* add useDocsUrl hook and update lint rule

* remove all uses of MetabaseSettings.docsUrl

* update tests

* revert non-docsurl change

== Goal ==

Hide attached DWH database details from anyone incl. admins:
* Do not show them in the UI
* Do not permit to change them
* Do not serialize them

The aim is that customers cannot gain access to (parts of) credentials,
and they cannot break a feature they are paying for by changing
connection details.

== Implementation ==

The Metabase backend already contains provisions in the implementation
of `metabase.models.interface/to-json` for `:model/Database` to hide the
`details` of the database in HTTP responses, if the user lacks write
permission on the database.  We utilize this by adding an
`is_attached_dwh` column to the `database` table and rejecting
`metabase.models.interface/can-write?` when this flag is enabled.  In
the "admin" UI, we show a replacement text instead of the edit form when
the flag is set.  (It might be correct to show this whenever `details`
is absent.  See below for possible follow-up work.)

However, several sections of the frontend code expected the `details`
field to always be present.  In order to make `details` optional, as the
backend seems to handle it, we fix the respective code to treat this
case in the way that appears appropriate in the context.

Database details are already generally excluded from H2 dump snapshots
(see `metabase.cmd.copy/*copy-h2-database-details*`), thus nothing
changes there.

== How to test ==

=== New behaviour ===

Setting the `is_attached_dwh` field hides the database details:

1. Configure a database as described in https://www.metabase.com/docs/latest/configuring-metabase/config-file#databases.
   - In addition to the fields you would normally set, also set
     `is_attached_dwh: true`.
   - This also works when adding this flag to a database that previously
     did not have this flag set.
2. Start your Metabase instance.
3. Verify the database shows up in the "admin" section
   (`/admin/databases`).
4. Verify that clicking the database to see its details only reveals
   "This database cannot be modified."
5. Verify that responses from the backend do not include a `details`
   field for this database.

=== Original behaviour ===

Behaviour without setting the `is_attached_dwh` field is unchanged:

1. Configure a database as described in https://www.metabase.com/docs/latest/configuring-metabase/config-file#databases.
   - Only set the fields you would normally set.  Do not set
     `is_attached_dwh` (or set it to `false`).
2. Start your Metabase instance.
3. Verify the database shows up in the "admin" section
   (`/admin/databases`).
4. Verify that clicking the database to see its details only reveal the
   regular edit form, showing connection fields like `host`, `user`,
   etc. with the values you configured.

== How this will be rolled out ==

1. Upgrade existing Metabase Cloud instances with data warehouse to a
   Metabase version that supports `is_attached_dwh`.
2. Set `is_attached_dwh` in the database section of the config file for
   Metabase Cloud instances with a data warehouse.

== Possible follow-up work ==

In https://github.com/metabase/metabase/issues/25715, absent
`database.details` was identified as a bug.  Since then, `details` was
made `NOT NULL` in the application database, so this bug can no longer
occur.  However, today backend responses can be missing the `details`
field, if the current user lacks write permission to the database
setting (see above).  Fully re-evaluating the fix to #25715 in this
context is outside the scope of this PR.

Closes: https://github.com/metabase/harbormaster/issues/5051

* refactor: sort import members inside destructuring

* Show an error message when the temporal unit is not applicable to a dashboard card (#46983)

* Fix tests

* Add tests

* Add tests

* Fix types

* Fix types

---------

Co-authored-by: Alexander Polyankin <alexander.polyankin@metabase.com>

* allow `:blocked` to be saved for table level perms

* Adds 2 tests for table level blocked permission settings

- N.B. these are NOT ENFORCED YET

* update test that asserted we cannot set block on tables (we can)

* WIP: Pairing on making perms checking less wild

* cleanup, update docs, and add a test for view-data perm only

- Added a test where we have data permissions, but not create query, and
  I think it is failing when we have create query and blocked data
  permissions.
- renamed some functions from check-x -> has-x? since they return a
  value instead of throwing now

* Revert "WIP: Pairing on making perms checking less wild"

Keep the same behavior, but stick with the saner flow control

This reverts commit 63bcb5b4.

