Skip to content

Commit

Permalink
Merge branch 'main' into fix-subject
Browse files Browse the repository at this point in the history
  • Loading branch information
wy65701436 authored Sep 20, 2023
2 parents 8a2f5b5 + 4051b2b commit 9691eb4
Showing 1 changed file with 6 additions and 9 deletions.
15 changes: 6 additions & 9 deletions src/server/v2.0/handler/user.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,6 @@ import (
"github.com/goharbor/harbor/src/common"
commonmodels "github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/common/rbac/system"
"github.com/goharbor/harbor/src/common/security"
"github.com/goharbor/harbor/src/common/security/local"
"github.com/goharbor/harbor/src/common/utils"
Expand All @@ -44,8 +43,6 @@ import (
operation "github.com/goharbor/harbor/src/server/v2.0/restapi/operations/user"
)

var userResource = system.NewNamespace().Resource(rbac.ResourceUser)

type usersAPI struct {
BaseAPI
ctl user.Controller
Expand Down Expand Up @@ -108,7 +105,7 @@ func (u *usersAPI) CreateUser(ctx context.Context, params operation.CreateUserPa
}

func (u *usersAPI) ListUsers(ctx context.Context, params operation.ListUsersParams) middleware.Responder {
if err := u.RequireSystemAccess(ctx, rbac.ActionList, userResource); err != nil {
if err := u.RequireSystemAccess(ctx, rbac.ActionList, rbac.ResourceUser); err != nil {
return u.SendError(ctx, err)
}
query, err := u.BuildQuery(ctx, params.Q, params.Sort, params.Page, params.PageSize)
Expand Down Expand Up @@ -365,7 +362,7 @@ func (u *usersAPI) requireForCLISecret(ctx context.Context, id int) error {
if !ok || !sctx.IsAuthenticated() {
return errors.UnauthorizedError(nil)
}
if !matchUserID(sctx, id) && !sctx.Can(ctx, rbac.ActionUpdate, userResource) {
if !matchUserID(sctx, id) && !sctx.Can(ctx, rbac.ActionUpdate, rbac.ResourceUser) {
return errors.ForbiddenError(nil).WithMessage("Not authorized to update the CLI secret for user: %d", id)
}
return nil
Expand Down Expand Up @@ -400,7 +397,7 @@ func (u *usersAPI) requireReadable(ctx context.Context, id int) error {
if !ok || !sctx.IsAuthenticated() {
return errors.UnauthorizedError(nil)
}
if !matchUserID(sctx, id) && !sctx.Can(ctx, rbac.ActionRead, userResource) {
if !matchUserID(sctx, id) && !sctx.Can(ctx, rbac.ActionRead, rbac.ResourceUser) {
return errors.ForbiddenError(nil).WithMessage("Not authorized to read user: %d", id)
}
return nil
Expand All @@ -411,7 +408,7 @@ func (u *usersAPI) requireDeletable(ctx context.Context, id int) error {
if !ok || !sctx.IsAuthenticated() {
return errors.UnauthorizedError(nil)
}
if !sctx.Can(ctx, rbac.ActionDelete, userResource) {
if !sctx.Can(ctx, rbac.ActionDelete, rbac.ResourceUser) {
return errors.ForbiddenError(nil).WithMessage("Not authorized to delete users")
}
if matchUserID(sctx, id) || id == 1 {
Expand Down Expand Up @@ -439,10 +436,10 @@ func modifiable(ctx context.Context, authMode string, id int) bool {
sctx, _ := security.FromContext(ctx)
if authMode == common.DBAuth {
// In db auth, admin can update anyone's info, and regular user can update his own
return sctx.Can(ctx, rbac.ActionUpdate, userResource) || matchUserID(sctx, id)
return sctx.Can(ctx, rbac.ActionUpdate, rbac.ResourceUser) || matchUserID(sctx, id)
}
// In none db auth, only the local admin's password can be updated.
return id == 1 && sctx.Can(ctx, rbac.ActionUpdate, userResource)
return id == 1 && sctx.Can(ctx, rbac.ActionUpdate, rbac.ResourceUser)
}

func matchUserID(sctx security.Context, id int) bool {
Expand Down

0 comments on commit 9691eb4

Please sign in to comment.