* Alerting: Protect sensitive fields of contact points from
unauthorized modification
- Introduce a new permission alert.notifications.receivers.protected:write. The permission is granted to contact point administrators.
- Introduce field Protected to NotifierOption
- Introduce DiffReport for models.Integrations with focus on Settings. The diff report is extended with methods that return all keys that are different between two settings.
- Add new annotation 'grafana.com/access/CanModifyProtected' to Receiver model
- Update receiver service to enforce the permission and return status 403 if unauthorized user modifies protected field
- Update receiver testing API to enforce permission and return status 403 if unauthorized user modifies protected field.
- Update UI to disable protected fields if user cannot modify them
* refactor: delegate authorization to access checker in dualwriter
- Remove role-based authorization checks (editor/admin role checks)
- Delegate all authorization to access checker which checks resource-level permissions
- Update authorizeCreateFolder to use access checker instead of role-based checks
- Add comprehensive authorization tests for viewer, editor, and admin roles
- Tests cover GET, POST, PUT, DELETE operations and folder creation
This change ensures that authorization is consistently handled through
the access checker, which checks resource-level permissions rather than
just organization roles.
* fix: format files_test.go
* fix: check error return value of resp.Body.Close()
* fix: grant permissions to all dashboards for editor role in authorization test
Use SetPermissions with wildcard to grant permissions to Editor user
for all dashboards, not just the initial one. This ensures that dashboards
created during tests (like in DELETE operations) have the necessary
permissions for the editor role.
**What is this feature?**
Add `rule_matcher` filter to the Prometheus-compatible list rules API: `/api/prometheus/grafana/api/v1/rules`. It allows to filter rules by static labels (not by alert instance labels).
**Special notes:**
- Equality (`=`) and inequality (`!=`) matchers are pushed down to the database. Regex matchers (`=~`, `!~`) are applied in-memory at the API layer.
- SQLite: Uses GLOB pattern matching
- MySQL / PostgreSQL: Use JSON functions to compare label values
---------
Co-authored-by: Konrad Lalik <konradlalik@gmail.com>
fix: allow editors to POST jobs in provisioning API
Editors should be able to post jobs in the 'jobs' endpoint for syncing
repositories. This aligns with the requirement that syncing a repository
requires editor privileges.
- Separated 'jobs' subresource authorization from repository/test
- Allow both admins and editors to POST jobs
- Added integration tests to verify permissions
Fixes authorization bug where editors were incorrectly denied access.
* Provisioning: Deprecate single file/folder move and delete on configured branch
Reject individual file and folder move/delete operations on the configured
branch via the single files endpoints (HTTP 405 MethodNotAllowed). Users
must use the bulk operations API (jobs API) instead.
Motivation:
- Reconciliation for these operations is not reliable as it must be
recursive and cannot run synchronously since it could take a long time
- Simplifies authorization logic - fewer operations to secure and validate
- Reduces complexity and surface area for potential bugs
- Bulk operations via jobs API provide better control and observability
Operations on non-configured branches (e.g., creating PRs) continue to work
as before since they don't update the Grafana database.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: remove trailing whitespace in test file
* Fix behaviour to match current behavior
* Revert changes for individual files
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* `grafana-iam`: Fetch target parent folder
* WIP add different ParentProviders
* Add version
* Move code to a different file
* Instantiate resourceParentProvider
* same import name
* imports
* Add tests
* Remove unecessary test
* forgot wire
* WIP integration tests
* Add test to cover list
* Fix caching problem in integration tests
* comments
* Logger and comments
* Add lazy creation and caching
* Instantiate clients only once
* Rerun wire gen
* feat: legacy ListIterator with batches
* chore: address code review
* chore: remove nil check in nextBatch
* chore: move close before count check
* chore: add err field to batchingIterator for its own errors
* chore: remove unused import
* Reapply "K8s: read resource configs from API Enablement for API Builders" (#114475)
This reverts commit 4130bd9cd3.
* revert part that broke things
* FF service changes are gonna come later
* MTFF: allow viewers access to MTFF by enforcing runtime_config for custom routes
* unused var
* removed now
* pass the test, include defaults
* revert sample.ini change
* add legacy search (wip)
* fix search field name
* implement team search endpoint
* generate openapi spec
* generate endpoints for frontend
* minor fixes
* fix issues found while testing
* add more fields to search result
* add basic unit tests
* add more unit tests
* improve getColumns() func in legacy search
* configure search endpoint in team.cue
* add team search handler
* add the searchTeams endpoint to manifest.cue
* make gofmt
* update openapi spec
* generate frontend endpoints
* remove unused field
* move fields defiitions to separate builder
* fix legacy search
* fix unit tests
* fix unit test
* address feedback
* fix unit test
* update openapi specs
* yarn generate-apis
* add missing unit tests
* Update docs
* Remove 406 response since now it is converted
* fix linter
---------
Co-authored-by: Stephanie Hingtgen <stephanie.hingtgen@grafana.com>
* Alerting: Add expression type to webhook valueString
- Add Type field to NumberValueCapture struct
- Implement AlertQuery.GetExpressionType() method
- Update valueString format to include type information
* Alerting: Add expression type to webhook valueString
- Fix tests
* Alerting: Add expression type to webhook valueString
- Update default annotations in notifier templates to include type field
* Alerting: Add expression type to webhook valueString
- Add type='math' to webhook and email test expectations
* feat(provisioning): add generic version handling for dashboard export
- Update export job to handle any dashboard version generically (v0, v1, v2, v3, etc.)
- Dynamically construct GroupVersionResource for any stored version
- Cache version-specific clients for efficiency
- Add comprehensive table-driven unit tests for multiple versions
- Add integration test to verify version handling end-to-end
- Remove unnecessary version shim from clean operation (deletion works by name)
* test: add unit test for v2 dashboard version (no suffix)
* fix: add missing transformation for scenes -> save model v2
* fix: link placement transformation on the backend between schemas
* fix: update the openapi spec in the tests
* tes: add tests for `transformSceneToSaveModelSchemaV2`
* tests: extend conversion_test.go to cover link placements
Rafael Bortolon Paulovic
Yuri Tseretyan
Daniele Stefano Ferru
Roberto Jiménez Sánchez
Alexander Akhmetov
Gonzalo Trigueros Manzanas
Gabriel MABILLE
Misi
Ryan McKinley
Galen Kistler
Todd Treece
Kristina Demeshchik
Mihai Doarna
Renato Costa
Charandas
Austin Pond
Ivan Ortega Alba
Dominik Prokop
Seunghun Shin
Ezequiel Victorero
Liza Detrick
Steve Simpson
Levente Balogh
Tito Lins
Tom Ratcliffe
Will Browne
alerting-team[bot]
Dave Henderson
Jean-Philippe Quéméner