From 9b9a57b427c9cad0038587c6453e537c9e902ef4 Mon Sep 17 00:00:00 2001 From: John Niang Date: Mon, 26 Dec 2022 14:26:32 +0800 Subject: [PATCH] Fix invalid attachment role templates (#3024) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #### What type of PR is this? /kind bug /area core /milestone 2.1.x #### What this PR does / why we need it: - Add missing resources `"policies", "policytemplates", "groups"` in policy rules in attachment role templates. - Correct `nonResourceURLs` and `verbs` See https://github.com/halo-dev/halo/issues/3007 for more. #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/3007 #### Special notes for your reviewer: Steps to test: 1. Start Halo and login with `admin` 2. Create a Role with `Attachment Manage` permission only 3. Create an user and assign the role to the user 4. Set password for the user 5. Log out current user and log in as the user created just now 6. Try to do various operations in attachment tab - Create and list policy - Create and list group - Upload and list attachments #### Does this PR introduce a user-facing change? ```release-note 修复附件权限定义的错误 ```
---
 .../extensions/role-template-attachment.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/main/resources/extensions/role-template-attachment.yaml b/src/main/resources/extensions/role-template-attachment.yaml
index d2d039e94..8bc99670a 100644
--- a/src/main/resources/extensions/role-template-attachment.yaml
+++ b/src/main/resources/extensions/role-template-attachment.yaml
@@ -12,13 +12,16 @@ metadata:
 ["system:attachments:manage"]
 rules:
 - apiGroups: [ "storage.halo.run" ]
- resources: [ "attachments" ]
+ resources: [ "attachments", "policies", "policytemplates", "groups" ]
 verbs: [ "*" ]
 - apiGroups: [ "api.console.halo.run" ]
 resources: [ "attachments" ]
 verbs: [ "*" ]
- - nonResourceURLs: [ "/apis/api.console.halo.run/attachments/upload" ]
- verbs: [ "post" ]
+ - apiGroups: [ "" ]
+ resources: [ "settings" ]
+ verbs: [ "get" ]
+ - nonResourceURLs: [ "/apis/api.console.halo.run/v1alpha1/attachments/upload" ]
+ verbs: [ "create" ]
 ---
 apiVersion: v1alpha1
 kind: "Role"
@@ -33,7 +36,7 @@ metadata:
 ["system:attachments:view"]
 rules:
 - apiGroups: [ "storage.halo.run" ]
- resources: [ "attachments" ]
+ resources: [ "attachments", "policies", "policytemplates", "groups" ]
 verbs: [ "get", "list" ]
 - apiGroups: [ "api.console.halo.run" ]
 resources: [ "attachments" ]
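Review bot: The added `settings` rule in the manage template (`apiGroups: [ "" ]`, `verbs: [ "get" ]`) carries no `resourceNames`, so holders of the attachment-manage permission can read every Setting in the core group rather than only the ones the storage policy forms need. If the role rule schema accepts `resourceNames` as Kubernetes-style RBAC does, the rule could be narrowed with `resourceNames: [ "<policy-template-setting-name>" ]` (placeholder; the real names are not in this diff). The same hunk also extends the `verbs: [ "*" ]` rule to `policies`, `policytemplates` and `groups`, which means any verb introduced later is granted on those resources without review; an explicit verb list would keep that a deliberate choice. A one-line comment above the `settings` rule stating why an attachment role reads that resource would help the next person auditing this template.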
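Review bot: In the view template, `get`/`list` on `policies` now reaches every role that includes `system:attachments:view`, and the diff does not show what a storage Policy object contains. If a Policy only references its backend configuration this is harmless, but if it embeds endpoint or credential fields, read-only users would see them, so that is worth confirming before merge. Once checked, a comment above the rule such as `# policies/policytemplates/groups are read-only here; Policy objects reference their config and hold no secrets` would record the decision. The rule list continues past the end of the hunk, so the remaining view rules were not reviewed here.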