Ortega Alba
Renato Costa
Yuri Tseretyan
Matthew Jacobson
Daniele Stefano Ferru
Roberto Jiménez Sánchez
Alexander Akhmetov
mohammad-hamid
Sarah Zinger
Andres Martinez Gotor
Yulia Shanyrova
Levente Balogh
Matheus Macabu
Georges Chaudy
Misi
Costa Alexoglou
Santiago
Andrew Hackmann
alerting-team[bot]
Gabriel MABILLE
Will Assis
Gonzalo Trigueros Manzanas
Jean-Philippe Quéméner
Joe Elliott
colin-stuart
Alexander Zobnin
William Wernert
Serge Zaitsev
Charandas
beejeebus