From 85c63e7ba285302d77f461c3c6f83e573d155103 Mon Sep 17 00:00:00 2001
From: Matias Bordese <mbordese@gmail.com>
Date: Wed, 31 Jul 2024 17:27:42 -0300
Subject: [PATCH] Fix refactored permissions sync (#4771)

---
 engine/apps/auth_token/auth.py                 | 9 +++++++--
 engine/apps/user_management/sync.py            | 4 ++--
 engine/apps/user_management/tests/test_sync.py | 6 +++++-
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/engine/apps/auth_token/auth.py b/engine/apps/auth_token/auth.py
index 41d7f80a7f..bb419eb3af 100644
--- a/engine/apps/auth_token/auth.py
+++ b/engine/apps/auth_token/auth.py
@@ -11,7 +11,7 @@
 
 from apps.api.permissions import GrafanaAPIPermission, LegacyAccessControlRole, RBACPermission, user_is_authorized
 from apps.grafana_plugin.helpers.gcom import check_token
-from apps.grafana_plugin.sync_data import SyncUser
+from apps.grafana_plugin.sync_data import SyncPermission, SyncUser
 from apps.user_management.exceptions import OrganizationDeletedException, OrganizationMovedException
 from apps.user_management.models import User
 from apps.user_management.models.organization import Organization
@@ -165,6 +165,11 @@ def _get_user(request: Request, organization: Organization) -> User:
             except (ValueError, TypeError):
                 raise exceptions.AuthenticationFailed("User context must be JSON dict.")
             if user_data:
+                permissions = []
+                if user_data.get("permissions"):
+                    permissions = [
+                        SyncPermission(action=permission["action"]) for permission in user_data["permissions"]
+                    ]
                 user_sync_data = SyncUser(
                     id=user_data["id"],
                     name=user_data["name"],
@@ -172,7 +177,7 @@ def _get_user(request: Request, organization: Organization) -> User:
                     email=user_data["email"],
                     role=user_data["role"],
                     avatar_url=user_data["avatar_url"],
-                    permissions=user_data["permissions"] or [],
+                    permissions=permissions,
                     teams=user_data.get("teams", None),
                 )
                 return get_or_create_user(organization, user_sync_data)
diff --git a/engine/apps/user_management/sync.py b/engine/apps/user_management/sync.py
index 68bf8ffcc3..edc6821e41 100644
--- a/engine/apps/user_management/sync.py
+++ b/engine/apps/user_management/sync.py
@@ -121,7 +121,7 @@ def sync_users(client: GrafanaAPIClient, organization: Organization, **kwargs) -
             role=user["role"],
             avatar_url=user["avatarUrl"],
             teams=None,
-            permissions=[SyncPermission(action=permission["permission"]) for permission in user["permissions"]],
+            permissions=[SyncPermission(action=permission["action"]) for permission in user["permissions"]],
         )
         for user in api_users
     ]
@@ -328,7 +328,7 @@ def _sync_users_data(organization: Organization, sync_users: list[SyncUser], del
             username=user.login,
             role=getattr(LegacyAccessControlRole, user.role.upper(), LegacyAccessControlRole.NONE),
             avatar_url=user.avatar_url,
-            permissions=user.permissions or [],
+            permissions=[{"action": permission.action} for permission in user.permissions] or [],
         )
         for user in sync_users
     )
diff --git a/engine/apps/user_management/tests/test_sync.py b/engine/apps/user_management/tests/test_sync.py
index ee278cf5e1..ce0dd175b2 100644
--- a/engine/apps/user_management/tests/test_sync.py
+++ b/engine/apps/user_management/tests/test_sync.py
@@ -40,7 +40,7 @@ def patched_grafana_api_client(organization, is_rbac_enabled_for_organization=(F
                 "login": "test",
                 "role": "admin",
                 "avatarUrl": "test.test/test",
-                "permissions": [],
+                "permissions": [{"action": "permission:all"}] if is_rbac_enabled_for_organization[0] else [],
             },
         ]
         mock_client_instance.get_teams.return_value = (
@@ -288,6 +288,8 @@ def test_sync_organization_is_rbac_permissions_enabled_open_source(
 
     organization.refresh_from_db()
     assert organization.is_rbac_permissions_enabled == expected
+    expected_permissions = [{"action": "permission:all"}] if is_rbac_enabled_for_organization[0] else []
+    assert organization.users.get().permissions == expected_permissions
 
 
 @pytest.mark.parametrize(
@@ -327,6 +329,8 @@ def test_sync_organization_is_rbac_permissions_enabled_cloud(
     organization.refresh_from_db()
 
     assert organization.is_rbac_permissions_enabled == org_is_rbac_permissions_enabled_expected_value
+    expected_permissions = [{"action": "permission:all"}] if grafana_api_response[0] else []
+    assert organization.users.get().permissions == expected_permissions
 
     mock_gcom_client.return_value.is_stack_active.assert_called_once_with(stack_id)