* update docs

* update test to be passing

- TODO: make sure it's correct w.r.t. perm settings

* Allow schema level blocked setting in permgraph

* remove invalid test cases

- continue to have a forcing function to test newly added perms

* conform function output

* ensure a single blocked table blocks native queries to its DB

* update error message

- we now catch this error in `metabase.models.query.permissions/has-perm-for-query?`

* we now check for data permissions to process query for card

* add more explanation to what we are testing

- to help see why it fails on CI and passes locally

* remove excess `def`

* Add test for table-level data X collection perms

- update test found to be in-error

* update param values qp permission check style

* set view-data and create-query explicitly

* set viewdata and createquery explicitly in qp test

* Respond to review comments (which fixes a case)

* setting a table to blocked: leave other tables the same

* [Permissions] Add "No access" schema/table permission (#46509)

* first pass

* refactors downgrading native permission logic and updates calculation so that "No access" downgrades native permissions to "No"

* stub for permissions help info on table block

* modal changes wip, updates downgrading create queries permissions to all happen at a single call site

* clean up, sandboxing modal copy changes, removes rekoke/limit access modal changes to make the diff smaller and move code to a seperate PR

* updates permissions help section to contain the final copy

* sandboxing copy fix and remove modal that was dropped from requirements

* adds blocked at the schema level, updates no access copy to blocked, updates permissions help section to contain new blocked and schema level changes

* fixes failed unit and e2e tests after sandboxing copy changes

* improve the block e2e test to include table blocking

* fixes failing blocked test, fixes other schemas create queries permissions getting correct with one schema was droped to blocked view data access, fixes a bug that prevents the save bar from going away when all permissions for group are set to the default values

* clean up

* remove color changes

* prevents parent being set to blocked preventing edits for children entities

* add new hasPermissionValueInSubgraph fn, adds modal to warn users we have to upgrade the view data permissions when they upgrade create queries permissions when a child entity is set to blocked

* adds test coverage for new modal

* removes unused function, adds new updateEntityPermission fn to help consolidate some logic elsewhere

* unit test fix and type fix

* most pr feedback

* updates the confirmation modal copy when changing a parent entity that contains a child with blocked permissions and/or sandboxed children, adds test coverage for that, adds test coverage for permission view data column not appearing in oss

* type fix

* [Permissions] Add e2e test coverage for blocked permissions enforcements (#46663)

* adds test coverage for enforcement of blocked permissions

* moves tests around based on pr feedback

* copy changes

* adds fix to make sure that blocked permissions are not removed from sibling tables that have the create queries permissions upgraded (#46854)

* Fix table name lookup for dbs w/ 1 schema per db

* add test for blank schema identifiers

* Refine sandboxed user perms for query builder access (#46939)

* Refine sandboxed user perms for query builder access

- Limit create-queries permissions to unblocked tables only
- Check user permissions for each table before granting query builder access
- Prevent querying of blocked joined tables from query builder for sandboxed users

* Adjust permissions for sandboxed users

- Grant view-data permissions only for unblocked tables
- Revert create-queries permissions to all tables in sandbox
- Remove unnecessary intermediate variable

* when sandboxing we no longer grant unrestricted view perms for blocked tables

* Update enterprise/backend/src/metabase_enterprise/sandbox/query_processor/middleware/row_level_restrictions.clj

remove blank line

Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>

* - make coalesce-test exhaustive (except for sandbox)

* Update enterprise/backend/src/metabase_enterprise/sandbox/query_processor/middleware/row_level_restrictions.clj

Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>

* t2/select ... -> database/table-id->database-id

* update comment

* [Permissions] Prevent "Granular" option in DB View Data options from changing permissions to unrestricted (#46976)

* fix

* adds back most of the code and limits it to only happen with impersonations, updates test to handle differing logic between the two flows

* removes test that is not longer needed

* more sandbox join table perms tests

---------

Co-authored-by: John Swanson <john.swanson@metabase.com>
Co-authored-by: Sloan Sparger <sloansparger@users.noreply.github.com>
Co-authored-by: Sloan Sparger <sloansparger@gmail.com>
Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>

