AccessControl: Let users with data source create permissions list non-core plugins (#48897)

* Only require create and permissions for new data source page

* Let users with permissions to create data sources list non-core plugins

* Keep the admin check as fallback when using rbac as well

pkg/api/plugins.go

@@ -13,6 +13,9 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/datasources"
+
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"github.com/grafana/grafana/pkg/api/dtos"
 	"github.com/grafana/grafana/pkg/api/response"
@@ -32,8 +35,10 @@ func (hs *HTTPServer) GetPluginList(c *models.ReqContext) response.Response {
 	embeddedFilter := c.Query("embedded")
 	coreFilter := c.Query("core")
 
-	// For users with viewer role we only return core plugins
+	// When using access control anyone that can create a data source should be able to list all data sources installed
-	if !c.HasRole(models.ROLE_ADMIN) {
+	// Fallback to only letting admins list non-core plugins
+	hasAccess := accesscontrol.HasAccess(hs.AccessControl, c)
+	if !hasAccess(accesscontrol.ReqOrgAdmin, accesscontrol.EvalPermission(datasources.ActionCreate)) || c.HasRole(models.ROLE_ADMIN) {
 		coreFilter = "1"
 	}
 

pkg/services/datasources/accesscontrol.go

@@ -37,7 +37,6 @@ var (
 	NewPageAccess = accesscontrol.EvalAll(
 		accesscontrol.EvalPermission(ActionRead),
 		accesscontrol.EvalPermission(ActionCreate),
-		accesscontrol.EvalPermission(ActionWrite),
 	)
 
 	// EditPageAccess is used to protect the "Configure > Data sources > Edit" page access

public/app/features/datasources/DataSourcesListPage.tsx

@@ -60,9 +60,7 @@ export class DataSourcesListPage extends PureComponent<Props> {
     const { dataSources, dataSourcesCount, navModel, layoutMode, searchQuery, setDataSourcesSearchQuery, hasFetched } =
       this.props;
 
-    const canCreateDataSource =
+    const canCreateDataSource = contextSrv.hasPermission(AccessControlAction.DataSourcesCreate);
-      contextSrv.hasPermission(AccessControlAction.DataSourcesCreate) &&
-      contextSrv.hasPermission(AccessControlAction.DataSourcesWrite);
 
     const linkButton = {
       href: 'datasources/new',