Access Control: Add fine-grained access control to explore (#35883)

* add fixed role for datasource read operations * Add action for datasource explore * add authorize middleware to explore index route * add fgac support for explore navlink * update hasAccessToExplore to check if accesscontrol is enable and evalute action if it is * add getExploreRoles to evalute roles based onaccesscontrol, viewersCanEdit and default * create function to evaluate permissions or using fallback if accesscontrol is disabled * change hasAccess to prop and derive the value in mapStateToProps * add test case to ensure buttons is not rendered when user does not have access * Only hide return with changes button * remove internal links if user does not have access to explorer Co-authored-by: Ivana Huckova <30407135+ivanahuckova@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2021-07-02 14:43:12 +02:00
parent ef05596e07
commit 2fd7031102
13 changed files with 150 additions and 34 deletions
--- a/public/app/routes/routes.tsx
+++ b/public/app/routes/routes.tsx
@@ -3,11 +3,12 @@ import LdapPage from 'app/features/admin/ldap/LdapPage';
 import UserAdminPage from 'app/features/admin/UserAdminPage';
 import { LoginPage } from 'app/core/components/Login/LoginPage';
 import config from 'app/core/config';
-import { DashboardRoutes } from 'app/types';
+import { AccessControlAction, DashboardRoutes } from 'app/types';
 import { SafeDynamicImport } from '../core/components/DynamicImports/SafeDynamicImport';
 import { RouteDescriptor } from '../core/navigation/types';
 import { Redirect } from 'react-router-dom';
 import ErrorPage from 'app/core/components/ErrorPage/ErrorPage';
+import { contextSrv } from 'app/core/services/context_srv';

 export const extraRoutes: RouteDescriptor[] = [];

@@ -135,7 +136,11 @@ export function getAppRoutes(): RouteDescriptor[] {
    {
      path: '/explore',
      pageClass: 'page-explore',
-      roles: () => (config.viewersCanEdit ? [] : ['Editor', 'Admin']),
+      roles: () =>
+        evaluatePermission(
+          () => (config.viewersCanEdit ? [] : ['Editor', 'Admin']),
+          AccessControlAction.DataSourcesExplore
+        ),
      component: SafeDynamicImport(() => import(/* webpackChunkName: "explore" */ 'app/features/explore/Wrapper')),
    },
    {
@@ -515,3 +520,16 @@ export function getAppRoutes(): RouteDescriptor[] {
    // ...playlistRoutes,
  ];
 }
+
+// evaluates access control permission, using fallback if access control is disabled
+const evaluatePermission = (fallback: () => string[], action: AccessControlAction): string[] => {
+  if (!config.featureToggles['accesscontrol']) {
+    return fallback();
+  }
+  if (contextSrv.hasPermission(action)) {
+    return [];
+  } else {
+    // Hack to reject when user does not have permission
+    return ['Reject'];
+  }
+};