Add viewer grant to fixed:datasources:reader if viewers_can_edit is set to true (#44657)

Karl Persson 2022-01-31 16:33:41 +01:00 committed by GitHub
parent de1661e877
commit 5ca9d2895b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 35 deletions


@ -3,6 +3,7 @@ package api
import ( import (
"github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol" "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/setting"
) )
// API related actions // API related actions
@ -61,6 +62,26 @@ func (hs *HTTPServer) declareFixedRoles() error {
Grants: []string{accesscontrol.RoleGrafanaAdmin}, Grants: []string{accesscontrol.RoleGrafanaAdmin},
} }
datasourcesExplorerRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 4,
Name: "fixed:datasources:explorer",
DisplayName: "Data source explorer",
Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
Group: "Data sources",
Permissions: []accesscontrol.Permission{
{
Action: accesscontrol.ActionDatasourcesExplore,
},
},
},
Grants: []string{string(models.ROLE_EDITOR)},
}
if setting.ViewersCanEdit {
datasourcesExplorerRole.Grants = append(datasourcesExplorerRole.Grants, string(models.ROLE_VIEWER))
}
datasourcesReaderRole := accesscontrol.RoleRegistration{ datasourcesReaderRole := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{ Role: accesscontrol.RoleDTO{
Version: 3, Version: 3,
@ -226,7 +247,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
return hs.AccessControl.DeclareFixedRoles( return hs.AccessControl.DeclareFixedRoles(
provisioningWriterRole, datasourcesReaderRole, datasourcesWriterRole, datasourcesIdReaderRole, provisioningWriterRole, datasourcesReaderRole, datasourcesWriterRole, datasourcesIdReaderRole,
datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole, datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole,
orgMaintainerRole, teamsCreatorRole, teamsWriterRole, orgMaintainerRole, teamsCreatorRole, teamsWriterRole, datasourcesExplorerRole,
) )
} }
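Review bot: The Viewer grant appended under `if setting.ViewersCanEdit` is decided once, when declareFixedRoles runs, from a package-level global, and nothing visible in this section shows that grant being withdrawn if viewers_can_edit is later set back to false. Whether `DeclareFixedRoles` reconciles a shrinking `Grants` list on the next start is not shown here, so a test that declares the role with the flag on and then off would pin that Viewers lose `ActionDatasourcesExplore` again. The conditional also deserves a comment stating the intent, for example `// viewers_can_edit extends Explore to Viewers; data source query permissions still apply`. The commit title names fixed:datasources:reader, while the role changed here is `fixed:datasources:explorer`, which matters to anyone auditing role changes from the log. declareFixedRoles starts outside the hunks and is shown only in part.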


@ -15,19 +15,6 @@ type RoleRegistry interface {
// Roles definition // Roles definition
var ( var (
datasourcesExplorerRole = RoleDTO{
Version: 3,
Name: datasourcesExplorer,
DisplayName: "Data source explorer",
Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
Group: "Data sources",
Permissions: []Permission{
{
Action: ActionDatasourcesExplore,
},
},
}
ldapReaderRole = RoleDTO{ ldapReaderRole = RoleDTO{
Name: ldapReader, Name: ldapReader,
DisplayName: "LDAP reader", DisplayName: "LDAP reader",
@ -201,15 +188,14 @@ var (
// Role names definitions // Role names definitions
const ( const (
datasourcesExplorer = "fixed:datasources:explorer" ldapReader = "fixed:ldap:reader"
ldapReader = "fixed:ldap:reader" ldapWriter = "fixed:ldap:writer"
ldapWriter = "fixed:ldap:writer" orgUsersReader = "fixed:org.users:reader"
orgUsersReader = "fixed:org.users:reader" orgUsersWriter = "fixed:org.users:writer"
orgUsersWriter = "fixed:org.users:writer" settingsReader = "fixed:settings:reader"
settingsReader = "fixed:settings:reader" statsReader = "fixed:stats:reader"
statsReader = "fixed:stats:reader" usersReader = "fixed:users:reader"
usersReader = "fixed:users:reader" usersWriter = "fixed:users:writer"
usersWriter = "fixed:users:writer"
) )
var ( var (
@ -220,15 +206,14 @@ var (
// resource. FixedRoleGrants lists which built-in roles are // resource. FixedRoleGrants lists which built-in roles are
// assigned which fixed roles in this list. // assigned which fixed roles in this list.
FixedRoles = map[string]RoleDTO{ FixedRoles = map[string]RoleDTO{
datasourcesExplorer: datasourcesExplorerRole, ldapReader: ldapReaderRole,
ldapReader: ldapReaderRole, ldapWriter: ldapWriterRole,
ldapWriter: ldapWriterRole, orgUsersReader: orgUsersReaderRole,
orgUsersReader: orgUsersReaderRole, orgUsersWriter: orgUsersWriterRole,
orgUsersWriter: orgUsersWriterRole, settingsReader: settingsReaderRole,
settingsReader: settingsReaderRole, statsReader: statsReaderRole,
statsReader: statsReaderRole, usersReader: usersReaderRole,
usersReader: usersReaderRole, usersWriter: usersWriterRole,
usersWriter: usersWriterRole,
} }
// FixedRoleGrants specifies which built-in roles are assigned // FixedRoleGrants specifies which built-in roles are assigned
@ -248,9 +233,6 @@ var (
orgUsersReader, orgUsersReader,
orgUsersWriter, orgUsersWriter,
}, },
string(models.ROLE_EDITOR): {
datasourcesExplorer,
},
} }
) )