Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grafana for openSUSE:Factory checked in at 2025-05-27 18:44:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grafana (Old) and /work/SRC/openSUSE:Factory/.grafana.new.2732 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grafana" Tue May 27 18:44:19 2025 rev:73 rq:1280633 version:11.6.1+security01 Changes: -------- --- /work/SRC/openSUSE:Factory/grafana/grafana.changes 2025-05-22 16:55:35.214658071 +0200 +++ /work/SRC/openSUSE:Factory/.grafana.new.2732/grafana.changes 2025-05-27 18:44:36.922674206 +0200 @@ -1,0 +2,13 @@ +Tue May 27 12:46:15 UTC 2025 - Witek Bedyk <[email protected]> + +- Update to version 11.6.1+security-01: + * Security: + CVE-2025-4123: Fix cross-site scripting vulnerability + (bsc#1243714) +- CVE-2025-22872: Bump golang.org/x/net/html (bsc#1241809) + * Add 0003-Bump-x-net.patch +- CVE-2025-3580: Prevent unauthorized server admin deletion + (bsc#1243672) + * Add 0004-Fix-CVE-2025-3580.patch + +------------------------------------------------------------------- Old: ---- grafana-11.6.1.tar.gz New: ---- 0003-Bump-x-net.patch 0004-Fix-CVE-2025-3580.patch grafana-11.6.1+security01.tar.gz BETA DEBUG BEGIN: New:- CVE-2025-22872: Bump golang.org/x/net/html (bsc#1241809) * Add 0003-Bump-x-net.patch - CVE-2025-3580: Prevent unauthorized server admin deletion New: (bsc#1243672) * Add 0004-Fix-CVE-2025-3580.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grafana.spec ++++++ --- /var/tmp/diff_new_pack.ZLsGeU/_old 2025-05-27 18:44:38.550742714 +0200 +++ /var/tmp/diff_new_pack.ZLsGeU/_new 2025-05-27 18:44:38.554742882 +0200 @@ -22,7 +22,7 @@ %endif Name: grafana -Version: 11.6.1 +Version: 11.6.1+security01 Release: 0 Summary: The open-source platform for monitoring and observability License: AGPL-3.0-only @@ -37,6 +37,8 @@ Source4: Makefile Source5: 0001-Add-source-code-reference.patch Patch2: 0002-Use-bash-instead-of-env.patch +Patch3: 0003-Bump-x-net.patch +Patch4: 0004-Fix-CVE-2025-3580.patch BuildRequires: fdupes BuildRequires: git-core BuildRequires: wire ++++++ 0003-Bump-x-net.patch ++++++ diff --git a/go.mod b/go.mod index 7b228cdeabd..5a98e2340f8 100644 --- a/go.mod 
+++ b/go.mod @@ -169,13 +169,13 @@ require ( go.uber.org/goleak v1.3.0 // @grafana/grafana-search-and-storage go.uber.org/zap v1.27.0 // @grafana/identity-access-team gocloud.dev v0.40.0 // @grafana/grafana-app-platform-squad - golang.org/x/crypto v0.35.0 // @grafana/grafana-backend-group + golang.org/x/crypto v0.36.0 // @grafana/grafana-backend-group golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // @grafana/alerting-backend golang.org/x/mod v0.22.0 // indirect; @grafana/grafana-backend-group - golang.org/x/net v0.36.0 // @grafana/oss-big-tent @grafana/partner-datasources + golang.org/x/net v0.38.0 // @grafana/oss-big-tent @grafana/partner-datasources golang.org/x/oauth2 v0.27.0 // @grafana/identity-access-team - golang.org/x/sync v0.11.0 // @grafana/alerting-backend - golang.org/x/text v0.22.0 // @grafana/grafana-backend-group + golang.org/x/sync v0.12.0 // @grafana/alerting-backend + golang.org/x/text v0.23.0 // @grafana/grafana-backend-group golang.org/x/time v0.9.0 // @grafana/grafana-backend-group golang.org/x/tools v0.29.0 // indirect; @grafana/grafana-as-code gonum.org/v1/gonum v0.15.1 // @grafana/oss-big-tent @@ -527,8 +527,8 @@ require ( go.uber.org/mock v0.5.0 // indirect go.uber.org/multierr v1.11.0 // indirect go4.org/netipx v0.0.0-20230125063823-8449b0a6169f // indirect - golang.org/x/sys v0.30.0 // indirect - golang.org/x/term v0.29.0 // indirect + golang.org/x/sys v0.31.0 // indirect + golang.org/x/term v0.30.0 // indirect golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/genproto v0.0.0-20250122153221-138b5a5a4fd4 // indirect diff --git a/go.sum b/go.sum index bf1e9486c22..5be3716a35f 100644 --- a/go.sum +++ b/go.sum 
@@ -2596,6 +2596,7 @@ golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1m golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= +golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -2743,6 +2744,8 @@ golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA= golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I= +golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= +golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -2803,6 +2806,7 @@ golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -2931,6 +2935,7 @@ golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -2948,6 +2953,7 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= +golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -2969,6 +2975,7 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= +golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/go.work.sum b/go.work.sum index e97f797b128..a196cd7f7c1 100644 --- a/go.work.sum +++ b/go.work.sum 
@@ -1174,8 +1174,6 @@ github.com/rabbitmq/amqp091-go v1.9.0 h1:qrQtyzB4H8BQgEuJwhmVQqVHB9O4+MNDJCCAcpc github.com/rabbitmq/amqp091-go v1.9.0/go.mod h1:+jPrT9iY2eLjRaMSRHUhc3z14E/l85kv/f+6luSD3pc= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM= -github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA= github.com/relvacode/iso8601 v1.4.0 h1:GsInVSEJfkYuirYFxa80nMLbH2aydgZpIf52gYZXUJs= github.com/relvacode/iso8601 v1.4.0/go.mod h1:FlNp+jz+TXpyRqgmM7tnzHHzBnz776kmAH2h3sZCn0I= github.com/richardartoul/molecule v1.0.0 h1:+LFA9cT7fn8KF39zy4dhOnwcOwRoqKiBkPqKqya+8+U= @@ -1440,6 +1438,7 @@ golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc= golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= +golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= 
@@ -1479,6 +1478,7 @@ golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 
@@ -1491,13 +1491,16 @@ golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457 h1:zf5N6UOrA487eEFacMePxjXAJctxKmyjKUsjA11Uzuk= golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0= golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= +golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= ++++++ 0004-Fix-CVE-2025-3580.patch ++++++ >From 679039d5257daddb6891ccffd99d46175eab177b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com> Date: Wed, 21 May 2025 21:12:30 +0000 Subject: [PATCH] apply security patch: release-11.6.2/404-202504151210.patch --- pkg/services/org/orgimpl/store.go | 11 ++- pkg/services/org/orgimpl/store_test.go | 128 +++++++++++++++++++++++-- 2 files changed, 129 insertions(+), 10 deletions(-) 
diff --git a/pkg/services/org/orgimpl/store.go b/pkg/services/org/orgimpl/store.go index 5d247ffeb9bd..b6faf583154e 100644 --- a/pkg/services/org/orgimpl/store.go +++ b/pkg/services/org/orgimpl/store.go @@ -683,6 +683,15 @@ func (ss *sqlStore) RemoveOrgUser(ctx context.Context, cmd *org.RemoveOrgUserCom return user.ErrUserNotFound } + // check if user belongs to org + var orgUser org.OrgUser + if exists, err := sess.Where("org_id=? AND user_id=?", cmd.OrgID, cmd.UserID).Get(&orgUser); err != nil { + return err + } else if !exists { + ss.log.Debug("User not in org, nothing to do", "user_id", cmd.UserID, "org_id", cmd.OrgID) + return nil + } + deletes := []string{ "DELETE FROM org_user WHERE org_id=? and user_id=?", "DELETE FROM dashboard_acl WHERE org_id=? and user_id = ?", @@ -729,7 +738,7 @@ func (ss *sqlStore) RemoveOrgUser(ctx context.Context, cmd *org.RemoveOrgUserCom return err } } - } else if cmd.ShouldDeleteOrphanedUser { + } else if cmd.ShouldDeleteOrphanedUser && !usr.IsAdmin { // no other orgs, delete the full user if err := ss.deleteUserInTransaction(sess, &user.DeleteUserCommand{UserID: usr.ID}); err != nil { return err diff --git a/pkg/services/org/orgimpl/store_test.go b/pkg/services/org/orgimpl/store_test.go index abc4e217418f..b53ee8fe3bad 100644 --- a/pkg/services/org/orgimpl/store_test.go +++ b/pkg/services/org/orgimpl/store_test.go @@ -12,6 +12,7 @@ import ( "github.com/grafana/grafana/pkg/apimachinery/identity" "github.com/grafana/grafana/pkg/infra/db" + "github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/tracing" "github.com/grafana/grafana/pkg/services/accesscontrol" "github.com/grafana/grafana/pkg/services/org" @@ -40,6 +41,7 @@ func TestIntegrationOrgDataAccess(t *testing.T) { orgStore := sqlStore{ db: ss, dialect: ss.GetDialect(), + log: log.NewNopLogger(), } t.Run("org not found", func(t *testing.T) { 
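Review bot: In the first store.go hunk, the non-member case of the added guard is logged only at debug level and returned to the caller as success, so a removal request aimed at a user outside `cmd.OrgID` leaves no trace at default log levels. The new test and the second hunk suggest the orphan-deletion branch was reachable for such users before this patch, so this is an event operators would want to see, e.g. `ss.log.Warn("Ignoring removal of user that is not a member of the org", "user_id", cmd.UserID, "org_id", cmd.OrgID)`. The comment `// check if user belongs to org` should also say why, e.g. `// Stop here for non-members: the clean-up and orphan deletion below must never run for a user who is not in cmd.OrgID.` RemoveOrgUser starts and ends outside this hunk, so whether callers should get an error instead of nil cannot be judged from here.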
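Review bot: In the second store.go hunk, `&& !usr.IsAdmin` makes a server admin with no remaining org fall through the `else if` silently. The org-scoped DELETE statements listed earlier in the function have presumably already run, the account is kept, and nothing records that the requested orphan deletion was skipped. I would state the intent on the condition, e.g. `// Never delete a server admin as an orphan (CVE-2025-3580); the account is kept even with no org left.`, and log the skipped deletion with `user_id` and `org_id` so the resulting org-less admin account can be found later. `usr` is loaded outside this hunk, so it is not visible whether `IsAdmin` is read inside the same transaction as the deletes.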
@@ -281,6 +283,7 @@ func TestIntegrationOrgUserDataAccess(t *testing.T) { orgUserStore := sqlStore{ db: ss, dialect: ss.GetDialect(), + log: log.NewNopLogger(), } t.Run("org user inserted", func(t *testing.T) { @@ -356,7 +359,7 @@ func TestIntegrationOrgUserDataAccess(t *testing.T) { ss, cfg := db.InitTestDBWithCfg(t) _, usrSvc := createOrgAndUserSvc(t, ss, cfg) ac1cmd := &user.CreateUserCommand{Login: "ac1", Email: "[email protected]", Name: "ac1 name"} - ac2cmd := &user.CreateUserCommand{Login: "ac2", Email: "[email protected]", Name: "ac2 name", IsAdmin: true} + ac2cmd := &user.CreateUserCommand{Login: "ac2", Email: "[email protected]", Name: "ac2 name"} ac1, err := usrSvc.Create(context.Background(), ac1cmd) require.NoError(t, err) ac2, err := usrSvc.Create(context.Background(), ac2cmd) @@ -483,6 +486,15 @@ func TestIntegrationOrgUserDataAccess(t *testing.T) { err := orgUserStore.Delete(context.Background(), &org.DeleteOrgCommand{ID: ac2.OrgID}) require.NoError(t, err) + // make sure ac2 is in ac1 org + cmd := org.AddOrgUserCommand{ + OrgID: ac1.OrgID, + UserID: ac2.ID, + Role: org.RoleViewer, + } + err = orgUserStore.AddOrgUser(context.Background(), &cmd) + require.NoError(t, err) + // remove ac2 user from ac1 org remCmd := org.RemoveOrgUserCommand{OrgID: ac1.OrgID, UserID: ac2.ID, ShouldDeleteOrphanedUser: true} err = orgUserStore.RemoveOrgUser(context.Background(), &remCmd) @@ -568,6 +580,7 @@ func TestIntegrationSQLStore_AddOrgUser(t *testing.T) { orgUserStore := sqlStore{ db: store, dialect: store.GetDialect(), + log: log.NewNopLogger(), } orgSvc, usrSvc := createOrgAndUserSvc(t, store, cfg) @@ -633,6 +646,7 @@ func TestIntegration_SQLStore_GetOrgUsers(t *testing.T) { orgUserStore := sqlStore{ db: store, dialect: store.GetDialect(), + log: log.NewNopLogger(), } cfg.IsEnterprise = true defer func() { 
@@ -751,6 +765,7 @@ func TestIntegration_SQLStore_GetOrgUsers_PopulatesCorrectly(t *testing.T) { orgUserStore := sqlStore{ db: store, dialect: store.GetDialect(), + log: log.NewNopLogger(), } _, usrSvc := createOrgAndUserSvc(t, store, cfg) @@ -812,6 +827,7 @@ func TestIntegration_SQLStore_SearchOrgUsers(t *testing.T) { orgUserStore := sqlStore{ db: store, dialect: store.GetDialect(), + log: log.NewNopLogger(), } // orgUserStore.cfg.Skip orgSvc, userSvc := createOrgAndUserSvc(t, store, cfg) @@ -888,12 +904,18 @@ func TestIntegration_SQLStore_RemoveOrgUser(t *testing.T) { orgUserStore := sqlStore{ db: store, dialect: store.GetDialect(), + log: log.NewNopLogger(), } + orgSvc, usrSvc := createOrgAndUserSvc(t, store, cfg) o, err := orgSvc.CreateWithMember(context.Background(), &org.CreateOrgCommand{Name: MainOrgName}) require.NoError(t, err) + // create 2nd org + o2, err := orgSvc.CreateWithMember(context.Background(), &org.CreateOrgCommand{Name: "test org 2"}) + require.NoError(t, err) + // create org and admin _, err = usrSvc.Create(context.Background(), &user.CreateUserCommand{ Login: "admin", 
@@ -902,28 +924,116 @@ func TestIntegration_SQLStore_RemoveOrgUser(t *testing.T) { require.NoError(t, err) // create a user with no org - _, err = usrSvc.Create(context.Background(), &user.CreateUserCommand{ - Login: "user", - OrgID: 1, + viewer, err := usrSvc.Create(context.Background(), &user.CreateUserCommand{ + Login: "viewer", SkipOrgSetup: true, }) require.NoError(t, err) + // create a user with no org + viewer2, err := usrSvc.Create(context.Background(), &user.CreateUserCommand{ + Login: "viewer2", + SkipOrgSetup: true, + }) + require.NoError(t, err) + + // create a user with no org + viewer3, err := usrSvc.Create(context.Background(), &user.CreateUserCommand{ + Login: "viewer3", + SkipOrgSetup: true, + }) + require.NoError(t, err) + + // create an admin user with no org + admin, err := usrSvc.Create(context.Background(), &user.CreateUserCommand{ + Login: "serverAdmin", + SkipOrgSetup: true, + IsAdmin: true, + }) + require.NoError(t, err) + // assign the user to the org err = orgUserStore.AddOrgUser(context.Background(), &org.AddOrgUserCommand{ Role: "Viewer", - OrgID: 1, - UserID: 2, + OrgID: o.ID, + UserID: viewer.ID, + }) + require.NoError(t, err) + + // assign the admin user to the org + err = orgUserStore.AddOrgUser(context.Background(), &org.AddOrgUserCommand{ + Role: "Admin", + OrgID: o.ID, + UserID: admin.ID, + }) + require.NoError(t, err) + + // assign the viewer3 user to the 2nd org + err = orgUserStore.AddOrgUser(context.Background(), &org.AddOrgUserCommand{ + Role: "Viewer", + OrgID: o2.ID, + UserID: viewer3.ID, }) require.NoError(t, err) // remove the user org err = orgUserStore.RemoveOrgUser(context.Background(), &org.RemoveOrgUserCommand{ - UserID: 2, - OrgID: 1, - ShouldDeleteOrphanedUser: false, + UserID: viewer.ID, + OrgID: o.ID, + ShouldDeleteOrphanedUser: true, + }) + require.NoError(t, err) + + // remove the admin user + err = orgUserStore.RemoveOrgUser(context.Background(), &org.RemoveOrgUserCommand{ + UserID: admin.ID, + OrgID: o.ID, + 
ShouldDeleteOrphanedUser: true, + }) + require.NoError(t, err) + + // remove the viewer3 user from first org they don't belong to + err = orgUserStore.RemoveOrgUser(context.Background(), &org.RemoveOrgUserCommand{ + UserID: viewer3.ID, + OrgID: o.ID, + ShouldDeleteOrphanedUser: true, + }) + require.NoError(t, err) + + // remove the viewer2 user from first org they don't belong to + err = orgUserStore.RemoveOrgUser(context.Background(), &org.RemoveOrgUserCommand{ + UserID: viewer2.ID, + OrgID: o.ID, + ShouldDeleteOrphanedUser: true, + }) + require.NoError(t, err) + + // verify the user is deleted + _, err = usrSvc.GetByID(context.Background(), &user.GetUserByIDQuery{ + ID: viewer.ID, + }) + require.ErrorIs(t, err, user.ErrUserNotFound) + + // verify the admin user is not deleted + usr, err := usrSvc.GetByID(context.Background(), &user.GetUserByIDQuery{ + ID: admin.ID, + }) + require.NoError(t, err) + assert.NotNil(t, usr) + + // verify the viewer2 user is not deleted + _, err = usrSvc.GetByID(context.Background(), &user.GetUserByIDQuery{ + ID: viewer2.ID, + }) + require.NoError(t, err) + assert.NotNil(t, usr) + + // verify the viewer3 user is not deleted + _, err = usrSvc.GetByID(context.Background(), &user.GetUserByIDQuery{ + ID: viewer3.ID, }) require.NoError(t, err) + assert.NotNil(t, usr) } func createOrgAndUserSvc(t *testing.T, store db.DB, cfg *setting.Cfg) (org.Service, user.Service) { ++++++ Makefile ++++++ --- /var/tmp/diff_new_pack.ZLsGeU/_old 2025-05-27 18:44:38.610745239 +0200 +++ /var/tmp/diff_new_pack.ZLsGeU/_new 2025-05-27 18:44:38.614745407 +0200 
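Review bot: The last two `assert.NotNil(t, usr)` calls in TestIntegration_SQLStore_RemoveOrgUser do not check viewer2 or viewer3. Both `GetByID` results are discarded with `_`, so `usr` still holds the server admin fetched just before, and the "not deleted" check for those users rests on `require.NoError` alone. Assign the result before asserting, `usr, err = usrSvc.GetByID(context.Background(), &user.GetUserByIDQuery{ID: viewer2.ID})`, and the same for `viewer3.ID`. The test also never checks that the admin's membership in `o.ID` was actually removed, so it would still pass if removing a server admin became a complete no-op.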
@@ -26,6 +26,7 @@ patch --no-backup-if-mismatch -p1 -i ../../0001-Add-source-code-reference.patch && \ # End patches section \ # Patches for Go modules go after here \ + patch --no-backup-if-mismatch -p1 -i ../../0003-Bump-x-net.patch && \ # End of Go modules patches section \ go mod download && \ go mod verify && \ ++++++ _service ++++++ --- /var/tmp/diff_new_pack.ZLsGeU/_old 2025-05-27 18:44:38.654747090 +0200 +++ /var/tmp/diff_new_pack.ZLsGeU/_new 2025-05-27 18:44:38.658747258 +0200 @@ -4,8 +4,9 @@ <param name="scm">git</param> <param name="exclude">.git</param> <param name="versionformat">@PARENT_TAG@</param> - <param name="versionrewrite-pattern">v(.*)</param> - <param name="revision">v11.6.1</param> + <param name="versionrewrite-pattern">v(.*)-(.*)</param> + <param name="versionrewrite-replacement">\1\2</param> + <param name="revision">v11.6.1+security-01</param> </service> <service name="recompress" mode="manual"> <param name="compression">gz</param> @@ -13,6 +14,7 @@ </service> <service name="set_version" mode="manual"> <param name="basename">grafana</param> + <param name="version">11.6.1+security01</param> </service> </services> ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/grafana/vendor.tar.gz /work/SRC/openSUSE:Factory/.grafana.new.2732/vendor.tar.gz differ: char 5, line 1
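Review bot: In the `_service` hunk, the new `versionrewrite-pattern` `v(.*)-(.*)` only matches tags that contain a hyphen. It fits `v11.6.1+security-01`, but a regular tag of the form `vX.Y.Z` would presumably pass through unrewritten, `v` prefix included. Combined with the hard-coded `<param name="version">11.6.1+security01</param>` under `set_version`, both values must be reverted by hand at the next regular release. An XML comment beside them would make that explicit, e.g. `<!-- security-tag workaround: restore v(.*) and drop the fixed version on the next regular release -->`, so that a stale version string is not shipped with a later source update.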
