AccessControl: Restrict more the access to the data sources configuration tab (#38966)

Co-authored-by: Emil Tullstedt <sakjur@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2021-09-08 13:15:21 +02:00 · 2021-09-08 13:15:21 +02:00 · 8585273c29
commit 8585273c29
parent 5caf6cb369
1 changed files with 11 additions and 1 deletions
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@ -18,6 +18,16 @@ const (
 	darkName  = "dark"
 )

+// dataSourcesConfigurationAccessEvaluator is used to protect the "Configure > Data sources" tab access
+var dataSourcesConfigurationAccessEvaluator = ac.EvalAll(
+	ac.EvalPermission(ActionDatasourcesRead, ScopeDatasourcesAll),
+	ac.EvalAny(
+		ac.EvalPermission(ActionDatasourcesCreate),
+		ac.EvalPermission(ActionDatasourcesDelete),
+		ac.EvalPermission(ActionDatasourcesWrite),
+	),
+)
+
 func (hs *HTTPServer) getProfileNode(c *models.ReqContext) *dtos.NavLink {
 	// Only set login if it's different from the name
 	var login string
@ -253,7 +263,7 @@ func (hs *HTTPServer) getNavTree(c *models.ReqContext, hasEditPerm bool) ([]*dto

 	configNodes := []*dtos.NavLink{}

-	if hasAccess(ac.ReqOrgAdmin, ac.EvalPermission(ActionDatasourcesRead)) {
+	if hasAccess(ac.ReqOrgAdmin, dataSourcesConfigurationAccessEvaluator) {
 		configNodes = append(configNodes, &dtos.NavLink{
 			Text:        "Data sources",
 			Icon:        "database",