* only send permissions updates for groups that have been modified in the graph

* Support partial permission graph updates on the BE (#44797)

* handles keeping track of advanced permissions changes to send relevant group data when updating the graph, merges response

* tests and optimizations

* respect group-ids set when fetching connection impersonations, sandboxes, and admin group perms

* fix typo

* add e2e test

* fix BE test

* impls pr feedback, reduces code needed since advanced permissions state is always reset on save

* last fixes

---------

Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Co-authored-by: Noah Moss <noahbmoss@gmail.com>

* Add test

* Fix `xDomain` calculation in QB selectors

* Make database `features` optional

* Update reproductions-3.cy.spec.js

Co-authored-by: Uladzimir Havenchyk <125459446+uladzimirdev@users.noreply.github.com>

---------

Co-authored-by: Uladzimir Havenchyk <125459446+uladzimirdev@users.noreply.github.com>

Co-authored-by: Noah Moss <noahbmoss@gmail.com>
Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Co-authored-by: Nick Fitzpatrick <nick@metabase.com>
Co-authored-by: John Swanson <john.swanson@metabase.com>
Co-authored-by: Sloan Sparger <sloansparger@users.noreply.github.com>
Co-authored-by: Sloan Sparger <sloansparger@gmail.com>

This reverts commit e0e4ade0.

Co-authored-by: Noah Moss <noahbmoss@gmail.com>
Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Co-authored-by: Nick Fitzpatrick <nick@metabase.com>
Co-authored-by: John Swanson <john.swanson@metabase.com>
Co-authored-by: Sloan Sparger <sloansparger@users.noreply.github.com>
Co-authored-by: Sloan Sparger <sloansparger@gmail.com>

* no implicit any on callbacks

* cleaning up use of any

* small adjustments

* PR feedback and unit test adjustment

* typing click handler

* upgrades @testing-library/user-event to v14, updates test to accomidate events always returning promises and other breaking API changes

* Fixing up broken suites. Half way

* rest of tests

* green plz

* Fix new entries of userEvent usage

* unit test adjustments

---------

Co-authored-by: Nick Fitzpatrick <nickfitz.582@gmail.com>
Co-authored-by: Uladzimir Havenchyk <uladzimir.dev@gmail.com>

* v1

* v1

* v1

* Move sync code

* Small refactor

* Upgrade eslint-plugin-import

* Configure import/order rule for consistent, predictable imports

* Change "eslint-disable-next-line no-restricted-imports" into "eslint-disable-line"

* Ensure imports are in a single block

* Move or remove informative comments between import statements

* Remove imports-grouping comments

* Configure groups
- the difference between the default setting is the presence of "internal" group

* Manually fix imports order and disable "import/order" rule in files with possible circular dependencies

* Move comment to the same line as import

* Run "yarn eslint-fix" 5 times
- Remaining: 16 problems (16 errors, 0 warnings)

* Manually fix imports order in remaining files

* Run "yarn prettier"

* Fix import

* Fix circular dependency

* Fix circular dependency

* Remove unused action creator (it was inlined in 702988ec3f8bd4c6bf6bbbdf169dca25a0ca5a13 due to circular dependency)

* Re-add accidentally removed code

* Fix typing

* ESLint

* Use fetchMock.flush() to prevent tests from interfering with each other

* Revert "Use fetchMock.flush() to prevent tests from interfering with each other"

This reverts commit 03f1277cf2bf481ac36db212e15b4f29511a386b.

* Add typing for requests in the redux store

* Fix QueryBuilder flakes by introducing waitForLoadingRequests

* Simplify interface

* Add mocks for requests in redux store, update types

* Simplify code

* Increase timeout

* Fix case where Metabase links are render inside template strings

* Add `no-literal-metabase-strings` ESLint rule

* Fix all Metabase string errors

* Address review: Fix the rule

The rule was checking if we have imported the selector
`getApplicationName` then ignore all Metabase strings. This is different
than `no-unconditional-metabase-links-render` because in that rule, when
fixed the Documentation URLs are still in the file, but in this rule,
when fixed, there should be no Metabase strings left in the file.

