From db371d2a5dfaae37ed36f9d8fea761e7f2ac69e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torkel=20=C3=96degaard?=
Date: Mon, 26 Jan 2015 20:26:17 +0100
Subject: [PATCH] API: added admin role requirement for account changes, datasource admin, and api keys admin
---
 pkg/api/api.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/pkg/api/api.go b/pkg/api/api.go
index 71837c0fce6..8b1d641a0ed 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -14,6 +14,7 @@ func Register(r *macaron.Macaron) {
 reqSignedIn := middleware.Auth(&middleware.AuthOptions{ReqSignedIn: true})
 reqGrafanaAdmin := middleware.Auth(&middleware.AuthOptions{ReqSignedIn: true, ReqGrafanaAdmin: true})
 reqEditorRole := middleware.RoleAuth(m.ROLE_EDITOR, m.ROLE_ADMIN)
+ reqAccountAdmin := middleware.RoleAuth(m.ROLE_ADMIN)
 bind := binding.Bind
 // not logged in views
@@ -55,7 +56,8 @@ func Register(r *macaron.Macaron) {
 r.Post("/users", bind(m.AddAccountUserCommand{}), AddAccountUser)
 r.Get("/users", GetAccountUsers)
 r.Delete("/users/:id", RemoveAccountUser)
- })
+ }, reqAccountAdmin)
+
 // Token
 r.Group("/tokens", func() {
 r.Combo("/").
@@ -63,20 +65,24 @@ func Register(r *macaron.Macaron) {
 Post(bind(m.AddTokenCommand{}), AddToken).
 Put(bind(m.UpdateTokenCommand{}), UpdateToken)
 r.Delete("/:id", DeleteToken)
- })
+ }, reqAccountAdmin)
+
 // Data sources
 r.Group("/datasources", func() {
 r.Combo("/").Get(GetDataSources).Put(AddDataSource).Post(UpdateDataSource)
 r.Delete("/:id", DeleteDataSource)
 r.Any("/proxy/:id/*", reqSignedIn, ProxyDataSourceRequest)
- })
+ }, reqAccountAdmin)
+
 // Dashboard
 r.Group("/dashboard", func() {
 r.Combo("/:slug").Get(GetDashboard).Delete(DeleteDashboard)
 r.Post("/", reqEditorRole, bind(m.SaveDashboardCommand{}), PostDashboard)
 })
+
 // Search
 r.Get("/search/", Search)
+
 // metrics
 r.Get("/metrics/test", GetTestMetrics)
 }, reqSignedIn)
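Review bot: `reqAccountAdmin` is declared next to `reqGrafanaAdmin` with nothing saying how the two differ, and picking the wrong one on a route changes who is let in. A one-line comment above the new line would help, for example `// reqAccountAdmin: caller must hold ROLE_ADMIN in the current account (not the server-wide Grafana admin flag)`. That wording assumes `RoleAuth` checks the per-account role, which is not visible in this hunk. Register's body continues outside the hunk.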
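Review bot: Putting `reqAccountAdmin` on the whole `/datasources` group also places `r.Any("/proxy/:id/*", reqSignedIn, ProxyDataSourceRequest)` behind the admin role and leaves its own `reqSignedIn` redundant. If dashboards query data sources through this proxy for editors and viewers (not visible here), those users would now be denied. Registering it outside the group as `r.Any("/datasources/proxy/:id/*", ProxyDataSourceRequest)` would keep the admin requirement on the CRUD routes only. Separately, in the `/dashboard` group `Delete(DeleteDashboard)` carries no role requirement while `Post` has `reqEditorRole`, so any signed-in user reaches the delete handler unless it checks the role itself. Splitting the Combo into `r.Get("/:slug", GetDashboard)` and `r.Delete("/:slug", reqEditorRole, DeleteDashboard)` would align the two. Register's body starts outside the hunk.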