* Nav: Add access to Connections section for plugin routes
* Nav: Fix whitespace lint in hasConnectionsPluginItems
* refactor(navtree): extract hasAccessibleInclude method
* Nav: create Connections section before addAppLinks
* fix(connections): show section to users with plugin children, not only datasource admins
Previously the Connections section was only added to the nav tree when
the user had ConfigurationPageAccess (datasources:create or read+write).
This meant plugin pages registered under the "connections" section ID
(e.g. grafana-collector-app, grafana-pdc-app) were invisible to viewers
who lacked datasource write permissions, even when they had access to
those plugins.
Changes:
- buildDataConnectionsNavLink now always returns the Connections section
so that addAppLinks can attach plugin children regardless of the
caller's datasource permissions. Core items (add-new-connection,
datasources) remain gated by ConfigurationPageAccess.
- NavTreeRoot.RemoveEmptyConnectionsSection prunes the section after all
app links and enterprise hooks have run if no children were registered.
Called from setIndexViewData alongside RemoveEmptyAdminSections.
- /connections landing page route relaxed to reqSignedIn. The page
derives its cards from the nav tree (grafana/grafana#122017), so any
signed-in user who has nav children can view it; sub-pages retain their
own per-route authorization.
- Tests added covering: admin sees core items, viewer gets empty section,
viewer with plugin attachment sees the section, and empty pruning.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: resolve cherry-pick conflicts remove duplicated test
---------
Co-authored-by: Jára Benc <jaroslav.benc@grafana.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* add redirect for resource endpoints
* update to use new goff ff system
* fix tests
* fix mispelling
* add explicit check in test
* Add more tests to verify
* add header forwarding tests
* fmt + lint
* Provisioning: relax auth for dashboard preview paths
Dashboard preview URLs under /admin/provisioning/*/dashboard/preview/*
now only require reqSignedIn instead of reqOrgAdmin. This allows
non-admin users to access preview links posted in pull-request comments
by the git-sync backend.
The rest of /admin/provisioning/* still requires OrgAdmin.
No URL changes are needed, so this fix is backward-compatible with all
frontend versions and avoids issues during the 8-week frontend rollout
window.
Fixesgrafana/git-ui-sync-project#963
Made-with: Cursor
* Accept reqOrgAdmin as web.Handler parameter
ProvisioningAuth now takes a web.Handler fallback instead of
constructing the role check internally, keeping the call site
consistent with other route registrations.
Made-with: Cursor
feat(secrets): add /admin/secrets/secure-values backend route
Add new /admin/secrets/secure-values route with SecureValues permissions
and update /admin/secrets to accept both SecureValues and Keepers
permissions for the redirect page.
Part of: grafana/grafana-operator-experience-squad#1737
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Register GET routes for /admin/secrets/keepers and /admin/secrets/keepers/*
behind the secretsManagementAppPlatformUI feature flag with keepers-specific
RBAC permissions, so direct page loads serve the SPA instead of returning 404.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* add some integration tests for existing datasource crud endpoints
* implement GET by uid redirect handler
* fix apis authorizer
* add unit tests for connections client
* add tests for the k8s datasource handler
* use the correct group, and dont prettify group name in listConnections response
* FS: Move multiTenantFrontend evaluation to OpenFeature
* comment
* actually, just remove the toggle
* fix k8s prefs test using toggle
* replace frontend flag usage
* codeowners
* move isFrontendService just into core
* put back comment
* rename /mtfe route to /femt to match project name
* set correct navTree JSON property name
* call GetWebAssets in the request handler to prevent stale assets during development
* Call /bootdata and render grafana
* set nonce on script
* write csp header in index handler
* write report-only csp as well
* debug stuff
* more debug logging
* move importing app into a seperate, async-loaded module
* Clean up comments
* make /femt redirect to / in the frontend
* remove console.log
* remove stale commented code
* call __grafana_load_failed if bootstrap fails
* comment for __grafana_boot_data_promise
* remove console.log
* remove blank newline
* codeowners
* replace the usage of dashboard guardians with calling AC evaluators or checking access in middleware
* linting fixes
* fix test
* more test fixes
* remove a todo comment
* RBAC: Remove accessControlOnCall feature toggle
* Leave the other one in place
* Tests
* frontend
* Readd empty ft to frontend test
* Remove legacy RBAC check
* Fix test
* no need for context
* Remove unused variable
* Remove unecessary param
* remove unecessary param from tests
* More tests :D
* Move drilldown apps from Explore to a new navbar item "Drilldown"
* Commit make i18n-extract
* Update drilldown icon
* Added alert to explore with call out to drilldown apps
* Add isNew field for nav item which shows a "New!" badge on the navbar and expands it by default
* Fix e2e test
* CloudMigrations: delete unused code
* CloudMigrations: add access control and protect API + navtree with action
* CloudMigrations: register access control roles
* CloudMigrations: gate frontend based with access control
* CloudMigrations: fix api tests
* CloudMigrations: add docs on new actions and roles
* CloudMigrations: dont interpolate vars to make it more greppable
* CloudMigrations: run prettier