* Fix errors from the new lint rule

* Connection Impersonation for Redshift

* redshift test based on the existing postgres one

* fix test

* fix test

* change impersonation UI for redshift

* copy/style updates

* update tests for new copy

* update copy

* lets tweak it even more

---------

Co-authored-by: Noah Moss <noahbmoss@gmail.com>

* [WIP] ESLint for detecting the use of Metabase links

* Add a rule to detect the use of Metabase links

* Add tests to the new eslint lint rule that detect Metabase links

* Fix all places where errors are caused by the new ESLint rule

* Review: Disable rule for admin folder

* Review: Remove rule disable reason from files under admin folder

* Introduce waitForLoadingSpinnerToDisappear

* Use waitForLoadingSpinnerToDisappear in QueryBuilder tests

* Use waitForLoadingSpinnerToDisappear in ObjectDetailWrapper tests

* Use waitForLoadingSpinnerToDisappear in DashboardApp tests

* Use waitForLoadingSpinnerToDisappear in ActionCreatorModal tests

* Use waitForLoadingSpinnerToDisappear in DatabaseEditApp tests

* Use waitForLoadingSpinnerToDisappear in MetricApp tests

* Use waitForLoadingSpinnerToDisappear in SegmentApp tests

* Use waitForLoadingSpinnerToDisappear in DatabasesPermissionsPage tests

* Use waitForLoadingSpinnerToDisappear in GroupsPermissionsPage tests

* Use waitForLoadingSpinnerToDisappear in PremiumEmbeddingLicensePage tests

* Use waitForLoadingSpinnerToDisappear in TableBrowser tests

* Use waitForLoadingSpinnerToDisappear in FieldValuesWidget tests

* Use waitForLoadingSpinnerToDisappear in DataPicker-Models tests

* Use waitForLoadingSpinnerToDisappear in DataPicker-Questions tests

* Use waitForLoadingSpinnerToDisappear in DataPicker-RawData tests

* Use waitForLoadingSpinnerToDisappear in ActionSidebar tests

* Use waitForLoadingSpinnerToDisappear in DashboardHeader tests

* Use waitForLoadingSpinnerToDisappear in SearchBar tests

* Use waitForLoadingSpinnerToDisappear in SearchResults tests

* Use waitForLoadingSpinnerToDisappear in SearchResultsDropdown tests

* Use waitForLoadingSpinnerToDisappear in MainNavbar tests

* Use waitForLoadingSpinnerToDisappear in Navbar tests

* Use waitForLoadingSpinnerToDisappear in PublicAction tests

* Use waitForLoadingSpinnerToDisappear in DefaultPicker tests

* Use waitForLoadingSpinnerToDisappear in TypeFilterContent tests

* Use waitForLoadingSpinnerToDisappear in SearchApp tests

* Replace waitForElementToBeRemoved(() => screen.queryByText("Loading...")) with waitForLoadingSpinnerToDisappear();

* Replace waitForElementToBeRemoved(() => screen.queryByText(/loading/)) with waitForLoadingSpinnerToDisappear();

* Remove all remaining waitForElementToBeRemoved usages

* Replace all spinner queries by text with queries by test-id

* Make spinner existence assertions consistent

* Consolidate imports

* Connect comment to code

* Add explanatory comment

* Rename waitForLoadingSpinnerToDisappear to waitForLoaderToBeRemoved

* throw exception if impersonated db doesn't have default role

* change text in snowflake plugin file

* fix bugs and add tests

* FE changes

* inline enabled? call

* add new driver feature connection-impersonation-requires-role

* use variant=brand

* break out impersonation-enabled-for-db? into a defenterprise helper function

* Update react related imports

* Update places with combined default and named type

* Autofix type imports

* Fix unused eslint-disable

* Include cljs_release to eslintignore

* Autofix type imports

* Add typescript rule

* update prettier

* update prettier styling

* always show permission help

* fix permission page layout

* Move block permission under advanced permissions flag

* fix flag name