Add viewer grant to fixed:datasources:reader if viewers_can_edit is set to true (#44657)

2025-02-25 18:55:37 -06:00 · 2022-01-31 16:33:41 +01:00 · 2022-01-31 16:33:41 +01:00 · 5ca9d2895b
commit 5ca9d2895b
parent de1661e877
2 changed files with 38 additions and 35 deletions
--- a/pkg/api/roles.go
+++ b/pkg/api/roles.go
@ -3,6 +3,7 @@ package api
 import (
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/setting"
 )

 // API related actions
@ -61,6 +62,26 @@ func (hs *HTTPServer) declareFixedRoles() error {
 		Grants: []string{accesscontrol.RoleGrafanaAdmin},
 	}

+	datasourcesExplorerRole := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Version:     4,
+			Name:        "fixed:datasources:explorer",
+			DisplayName: "Data source explorer",
+			Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
+			Group:       "Data sources",
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: accesscontrol.ActionDatasourcesExplore,
+				},
+			},
+		},
+		Grants: []string{string(models.ROLE_EDITOR)},
+	}
+
+	if setting.ViewersCanEdit {
+		datasourcesExplorerRole.Grants = append(datasourcesExplorerRole.Grants, string(models.ROLE_VIEWER))
+	}
+
 	datasourcesReaderRole := accesscontrol.RoleRegistration{
 		Role: accesscontrol.RoleDTO{
 			Version:     3,
@ -226,7 +247,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 	return hs.AccessControl.DeclareFixedRoles(
 		provisioningWriterRole, datasourcesReaderRole, datasourcesWriterRole, datasourcesIdReaderRole,
 		datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole,
-		orgMaintainerRole, teamsCreatorRole, teamsWriterRole,
+		orgMaintainerRole, teamsCreatorRole, teamsWriterRole, datasourcesExplorerRole,
 	)
 }

--- a/pkg/services/accesscontrol/roles.go
+++ b/pkg/services/accesscontrol/roles.go
@ -15,19 +15,6 @@ type RoleRegistry interface {

 // Roles definition
 var (
-	datasourcesExplorerRole = RoleDTO{
-		Version:     3,
-		Name:        datasourcesExplorer,
-		DisplayName: "Data source explorer",
-		Description: "Enable the Explore feature. Data source permissions still apply; you can only query data sources for which you have query permissions.",
-		Group:       "Data sources",
-		Permissions: []Permission{
-			{
-				Action: ActionDatasourcesExplore,
-			},
-		},
-	}
-
 	ldapReaderRole = RoleDTO{
 		Name:        ldapReader,
 		DisplayName: "LDAP reader",
@ -201,7 +188,6 @@ var (

 // Role names definitions
 const (
-	datasourcesExplorer = "fixed:datasources:explorer"
 	ldapReader     = "fixed:ldap:reader"
 	ldapWriter     = "fixed:ldap:writer"
 	orgUsersReader = "fixed:org.users:reader"
@ -220,7 +206,6 @@ var (
 	// resource. FixedRoleGrants lists which built-in roles are
 	// assigned which fixed roles in this list.
 	FixedRoles = map[string]RoleDTO{
-		datasourcesExplorer: datasourcesExplorerRole,
 		ldapReader:     ldapReaderRole,
 		ldapWriter:     ldapWriterRole,
 		orgUsersReader: orgUsersReaderRole,
@ -248,9 +233,6 @@ var (
 			orgUsersReader,
 			orgUsersWriter,
 		},
-		string(models.ROLE_EDITOR): {
-			datasourcesExplorer,
-		},
 	}
 )