From 24d0b43e620d3a9d9e6b7b3df4eed64edfc2588a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torkel=20=C3=96degaard?=
Date: Tue, 19 Jun 2018 11:10:17 +0200
Subject: [PATCH] fix: fixed permission issue with api key with viewer role in dashboards with default permissions
---
 pkg/services/guardian/guardian.go | 2 +-
 pkg/services/guardian/guardian_test.go | 7 ++++++-
 pkg/services/guardian/guardian_util_test.go | 21 +++++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/pkg/services/guardian/guardian.go b/pkg/services/guardian/guardian.go
index bf455adc7ca..cfd8f5c3a6e 100644
--- a/pkg/services/guardian/guardian.go
+++ b/pkg/services/guardian/guardian.go
@@ -83,7 +83,7 @@ func (g *dashboardGuardianImpl) checkAcl(permission m.PermissionType, acl []*m.D
 for _, p := range acl {
 // user match
- if !g.user.IsAnonymous {
+ if !g.user.IsAnonymous && p.UserId > 0 {
 if p.UserId == g.user.UserId && p.Permission >= permission {
 return true, nil
 }
diff --git a/pkg/services/guardian/guardian_test.go b/pkg/services/guardian/guardian_test.go
index 5e56b1d88c3..bd257473feb 100644
--- a/pkg/services/guardian/guardian_test.go
+++ b/pkg/services/guardian/guardian_test.go
@@ -162,6 +162,11 @@ func TestGuardianViewer(t *testing.T) {
 sc.parentFolderPermissionScenario(VIEWER, m.PERMISSION_EDIT, EDITOR_ACCESS)
 sc.parentFolderPermissionScenario(VIEWER, m.PERMISSION_VIEW, VIEWER_ACCESS)
 })
+
+ apiKeyScenario("Given api key with viewer role", t, m.ROLE_VIEWER, func(sc *scenarioContext) {
+ // dashboard has default permissions
+ sc.defaultPermissionScenario(VIEWER, m.PERMISSION_EDIT, VIEWER_ACCESS)
+ })
 })
 }
@@ -267,7 +272,7 @@ func (sc *scenarioContext) verifyExpectedPermissionsFlags() {
 actualFlag = NO_ACCESS
 }
- if sc.expectedFlags&actualFlag != sc.expectedFlags {
+ if actualFlag&sc.expectedFlags != actualFlag {
 sc.reportFailure(tc, sc.expectedFlags.String(), actualFlag.String())
 }
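Review bot: The added `p.UserId > 0` guard is what stops a role-scoped ACL entry from matching an API-key caller, but nothing in the hunk records why the zero check is there, and it reads as incidental; a comment would keep a later refactor from dropping it: `// Role- and team-scoped ACL entries carry UserId 0, and so does a SignedInUser authenticated by API key; without this guard such an entry matches and grants its permission to any API key in the org.` Folding the entry-kind check into the comparison itself, `if p.UserId > 0 && p.UserId == g.user.UserId && p.Permission >= permission {`, would also keep the IsAnonymous guard about the caller and the UserId guard about the entry. If the team-match branch further down in checkAcl compares `p.TeamId` against the caller's teams in the same way, it may need the analogous non-zero guard, but that branch is outside this hunk. checkAcl begins and ends outside the hunk.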
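Review bot: The new apiKeyScenario block checks only PERMISSION_EDIT, while the neighbouring VIEWER scenarios above pair each EDIT expectation with a PERMISSION_VIEW one; adding `sc.defaultPermissionScenario(VIEWER, m.PERMISSION_VIEW, VIEWER_ACCESS)` would also prove the new guard does not over-tighten and still lets an API key with viewer role view the dashboard. This assumes the third argument is the expected access flag, as the sibling calls suggest. The inline comment could name the regression it pins instead of restating the setup: `// regression: an API-key user has UserId 0 and used to match the role-scoped default ACL entries`. TestGuardianViewer begins outside the hunk.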
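Review bot: The rewritten condition `if actualFlag&sc.expectedFlags != actualFlag {` only fails when actualFlag carries a bit that expectedFlags lacks; it passes whenever actualFlag is a subset of the expectation, so the `actualFlag = NO_ACCESS` assignment just above (if NO_ACCESS is the zero value) now satisfies every expectation and a guardian that wrongly denies access is no longer reported. The previous form had the mirror-image gap, where an extra granted bit passed. Unless partial matches are intended here, an exact comparison closes both gaps: `if actualFlag != sc.expectedFlags {`. verifyExpectedPermissionsFlags begins and ends outside the hunk.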
diff --git a/pkg/services/guardian/guardian_util_test.go b/pkg/services/guardian/guardian_util_test.go
index b065c4194ad..3d839e71b74 100644
--- a/pkg/services/guardian/guardian_util_test.go
+++ b/pkg/services/guardian/guardian_util_test.go
@@ -48,6 +48,27 @@ func orgRoleScenario(desc string, t *testing.T, role m.RoleType, fn scenarioFunc
 })
 }
+func apiKeyScenario(desc string, t *testing.T, role m.RoleType, fn scenarioFunc) {
+ user := &m.SignedInUser{
+ UserId: 0,
+ OrgId: orgID,
+ OrgRole: role,
+ ApiKeyId: 10,
+ }
+ guard := New(dashboardID, orgID, user)
+ sc := &scenarioContext{
+ t: t,
+ orgRoleScenario: desc,
+ givenUser: user,
+ givenDashboardID: dashboardID,
+ g: guard,
+ }
+
+ Convey(desc, func() {
+ fn(sc)
+ })
+
 func permissionScenario(desc string, dashboardID int64, sc *scenarioContext, permissions []*m.DashboardAclInfoDTO, fn scenarioFunc) {
 bus.ClearBusHandlers()
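Review bot: apiKeyScenario has no doc comment, and the one property that makes it different from orgRoleScenario — `UserId: 0` together with a set `ApiKeyId` — is exactly the shape that exposed the checkAcl bug, so it deserves stating: `// apiKeyScenario runs fn with a guardian for a caller authenticated by API key: UserId is 0 and ApiKeyId is set, the combination that used to match role-scoped ACL entries.` The literal `ApiKeyId: 10` would read better as a package constant alongside the `orgID` and `dashboardID` the helper already uses, e.g. `apiKeyID`. As rendered here the hunk ends at `+ })` with no closing `}` for apiKeyScenario before `func permissionScenario`, which is most likely a page-extraction artifact since the header's 21 added lines would include it, but worth confirming against the source.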