From 5ca9d2895bd2c14a600bc5951ae77bd0e39f101e Mon Sep 17 00:00:00 2001
From: Karl Persson
Date: Mon, 31 Jan 2022 16:33:41 +0100
Subject: [PATCH] Add viewer grant to `fixed:datasources:reader` if viewers_can_edit is set to true (#44657)

---
 pkg/api/roles.go | 23 ++++++++++++-
 pkg/services/accesscontrol/roles.go | 50 +++++++++--------------------
 2 files changed, 38 insertions(+), 35 deletions(-)

diff --git a/pkg/api/roles.go b/pkg/api/roles.go
index fc0ed14ca7f..15b741d17a3 100644
--- a/pkg/api/roles.go
+++ b/pkg/api/roles.go
@@ -3,6 +3,7 @@ package api
 import (
 "github.com/grafana/grafana/pkg/models"
 "github.com/grafana/grafana/pkg/services/accesscontrol"
+ "github.com/grafana/grafana/pkg/setting"
 )
 
 // API related actions
@@ -61,6 +62,26 @@ func (hs *HTTPServer) declareFixedRoles() error {
 Grants: []string{accesscontrol.RoleGrafanaAdmin},
 }
 
+ datasourcesExplorerRole := accesscontrol.RoleRegistration{
+ Role: accesscontrol.RoleDTO{
+ Version: 4,
+ Name: "fixed:datasources:explorer",
+ DisplayName: "Data source explorer",
+ Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
+ Group: "Data sources",
+ Permissions: []accesscontrol.Permission{
+ {
+ Action: accesscontrol.ActionDatasourcesExplore,
+ },
+ },
+ },
+ Grants: []string{string(models.ROLE_EDITOR)},
+ }
+
+ if setting.ViewersCanEdit {
+ datasourcesExplorerRole.Grants = append(datasourcesExplorerRole.Grants, string(models.ROLE_VIEWER))
+ }
+
 datasourcesReaderRole := accesscontrol.RoleRegistration{
 Role: accesscontrol.RoleDTO{
 Version: 3,
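Review bot: The commit subject says the viewer grant is added to `fixed:datasources:reader`, but the conditional `append(..., string(models.ROLE_VIEWER))` in this hunk targets `datasourcesExplorerRole` (`Name: "fixed:datasources:explorer"`); one of the two should be corrected so the change log matches the permission viewers actually receive. The grant list is built once from the package-level `setting.ViewersCanEdit` when declareFixedRoles runs, so the flag is effectively read at startup; if HTTPServer already carries a `*setting.Cfg`, reading the flag from it would keep the role in step with the injected config and make the branch testable without mutating globals. It is also worth confirming that turning viewers_can_edit off after a run with it on removes the viewer grant in whatever DeclareFixedRoles persists, which this hunk cannot show. A comment above the `if` would spare the next reader a lookup: `// Viewers may only explore when viewers_can_edit is on; Version was bumped from 3 to 4 because the grant set changed.` declareFixedRoles continues outside the hunk.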
@@ -226,7 +247,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 return hs.AccessControl.DeclareFixedRoles(
 provisioningWriterRole, datasourcesReaderRole, datasourcesWriterRole, datasourcesIdReaderRole,
 datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole,
- orgMaintainerRole, teamsCreatorRole, teamsWriterRole,
+ orgMaintainerRole, teamsCreatorRole, teamsWriterRole, datasourcesExplorerRole,
 )
 }
 
diff --git a/pkg/services/accesscontrol/roles.go b/pkg/services/accesscontrol/roles.go
index 6e1107faf3d..5bbb6b8a633 100644
--- a/pkg/services/accesscontrol/roles.go
+++ b/pkg/services/accesscontrol/roles.go
@@ -15,19 +15,6 @@ type RoleRegistry interface {
 
 // Roles definition
 var (
- datasourcesExplorerRole = RoleDTO{
- Version: 3,
- Name: datasourcesExplorer,
- DisplayName: "Data source explorer",
- Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
- Group: "Data sources",
- Permissions: []Permission{
- {
- Action: ActionDatasourcesExplore,
- },
- },
- }
-
 ldapReaderRole = RoleDTO{
 Name: ldapReader,
 DisplayName: "LDAP reader",
@@ -201,15 +188,14 @@ var (
 
 // Role names definitions
 const (
- datasourcesExplorer = "fixed:datasources:explorer"
- ldapReader = "fixed:ldap:reader"
- ldapWriter = "fixed:ldap:writer"
- orgUsersReader = "fixed:org.users:reader"
- orgUsersWriter = "fixed:org.users:writer"
- settingsReader = "fixed:settings:reader"
- statsReader = "fixed:stats:reader"
- usersReader = "fixed:users:reader"
- usersWriter = "fixed:users:writer"
+ ldapReader = "fixed:ldap:reader"
+ ldapWriter = "fixed:ldap:writer"
+ orgUsersReader = "fixed:org.users:reader"
+ orgUsersWriter = "fixed:org.users:writer"
+ settingsReader = "fixed:settings:reader"
+ statsReader = "fixed:stats:reader"
+ usersReader = "fixed:users:reader"
+ usersWriter = "fixed:users:writer"
 )
 
 var (
@@ -220,15 +206,14 @@ var (
 // resource. FixedRoleGrants lists which built-in roles are
 // assigned which fixed roles in this list.
 FixedRoles = map[string]RoleDTO{
- datasourcesExplorer: datasourcesExplorerRole,
- ldapReader: ldapReaderRole,
- ldapWriter: ldapWriterRole,
- orgUsersReader: orgUsersReaderRole,
- orgUsersWriter: orgUsersWriterRole,
- settingsReader: settingsReaderRole,
- statsReader: statsReaderRole,
- usersReader: usersReaderRole,
- usersWriter: usersWriterRole,
+ ldapReader: ldapReaderRole,
+ ldapWriter: ldapWriterRole,
+ orgUsersReader: orgUsersReaderRole,
+ orgUsersWriter: orgUsersWriterRole,
+ settingsReader: settingsReaderRole,
+ statsReader: statsReaderRole,
+ usersReader: usersReaderRole,
+ usersWriter: usersWriterRole,
 }
 
 // FixedRoleGrants specifies which built-in roles are assigned
@@ -248,9 +233,6 @@ var (
 orgUsersReader,
 orgUsersWriter,
 },
- string(models.ROLE_EDITOR): {
- datasourcesExplorer,
- },
 }
 )
 