AccessControl: Let users with data source create permissions list non-core plugins (#48897)

* Only require create and permissions for new data source page * Let users with permissions to create data sources list non-core plugins * Keep the admin check as fallback when using rbac as well
4 years ago · 60bc3e4e5c
parent 555867135b
commit 60bc3e4e5c
3 changed files with 8 additions and 6 deletions
--- a/pkg/api/plugins.go
+++ b/pkg/api/plugins.go
@ -13,6 +13,9 @@ import (
 	"sort"
 	"strings"

+	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/datasources"
+
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"github.com/grafana/grafana/pkg/api/dtos"
 	"github.com/grafana/grafana/pkg/api/response"
@ -32,8 +35,10 @@ func (hs *HTTPServer) GetPluginList(c *models.ReqContext) response.Response {
 	embeddedFilter := c.Query("embedded")
 	coreFilter := c.Query("core")

-	// For users with viewer role we only return core plugins
-	if !c.HasRole(models.ROLE_ADMIN) {
+	// When using access control anyone that can create a data source should be able to list all data sources installed
+	// Fallback to only letting admins list non-core plugins
+	hasAccess := accesscontrol.HasAccess(hs.AccessControl, c)
+	if !hasAccess(accesscontrol.ReqOrgAdmin, accesscontrol.EvalPermission(datasources.ActionCreate)) || c.HasRole(models.ROLE_ADMIN) {
 		coreFilter = "1"
 	}

--- a/pkg/services/datasources/accesscontrol.go
+++ b/pkg/services/datasources/accesscontrol.go
@ -37,7 +37,6 @@ var (
 	NewPageAccess = accesscontrol.EvalAll(
 		accesscontrol.EvalPermission(ActionRead),
 		accesscontrol.EvalPermission(ActionCreate),
-		accesscontrol.EvalPermission(ActionWrite),
 	)

 	// EditPageAccess is used to protect the "Configure > Data sources > Edit" page access
--- a/public/app/features/datasources/DataSourcesListPage.tsx
+++ b/public/app/features/datasources/DataSourcesListPage.tsx
@ -60,9 +60,7 @@ export class DataSourcesListPage extends PureComponent<Props> {
    const { dataSources, dataSourcesCount, navModel, layoutMode, searchQuery, setDataSourcesSearchQuery, hasFetched } =
      this.props;

-    const canCreateDataSource =
-      contextSrv.hasPermission(AccessControlAction.DataSourcesCreate) &&
-      contextSrv.hasPermission(AccessControlAction.DataSourcesWrite);
+    const canCreateDataSource = contextSrv.hasPermission(AccessControlAction.DataSourcesCreate);

    const linkButton = {
      href: 'datasources/new',