diff --git a/pkg/api/api.go b/pkg/api/api.go
index b5214f93d35..50700108394 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -14,6 +14,7 @@ func (hs *HTTPServer) registerRoutes() {
 	reqGrafanaAdmin := middleware.ReqGrafanaAdmin
 	reqEditorRole := middleware.ReqEditorRole
 	reqOrgAdmin := middleware.ReqOrgAdmin
+	reqAdminOrEditorCanAdmin := middleware.EditorCanAdmin(hs.Cfg.EditorsCanOwn)
 	redirectFromLegacyDashboardURL := middleware.RedirectFromLegacyDashboardURL()
 	redirectFromLegacyDashboardSoloURL := middleware.RedirectFromLegacyDashboardSoloURL()
 	quota := middleware.Quota(hs.QuotaService)
@@ -41,8 +42,8 @@ func (hs *HTTPServer) registerRoutes() {
 	r.Get("/org/users", reqOrgAdmin, hs.Index)
 	r.Get("/org/users/new", reqOrgAdmin, hs.Index)
 	r.Get("/org/users/invite", reqOrgAdmin, hs.Index)
-	r.Get("/org/teams", reqOrgAdmin, hs.Index)
-	r.Get("/org/teams/*", reqOrgAdmin, hs.Index)
+	r.Get("/org/teams", reqAdminOrEditorCanAdmin, hs.Index)
+	r.Get("/org/teams/*", reqAdminOrEditorCanAdmin, hs.Index)
 	r.Get("/org/apikeys/", reqOrgAdmin, hs.Index)
 	r.Get("/dashboard/import/", reqSignedIn, hs.Index)
 	r.Get("/configuration", reqGrafanaAdmin, hs.Index)
@@ -161,7 +162,7 @@ func (hs *HTTPServer) registerRoutes() {
 		teamsRoute.Delete("/:teamId/members/:userId", Wrap(RemoveTeamMember))
 		teamsRoute.Get("/:teamId/preferences", Wrap(GetTeamPreferences))
 		teamsRoute.Put("/:teamId/preferences", bind(dtos.UpdatePrefsCmd{}), Wrap(UpdateTeamPreferences))
-	}, reqOrgAdmin)
+	}, reqAdminOrEditorCanAdmin)
 
 	// team without requirement of user to be org admin
 	apiRoute.Group("/teams", func(teamsRoute routing.RouteRegister) {
diff --git a/pkg/middleware/auth.go b/pkg/middleware/auth.go
index e06409211eb..6bf37e7fd50 100644
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
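Review bot: The `/api/teams` group closed by `}, reqAdminOrEditorCanAdmin)` in the third hunk now admits any org Editor through the middleware whenever `hs.Cfg.EditorsCanOwn` is set, including for `Delete("/:teamId/members/:userId")` and whatever create/update/delete team routes sit above the hunk. `EditorCanAdmin` looks only at the org role, so it cannot distinguish an editor who administers that particular team from one who does not; that per-team check has to live in each handler, and none of those handlers appear in this diff, so whether they do it is an inference. I would mark the gate so the next reader does not mistake it for a complete authorization check, e.g. `}, reqAdminOrEditorCanAdmin) // org-role gate only: handlers must verify the editor is an admin of :teamId`. The `apiRoute.Group("/teams", ...)` that this line closes starts outside the hunk.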
@@ -86,3 +86,20 @@ func Auth(options *AuthOptions) macaron.Handler {
 		}
 	}
 }
+
+func EditorCanAdmin(enabled bool) macaron.Handler {
+	return func(c *m.ReqContext) {
+		ok := false
+		if c.OrgRole == m.ROLE_ADMIN {
+			ok = true
+		}
+
+		if c.OrgRole == m.ROLE_EDITOR && enabled {
+			ok = true
+		}
+
+		if !ok {
+			accessForbidden(c)
+		}
+	}
+}
diff --git a/public/app/routes/routes.ts b/public/app/routes/routes.ts
index 442fb5acb0c..06af66d7d5d 100644
--- a/public/app/routes/routes.ts
+++ b/public/app/routes/routes.ts
@@ -207,7 +207,7 @@ export function setupAngularRoutes($routeProvider, $locationProvider) {
     .when('/org/teams/edit/:id/:page?', {
       template: '',
       resolve: {
-        roles: () => ['Admin'],
+        roles: () => (config.editorsCanOwn ? ['Editor', 'Admin'] : ['Admin']),
         component: () => TeamPages,
       },
     })
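Review bot: `EditorCanAdmin` is exported but carries no doc comment, and its name reads as if editors are always admitted, whereas the body admits Admins unconditionally and Editors only when `enabled` is true. I would add `// EditorCanAdmin returns a middleware that admits org Admins, and additionally org Editors when enabled (the editors_can_own setting); anyone else gets accessForbidden. It checks the org role only, not membership or admin status in any particular team.` The `ok` flag and two assignments collapse to one guard, `if c.OrgRole == m.ROLE_ADMIN || (enabled && c.OrgRole == m.ROLE_EDITOR) { return }` followed by `accessForbidden(c)`, which also makes the allow set obvious at a glance. The role is read straight from `c.OrgRole`, so if anonymous access is configured to map to the Editor role this gate would also admit unauthenticated requests when the flag is on — that depends on how the request context is populated, which is not in this diff, but it is worth confirming before shipping.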
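Review bot: The `roles` resolve on the `/org/teams/edit/:id/:page?` route is a client-side navigation guard, not a security control; the server-side gate on `/api/teams` is what enforces access, so this line must not be read as authorization. It also relies on `config.editorsCanOwn` being populated from the same backend setting the API reads (`hs.Cfg.EditorsCanOwn`), and how that value reaches the frontend settings object is not in this diff — if it is not exported, the route silently falls back to `['Admin']` while the API already admits editors. A short comment would prevent the misreading: `// UI gate only; the API enforces access via EditorCanAdmin`.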