Prevent Viewer role from overriding temp vars from URL query

ui/src/dashboards/actions/index.ts

@@ -3,6 +3,8 @@ import {replace} from 'react-router-redux'
 import _ from 'lodash'
 import queryString from 'query-string'
 
+import {isUserAuthorized, EDITOR_ROLE} from 'src/auth/Authorized'
+
 import {
   getDashboards as getDashboardsAJAX,
   getDashboard as getDashboardAJAX,
@@ -21,6 +23,7 @@ import {errorThrown} from 'src/shared/actions/errors'
 
 import {
   generateURLQueryFromTempVars,
+  findUpdatedTempVarsInURLQuery,
   findInvalidTempVarsInURLQuery,
 } from 'src/dashboards/utils/tempVars'
 import {validTimeRange, validAbsoluteTimeRange} from 'src/dashboards/utils/time'
@@ -39,6 +42,7 @@ import {
   notifyInvalidTempVarValueInURLQuery,
   notifyInvalidZoomedTimeRangeValueInURLQuery,
   notifyInvalidTimeRangeValueInURLQuery,
+  notifyViewerUnauthorizedToSetTempVars,
 } from 'src/shared/copy/notifications'
 
 import {CellType} from 'src/types/dashboard'
@@ -778,9 +782,23 @@ const syncDashboardTempVarsFromURLQueries = (dashboardID, urlQueries) => (
   dispatch,
   getState
 ) => {
-  const dashboard = getState().dashboardUI.dashboards.find(
+  const {
-    d => d.id === dashboardID
+    dashboardUI,
+    auth: {isUsingAuth, me},
+  } = getState()
+  const dashboard = dashboardUI.dashboards.find(d => d.id === dashboardID)
+
+  // viewers are not currently allowed to select temp vars and/or use overrides
+  if (isUsingAuth && !isUserAuthorized(me.role, EDITOR_ROLE)) {
+    const urlQueryTempVarsWithUpdatedValues = findUpdatedTempVarsInURLQuery(
+      dashboard.templates,
+      urlQueries
     )
+    if (urlQueryTempVarsWithUpdatedValues.length) {
+      dispatch(notify(notifyViewerUnauthorizedToSetTempVars()))
+      return
+    }
+  }
 
   const urlQueryTempVarsWithInvalidValues = findInvalidTempVarsInURLQuery(
     dashboard.templates,

ui/src/dashboards/utils/tempVars.ts

@@ -134,6 +134,29 @@ export const applyDashboardTempVarOverrides = (
   ),
 })
 
+export const findUpdatedTempVarsInURLQuery = (tempVars, urlQueries) => {
+  const urlQueryTempVarsWithInvalidValues = _.reduce(
+    urlQueries,
+    (acc, v, k) => {
+      const matchedTempVar = tempVars.find(
+        ({tempVar}) => stripTempVar(tempVar) === k
+      )
+      if (matchedTempVar) {
+        const isDifferentTempVarValue = !!matchedTempVar.values.find(
+          ({value, selected}) => selected && value !== v
+        )
+        if (isDifferentTempVarValue) {
+          acc.push({key: k, value: v})
+        }
+      }
+      return acc
+    },
+    []
+  )
+
+  return urlQueryTempVarsWithInvalidValues
+}
+
 export const findInvalidTempVarsInURLQuery = (tempVars, urlQueries) => {
   const urlQueryTempVarsWithInvalidValues = _.reduce(
     urlQueries,

ui/src/shared/copy/notifications.ts

@@ -202,6 +202,11 @@ export const notifyJSONFeedFailed = url => ({
   message: `Failed to fetch JSON Feed for News Feed from '${url}'`,
 })
 
+export const notifyViewerUnauthorizedToSetTempVars = () => ({
+  ...defaultErrorNotification,
+  message: `Viewer role unauthorized to override template variable values from URL.`,
+})
+
 //  Chronograf Admin Notifications
 //  ----------------------------------------------------------------------------
 export const notifyMappingDeleted = (id, scheme) => ({