Fix refactored permissions sync (#4771)

engine/apps/auth_token/auth.py

@@ -11,7 +11,7 @@
 
 from apps.api.permissions import GrafanaAPIPermission, LegacyAccessControlRole, RBACPermission, user_is_authorized
 from apps.grafana_plugin.helpers.gcom import check_token
-from apps.grafana_plugin.sync_data import SyncUser
+from apps.grafana_plugin.sync_data import SyncPermission, SyncUser
 from apps.user_management.exceptions import OrganizationDeletedException, OrganizationMovedException
 from apps.user_management.models import User
 from apps.user_management.models.organization import Organization
@@ -165,14 +165,19 @@ def _get_user(request: Request, organization: Organization) -> User:
             except (ValueError, TypeError):
                 raise exceptions.AuthenticationFailed("User context must be JSON dict.")
             if user_data:
+                permissions = []
+                if user_data.get("permissions"):
+                    permissions = [
+                        SyncPermission(action=permission["action"]) for permission in user_data["permissions"]
+                    ]
                 user_sync_data = SyncUser(
                     id=user_data["id"],
                     name=user_data["name"],
                     login=user_data["login"],
                     email=user_data["email"],
                     role=user_data["role"],
                     avatar_url=user_data["avatar_url"],
-                    permissions=user_data["permissions"] or [],
+                    permissions=permissions,
                     teams=user_data.get("teams", None),
                 )
                 return get_or_create_user(organization, user_sync_data)

engine/apps/user_management/sync.py

@@ -121,7 +121,7 @@ def sync_users(client: GrafanaAPIClient, organization: Organization, **kwargs) -
             role=user["role"],
             avatar_url=user["avatarUrl"],
             teams=None,
-            permissions=[SyncPermission(action=permission["permission"]) for permission in user["permissions"]],
+            permissions=[SyncPermission(action=permission["action"]) for permission in user["permissions"]],
         )
         for user in api_users
     ]
@@ -328,7 +328,7 @@ def _sync_users_data(organization: Organization, sync_users: list[SyncUser], del
             username=user.login,
             role=getattr(LegacyAccessControlRole, user.role.upper(), LegacyAccessControlRole.NONE),
             avatar_url=user.avatar_url,
-            permissions=user.permissions or [],
+            permissions=[{"action": permission.action} for permission in user.permissions] or [],
         )
         for user in sync_users
     )

engine/apps/user_management/tests/test_sync.py

@@ -40,7 +40,7 @@ def patched_grafana_api_client(organization, is_rbac_enabled_for_organization=(F
                 "login": "test",
                 "role": "admin",
                 "avatarUrl": "test.test/test",
-                "permissions": [],
+                "permissions": [{"action": "permission:all"}] if is_rbac_enabled_for_organization[0] else [],
             },
         ]
         mock_client_instance.get_teams.return_value = (
@@ -288,6 +288,8 @@ def test_sync_organization_is_rbac_permissions_enabled_open_source(
 
     organization.refresh_from_db()
     assert organization.is_rbac_permissions_enabled == expected
+    expected_permissions = [{"action": "permission:all"}] if is_rbac_enabled_for_organization[0] else []
+    assert organization.users.get().permissions == expected_permissions
 
 
 @pytest.mark.parametrize(
@@ -327,6 +329,8 @@ def test_sync_organization_is_rbac_permissions_enabled_cloud(
     organization.refresh_from_db()
 
     assert organization.is_rbac_permissions_enabled == org_is_rbac_permissions_enabled_expected_value
+    expected_permissions = [{"action": "permission:all"}] if grafana_api_response[0] else []
+    assert organization.users.get().permissions == expected_permissions
 
     mock_gcom_client.return_value.is_stack_active.assert_called_once_with(stack_id)