* refactor: delegate authorization to access checker in dualwriter
- Remove role-based authorization checks (editor/admin role checks)
- Delegate all authorization to access checker which checks resource-level permissions
- Update authorizeCreateFolder to use access checker instead of role-based checks
- Add comprehensive authorization tests for viewer, editor, and admin roles
- Tests cover GET, POST, PUT, DELETE operations and folder creation
This change ensures that authorization is consistently handled through
the access checker, which checks resource-level permissions rather than
just organization roles.
* fix: format files_test.go
* fix: check error return value of resp.Body.Close()
* fix: grant permissions to all dashboards for editor role in authorization test
Use SetPermissions with wildcard to grant permissions to Editor user
for all dashboards, not just the initial one. This ensures that dashboards
created during tests (like in DELETE operations) have the necessary
permissions for the editor role.
**What is this feature?**
Add `rule_matcher` filter to the Prometheus-compatible list rules API: `/api/prometheus/grafana/api/v1/rules`. It allows filtering rules by static labels (not by alert instance labels).
**Special notes:**
- Equality (`=`) and inequality (`!=`) matchers are pushed down to the database. Regex matchers (`=~`, `!~`) are applied in-memory at the API layer.
- SQLite: Uses GLOB pattern matching
- MySQL / PostgreSQL: Use JSON functions to compare label values
---------
Co-authored-by: Konrad Lalik <konradlalik@gmail.com>
Enhancement: Introduce optimized folder permission relations and new permission definitions
- Added `can_get_permissions` and `can_set_permissions` relations to enhance permission management.
- Implemented `FolderPermissionRelation` function to optimize permission checks for folder resources.
- Updated `checkTyped` and `listTyped` methods to utilize optimized relations for permission management.
- Introduced a new benchmark test file for performance evaluation of permission checks and listings.
* init
* it works! but what a mess
* nil ptr bug
* split up client.go
* split up search_request.go
* split up data_query.go
* split up response_parser
* fix merge
* update handling request
* raw dsl agg parser
* change rawQuery to rawDSLQuery
* agg parser works but needs work
* clean up agg parser
* fix bugs with raw dsl parsers
* feature toggle
* fix tests
* editor type selector
* editor type added
* add fix builder vs code by not using same query field
* clean up
* fix lint
* pretty
* editor type selection should be behind ft
* adam's feedback
* prettier
fix: allow editors to POST jobs in provisioning API
Editors should be able to post jobs in the 'jobs' endpoint for syncing
repositories. This aligns with the requirement that syncing a repository
requires editor privileges.
- Separated 'jobs' subresource authorization from repository/test
- Allow both admins and editors to POST jobs
- Added integration tests to verify permissions
Fixes authorization bug where editors were incorrectly denied access.
* Provisioning: Deprecate single file/folder move and delete on configured branch
Reject individual file and folder move/delete operations on the configured
branch via the single files endpoints (HTTP 405 MethodNotAllowed). Users
must use the bulk operations API (jobs API) instead.
Motivation:
- Reconciliation for these operations is not reliable as it must be
recursive and cannot run synchronously since it could take a long time
- Simplifies authorization logic - fewer operations to secure and validate
- Reduces complexity and surface area for potential bugs
- Bulk operations via jobs API provide better control and observability
Operations on non-configured branches (e.g., creating PRs) continue to work
as before since they don't update the Grafana database.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: remove trailing whitespace in test file
* Fix behaviour to match current behavior
* Revert changes for individual files
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Previous attempt to land this required this PR and a grafana-enterprise
PR to land at the ~same time.
This PR guards the use of `dsConfigHandlerRequestsDuration` with a nil
check, and doesn't change any existing APIs, so we can land it without
any timing issues with grafana-enterprise.
Once this has landed, we'll make a follow-up PR for grafana-enterprise.
* Fix race condition causing unhealthy repository message to be lost
This commit fixes a race condition in the provisioning repository controller
where the "Repository is unhealthy" message in the sync status could be lost
due to status updates being based on stale repository objects.
## Problem
The issue occurred in the `process` function when:
1. Repository object was fetched from cache with old status
2. `RefreshHealth` immediately patched the health status to "unhealthy"
3. `determineSyncStatusOps` used the stale object to check if unhealthy
message was already set
4. A second patch operation based on stale data would overwrite the
health status update
## Solution
Introduced `RefreshHealthWithPatchOps` method that returns patch operations
instead of immediately applying them. This allows batching all status updates
(health + sync) into a single atomic patch operation, eliminating the race
condition.
## Changes
- Added `HealthCheckerInterface` for better testability
- Added `RefreshHealthWithPatchOps` method to return patch ops without applying
- Updated `process` function to batch health and sync status updates
- Added comprehensive unit tests for the fix
Fixes the issue where unhealthy repositories don't show the "Repository is
unhealthy" message in their sync status.
* Fix staticcheck lint error: remove unnecessary nil check for slice
* `grafana-iam`: Fetch target parent folder
* WIP add different ParentProviders
* Add version
* Move code to a different file
* Instantiate resourceParentProvider
* same import name
* imports
* Add tests
* Remove unnecessary test
* forgot wire
* WIP integration tests
* Add test to cover list
* Fix caching problem in integration tests
* comments
* Logger and comments
* Add lazy creation and caching
* Instantiate clients only once
* Rerun wire gen