dashboard acl stuff

pkg/services/guardian/guardian.go

@@ -25,18 +25,18 @@ func NewDashboardGuardian(dashId int64, orgId int64, user *m.SignedInUser) *Dash
 }
 
 func (g *DashboardGuardian) CanSave() (bool, error) {
-	return g.HasPermission(m.PERMISSION_EDIT, m.ROLE_EDITOR)
+	return g.HasPermission(m.PERMISSION_EDIT)
 }
 
 func (g *DashboardGuardian) CanEdit() (bool, error) {
-	return g.HasPermission(m.PERMISSION_EDIT, m.ROLE_READ_ONLY_EDITOR)
+	return g.HasPermission(m.PERMISSION_EDIT)
 }
 
 func (g *DashboardGuardian) CanView() (bool, error) {
-	return g.HasPermission(m.PERMISSION_VIEW, m.ROLE_VIEWER)
+	return g.HasPermission(m.PERMISSION_VIEW)
 }
 
-func (g *DashboardGuardian) HasPermission(permission m.PermissionType, fallbackRole m.RoleType) (bool, error) {
+func (g *DashboardGuardian) HasPermission(permission m.PermissionType) (bool, error) {
 	if g.user.OrgRole == m.ROLE_ADMIN {
 		return true, nil
 	}
@@ -46,11 +46,6 @@ func (g *DashboardGuardian) HasPermission(permission m.PermissionType, fallbackR
 		return false, err
 	}
 
-	// if no acl use org role to determine permission
-	if len(acl) == 0 {
-		return g.user.HasRole(fallbackRole), nil
-	}
-
 	userGroups, err := g.getUserGroups()
 	if err != nil {
 		return false, err
@@ -66,6 +61,12 @@ func (g *DashboardGuardian) HasPermission(permission m.PermissionType, fallbackR
 				return true, nil
 			}
 		}
+
+		if p.Role.IsValid() {
+			if p.Role == g.user.OrgRole && p.Permission >= permission {
+				return true, nil
+			}
+		}
 	}
 
 	return false, nil

pkg/services/sqlstore/dashboard_acl.go

@@ -132,6 +132,7 @@ func GetInheritedDashboardAcl(query *m.GetInheritedDashboardAclQuery) error {
   da.dashboard_id,
   da.user_id,
   da.user_group_id,
+  da.role,
   da.permission,
   da.created,
   da.updated