diff --git a/pkg/api/plugins.go b/pkg/api/plugins.go index 48f938b83ea..466093c8ac1 100644 --- a/pkg/api/plugins.go +++ b/pkg/api/plugins.go @@ -13,6 +13,9 @@ import ( "sort" "strings" + "github.com/grafana/grafana/pkg/services/accesscontrol" + "github.com/grafana/grafana/pkg/services/datasources" + "github.com/grafana/grafana-plugin-sdk-go/backend" "github.com/grafana/grafana/pkg/api/dtos" "github.com/grafana/grafana/pkg/api/response" @@ -32,8 +35,10 @@ func (hs *HTTPServer) GetPluginList(c *models.ReqContext) response.Response { embeddedFilter := c.Query("embedded") coreFilter := c.Query("core") - // For users with viewer role we only return core plugins - if !c.HasRole(models.ROLE_ADMIN) { + // When using access control anyone that can create a data source should be able to list all data sources installed + // Fallback to only letting admins list non-core plugins + hasAccess := accesscontrol.HasAccess(hs.AccessControl, c) + if !hasAccess(accesscontrol.ReqOrgAdmin, accesscontrol.EvalPermission(datasources.ActionCreate)) || c.HasRole(models.ROLE_ADMIN) { coreFilter = "1" } diff --git a/pkg/services/datasources/accesscontrol.go b/pkg/services/datasources/accesscontrol.go index 30dc2d1d213..4b16ab1479c 100644 --- a/pkg/services/datasources/accesscontrol.go +++ b/pkg/services/datasources/accesscontrol.go @@ -37,7 +37,6 @@ var ( NewPageAccess = accesscontrol.EvalAll( accesscontrol.EvalPermission(ActionRead), accesscontrol.EvalPermission(ActionCreate), - accesscontrol.EvalPermission(ActionWrite), ) // EditPageAccess is used to protect the "Configure > Data sources > Edit" page access diff --git a/public/app/features/datasources/DataSourcesListPage.tsx b/public/app/features/datasources/DataSourcesListPage.tsx index ca8c5d3ec20..f03e7ede1af 100644 --- a/public/app/features/datasources/DataSourcesListPage.tsx +++ b/public/app/features/datasources/DataSourcesListPage.tsx @@ -60,9 +60,7 @@ export class DataSourcesListPage extends PureComponent { const { dataSources, dataSourcesCount, navModel, layoutMode, searchQuery, setDataSourcesSearchQuery, hasFetched } = this.props; - const canCreateDataSource = - contextSrv.hasPermission(AccessControlAction.DataSourcesCreate) && - contextSrv.hasPermission(AccessControlAction.DataSourcesWrite); + const canCreateDataSource = contextSrv.hasPermission(AccessControlAction.DataSourcesCreate); const linkButton = { href: 'datasources/new',