From 71c7dacf42b2011045b1e457bae0b87bdf827554 Mon Sep 17 00:00:00 2001
From: Steven Kang
Date: Wed, 2 Oct 2024 15:55:02 +1300
Subject: [PATCH] fix access conditions when the restrict default namespace is enabled (#12281)
---
 api/http/handler/kubernetes/handler.go | 2 +-
 api/kubernetes/cli/access.go | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/api/http/handler/kubernetes/handler.go b/api/http/handler/kubernetes/handler.go
index 7b99a61fb..778f569d2 100644
--- a/api/http/handler/kubernetes/handler.go
+++ b/api/http/handler/kubernetes/handler.go
@@ -197,7 +197,7 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 return
 }
- nonAdminNamespaces, err = pcli.GetNonAdminNamespaces(int(user.ID))
+ nonAdminNamespaces, err = pcli.GetNonAdminNamespaces(int(user.ID), endpoint.Kubernetes.Configuration.RestrictDefaultNamespace)
 if err != nil {
 httperror.WriteError(w, http.StatusInternalServerError, "an error occurred during the KubeClientMiddleware operation, unable to retrieve non-admin namespaces. Error: ", err)
 return
diff --git a/api/kubernetes/cli/access.go b/api/kubernetes/cli/access.go
index 3688357fa..f435ef655 100644
--- a/api/kubernetes/cli/access.go
+++ b/api/kubernetes/cli/access.go
@@ -124,13 +124,17 @@ func (kcl *KubeClient) UpdateNamespaceAccessPolicies(accessPolicies map[string]p
 }
 // GetNonAdminNamespaces retrieves namespaces for a non-admin user, excluding the default namespace if restricted.
-func (kcl *KubeClient) GetNonAdminNamespaces(userID int) ([]string, error) {
+func (kcl *KubeClient) GetNonAdminNamespaces(userID int, isRestrictDefaultNamespace bool) ([]string, error) {
 accessPolicies, err := kcl.GetNamespaceAccessPolicies()
 if err != nil {
 return nil, fmt.Errorf("an error occurred during the getNonAdminNamespaces operation, unable to get namespace access policies via portainer-config. check if portainer-config configMap exists in the Kubernetes cluster: %w", err)
 }
- nonAdminNamespaces := []string{defaultNamespace}
+ nonAdminNamespaces := []string{}
+ if !isRestrictDefaultNamespace {
+ nonAdminNamespaces = append(nonAdminNamespaces, defaultNamespace)
+ }
+
 for namespace, accessPolicy := range accessPolicies {
 if hasUserAccessToNamespace(userID, nil, accessPolicy) {
 nonAdminNamespaces = append(nonAdminNamespaces, namespace)
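Review bot: The doc comment kept above the new signature still says the default namespace is excluded when restricted, but the new code only stops adding it unconditionally; a user whose access policies in the config map include `default` still receives it through the loop below, which is presumably the intended semantics (the flag turns default from "always granted" into "granted only when explicitly assigned"). Suggest rewording it to `// GetNonAdminNamespaces retrieves namespaces for a non-admin user. The default namespace is always included unless isRestrictDefaultNamespace is set, in which case it is included only when the user has an explicit access policy for it.` A second, pre-existing point the commit does not address: when isRestrictDefaultNamespace is false and the access policies also contain `default`, the namespace is appended twice; if callers treat the slice as a set this is harmless, otherwise `if namespace == defaultNamespace && !isRestrictDefaultNamespace { continue }` at the top of the loop would keep it unique. The loop and the function's return run past the end of the hunk. Since this slice decides what a non-admin user can reach, a unit test covering restrict=true with and without an explicit `default` policy would pin the authorization behavior.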