Revert "Authz: Removes setting viewers_can_edit" (#101528)

Revert "Authz: Removes setting `viewers_can_edit` (#101265)" This reverts commit 4ce41acade.
2025-03-03 18:26:55 +00:00
parent 22d39f585d
commit 5f6b00a72f
5 changed files with 44 additions and 12 deletions
@@ -221,6 +221,10 @@ func (a *accessControlDashboardGuardian) CanEdit() (bool, error) {
 		return false, ErrGuardianDashboardNotFound.Errorf("failed to check edit permissions for dashboard")
 	}

+	if a.cfg.ViewersCanEdit {
+		return a.CanView()
+	}
+
 	return a.evaluate(
 		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.UID)),
 	)
@@ -231,6 +235,10 @@ func (a *accessControlFolderGuardian) CanEdit() (bool, error) {
 		return false, ErrGuardianFolderNotFound.Errorf("failed to check edit permissions for folder")
 	}

+	if a.cfg.ViewersCanEdit {
+		return a.CanView()
+	}
+
 	return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.folder.UID)))
 }

@@ -36,10 +36,11 @@ var (
 )

 type accessControlGuardianTestCase struct {
-	desc        string
-	dashboard   *dashboards.Dashboard
-	permissions []accesscontrol.Permission
-	expected    bool
+	desc           string
+	dashboard      *dashboards.Dashboard
+	permissions    []accesscontrol.Permission
+	viewersCanEdit bool
+	expected       bool
 }

 func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
@@ -256,6 +257,18 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			},
 			expected: false,
 		},
+		{
+			desc:      "should be able to edit dashboard with read action when viewer_can_edit is true",
+			dashboard: dashboard,
+			permissions: []accesscontrol.Permission{
+				{
+					Action: dashboards.ActionDashboardsRead,
+					Scope:  "dashboards:uid:1",
+				},
+			},
+			viewersCanEdit: true,
+			expected:       true,
+		},
 		{
 			desc:      "should not be able to edit folder with folder write and dashboard wildcard scope",
 			dashboard: fldr,
@@ -311,11 +324,24 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			},
 			expected: false,
 		},
+		{
+			desc:      "should be able to edit folder with folder read action when viewer_can_edit is true",
+			dashboard: fldr,
+			permissions: []accesscontrol.Permission{
+				{
+					Action: dashboards.ActionFoldersRead,
+					Scope:  folderUIDScope,
+				},
+			},
+			viewersCanEdit: true,
+			expected:       true,
+		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
 			cfg := setting.NewCfg()
+			cfg.ViewersCanEdit = tt.viewersCanEdit
 			guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, cfg)

 			can, err := guardian.CanEdit()
@@ -30,7 +30,7 @@ type CallbackHandler func(c *contextmodel.ReqContext) response.Response
 func (s *QueryHistoryService) permissionsMiddleware(handler CallbackHandler, errorMessage string) CallbackHandler {
 	return func(c *contextmodel.ReqContext) response.Response {
 		hasAccess := ac.HasAccess(s.accessControl, c)
-		if c.GetOrgRole() == org.RoleViewer && !hasAccess(ac.EvalPermission(ac.ActionDatasourcesExplore)) {
+		if c.GetOrgRole() == org.RoleViewer && !s.Cfg.ViewersCanEdit && !hasAccess(ac.EvalPermission(ac.ActionDatasourcesExplore)) {
 			return response.Error(http.StatusUnauthorized, errorMessage, nil)
 		}
 		return handler(c)