
fix: fixed permission issue with api key with viewer role in dashboards with default permissions

Torkel Ödegaard 7 سال پیش
والد
کامیت
24d0b43e62
3فایلهای تغییر یافته به همراه28 افزوده شده و 2 حذف شده
  1. 1 1
      pkg/services/guardian/guardian.go
  2. 6 1
      pkg/services/guardian/guardian_test.go
  3. 21 0
      pkg/services/guardian/guardian_util_test.go

+ 1 - 1
pkg/services/guardian/guardian.go

@@ -83,7 +83,7 @@ func (g *dashboardGuardianImpl) checkAcl(permission m.PermissionType, acl []*m.D
 
 	for _, p := range acl {
 		// user match
-		if !g.user.IsAnonymous {
+		if !g.user.IsAnonymous && p.UserId > 0 {
 			if p.UserId == g.user.UserId && p.Permission >= permission {
 				return true, nil
 			}
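Review bot: The added `p.UserId > 0` guard in the user-match branch filters only the ACL-entry side of the comparison, while the principal side still relies on `IsAnonymous` alone. A signed-in principal with `UserId == 0` (the API-key user built in the new test helper is one) is therefore kept out of the user match only because every zero-valued ACL row is skipped here. Checking the principal as well states the intent and fails closed: `if !g.user.IsAnonymous && g.user.UserId > 0 && p.UserId > 0 {`. A why-comment would also help the next reader, for example `// API keys have UserId 0; ACL rows without a user (presumably role/team rows) also have UserId 0 and must not match as a user`. The rest of checkAcl lies outside this hunk, so it is worth confirming that no other id comparison in the loop can match on a zero value in the same way.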

+ 6 - 1
pkg/services/guardian/guardian_test.go

@@ -162,6 +162,11 @@ func TestGuardianViewer(t *testing.T) {
 			sc.parentFolderPermissionScenario(VIEWER, m.PERMISSION_EDIT, EDITOR_ACCESS)
 			sc.parentFolderPermissionScenario(VIEWER, m.PERMISSION_VIEW, VIEWER_ACCESS)
 		})
+
+		apiKeyScenario("Given api key with viewer role", t, m.ROLE_VIEWER, func(sc *scenarioContext) {
+			// dashboard has default permissions
+			sc.defaultPermissionScenario(VIEWER, m.PERMISSION_EDIT, VIEWER_ACCESS)
+		})
 	})
 }
 
@@ -267,7 +272,7 @@ func (sc *scenarioContext) verifyExpectedPermissionsFlags() {
 			actualFlag = NO_ACCESS
 		}
 
-		if sc.expectedFlags&actualFlag != sc.expectedFlags {
+		if actualFlag&sc.expectedFlags != actualFlag {
 			sc.reportFailure(tc, sc.expectedFlags.String(), actualFlag.String())
 		}
 
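Review bot: The rewritten comparison `actualFlag&sc.expectedFlags != actualFlag` reports a failure only when the guardian grants a bit that was not expected, so a result that grants fewer bits than expected now passes. The old form had the opposite blind spot (over-granting passed), which is presumably how the API-key case went unnoticed. For an authorization test both directions matter, so an exact match is the safer assertion: `if actualFlag != sc.expectedFlags {`. If some existing scenarios rely on subset semantics, keep the current check but say so in a comment, e.g. `// only over-granting is treated as a failure here`. verifyExpectedPermissionsFlags starts and ends outside the hunk, so how `actualFlag` is assembled is not visible here.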

+ 21 - 0
pkg/services/guardian/guardian_util_test.go

@@ -48,6 +48,27 @@ func orgRoleScenario(desc string, t *testing.T, role m.RoleType, fn scenarioFunc
 	})
 }
 
+func apiKeyScenario(desc string, t *testing.T, role m.RoleType, fn scenarioFunc) {
+	user := &m.SignedInUser{
+		UserId:   0,
+		OrgId:    orgID,
+		OrgRole:  role,
+		ApiKeyId: 10,
+	}
+	guard := New(dashboardID, orgID, user)
+	sc := &scenarioContext{
+		t:                t,
+		orgRoleScenario:  desc,
+		givenUser:        user,
+		givenDashboardID: dashboardID,
+		g:                guard,
+	}
+
+	Convey(desc, func() {
+		fn(sc)
+	})
+}
+
 func permissionScenario(desc string, dashboardID int64, sc *scenarioContext, permissions []*m.DashboardAclInfoDTO, fn scenarioFunc) {
 	bus.ClearBusHandlers()