fix(rbac): clean leftovers (#4265)
parent
45cada05d5
commit
b4f97efb85
|
@ -155,11 +155,11 @@ func (transport *Transport) applyAccessControlOnResource(parameters *resourceOpe
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if resourceControl == nil && (executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess) {
|
if resourceControl == nil && (executor.operationContext.isAdmin) {
|
||||||
return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
|
return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
|
||||||
}
|
}
|
||||||
|
|
||||||
if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess || (resourceControl != nil && authorization.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl)) {
|
if executor.operationContext.isAdmin || (resourceControl != nil && authorization.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl)) {
|
||||||
responseObject = decorateObject(responseObject, resourceControl)
|
responseObject = decorateObject(responseObject, resourceControl)
|
||||||
return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
|
return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
|
||||||
}
|
}
|
||||||
|
@ -168,7 +168,7 @@ func (transport *Transport) applyAccessControlOnResource(parameters *resourceOpe
|
||||||
}
|
}
|
||||||
|
|
||||||
func (transport *Transport) applyAccessControlOnResourceList(parameters *resourceOperationParameters, resourceData []interface{}, executor *operationExecutor) ([]interface{}, error) {
|
func (transport *Transport) applyAccessControlOnResourceList(parameters *resourceOperationParameters, resourceData []interface{}, executor *operationExecutor) ([]interface{}, error) {
|
||||||
if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess {
|
if executor.operationContext.isAdmin {
|
||||||
return transport.decorateResourceList(parameters, resourceData, executor.operationContext.resourceControls)
|
return transport.decorateResourceList(parameters, resourceData, executor.operationContext.resourceControls)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -241,13 +241,13 @@ func (transport *Transport) filterResourceList(parameters *resourceOperationPara
|
||||||
}
|
}
|
||||||
|
|
||||||
if resourceControl == nil {
|
if resourceControl == nil {
|
||||||
if context.isAdmin || context.endpointResourceAccess {
|
if context.isAdmin {
|
||||||
filteredResourceData = append(filteredResourceData, resourceObject)
|
filteredResourceData = append(filteredResourceData, resourceObject)
|
||||||
}
|
}
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
if context.isAdmin || context.endpointResourceAccess || authorization.UserCanAccessResource(context.userID, context.userTeamIDs, resourceControl) {
|
if context.isAdmin || authorization.UserCanAccessResource(context.userID, context.userTeamIDs, resourceControl) {
|
||||||
resourceObject = decorateObject(resourceObject, resourceControl)
|
resourceObject = decorateObject(resourceObject, resourceControl)
|
||||||
filteredResourceData = append(filteredResourceData, resourceObject)
|
filteredResourceData = append(filteredResourceData, resourceObject)
|
||||||
}
|
}
|
||||||
|
|
|
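Review bot: The tightened condition `if resourceControl == nil && (executor.operationContext.isAdmin) {` keeps a parenthesised single operand left over from the removed `|| endpointResourceAccess` term; write it as `if resourceControl == nil && executor.operationContext.isAdmin {`. The same narrowing appears in applyAccessControlOnResourceList and filterResourceList, so after this commit the only paths that grant access on the proxy are the administrator role or an explicit match through authorization.UserCanAccessResource; since that removes a path non-admin users previously had, a short comment above these checks stating the rule (admin, or a resource control naming the user or one of their teams) would help the next reader. All three enclosing functions start and end outside their hunks.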
@ -44,7 +44,6 @@ type (
|
||||||
|
|
||||||
restrictedDockerOperationContext struct {
|
restrictedDockerOperationContext struct {
|
||||||
isAdmin bool
|
isAdmin bool
|
||||||
endpointResourceAccess bool
|
|
||||||
userID portainer.UserID
|
userID portainer.UserID
|
||||||
userTeamIDs []portainer.TeamID
|
userTeamIDs []portainer.TeamID
|
||||||
resourceControls []portainer.ResourceControl
|
resourceControls []portainer.ResourceControl
|
||||||
|
@ -653,22 +652,11 @@ func (transport *Transport) createOperationContext(request *http.Request) (*rest
|
||||||
isAdmin: true,
|
isAdmin: true,
|
||||||
userID: tokenData.ID,
|
userID: tokenData.ID,
|
||||||
resourceControls: resourceControls,
|
resourceControls: resourceControls,
|
||||||
endpointResourceAccess: false,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if tokenData.Role != portainer.AdministratorRole {
|
if tokenData.Role != portainer.AdministratorRole {
|
||||||
operationContext.isAdmin = false
|
operationContext.isAdmin = false
|
||||||
|
|
||||||
user, err := transport.dataStore.User().User(operationContext.userID)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
_, ok := user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]
|
|
||||||
if ok {
|
|
||||||
operationContext.endpointResourceAccess = true
|
|
||||||
}
|
|
||||||
|
|
||||||
teamMemberships, err := transport.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
|
teamMemberships, err := transport.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
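Review bot: createOperationContext still builds the context with `isAdmin: true,` and relies on the later `operationContext.isAdmin = false` assignment to demote non-admins, a fail-open initialisation that a future edit to the branch can silently break; set it directly with `isAdmin: tokenData.Role == portainer.AdministratorRole,` and make the following branch `if !operationContext.isAdmin {`. The removed `transport.dataStore.User().User(...)` call was also the only lookup in this hunk that confirmed the token's user still exists in the store; if nothing upstream performs that check, a still-valid JWT for a since-deleted user now yields a non-admin context whose team query simply returns no memberships, which is worth confirming against the JWT middleware. The function starts and ends outside the hunk.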
@ -23,7 +23,7 @@ angular.module('portainer.app').controller('StacksDatatableController', [
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return !(item.External && !this.isAdmin && !this.isEndpointAdmin);
|
return !(item.External && !this.isAdmin);
|
||||||
};
|
};
|
||||||
|
|
||||||
this.applyFilters = applyFilters.bind(this);
|
this.applyFilters = applyFilters.bind(this);
|
||||||
|
@ -41,7 +41,6 @@ angular.module('portainer.app').controller('StacksDatatableController', [
|
||||||
|
|
||||||
this.$onInit = function () {
|
this.$onInit = function () {
|
||||||
this.isAdmin = Authentication.isAdmin();
|
this.isAdmin = Authentication.isAdmin();
|
||||||
this.isEndpointAdmin = Authentication.hasAuthorizations(['EndpointResourcesAccess']);
|
|
||||||
this.setDefaults();
|
this.setDefaults();
|
||||||
this.prepareTableFromDataset();
|
this.prepareTableFromDataset();
|
||||||
|
|
||||||
|
|
|
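Review bot: The retained filter line `return !(item.External && !this.isAdmin);` now reads as a double negation with the endpoint-admin term gone; `return !item.External || this.isAdmin;` is equivalent and clearer. This is a client-side visibility filter only, so the admin-only rule for external stacks must stay enforced by the server-side handlers rather than here. The enclosing filter function starts outside the hunk.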
@ -2,8 +2,6 @@ export function UserViewModel(data) {
|
||||||
this.Id = data.Id;
|
this.Id = data.Id;
|
||||||
this.Username = data.Username;
|
this.Username = data.Username;
|
||||||
this.Role = data.Role;
|
this.Role = data.Role;
|
||||||
this.EndpointAuthorizations = data.EndpointAuthorizations;
|
|
||||||
this.PortainerAuthorizations = data.PortainerAuthorizations;
|
|
||||||
if (data.Role === 1) {
|
if (data.Role === 1) {
|
||||||
this.RoleName = 'administrator';
|
this.RoleName = 'administrator';
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -7,8 +7,7 @@ angular.module('portainer.app').factory('Authentication', [
|
||||||
'LocalStorage',
|
'LocalStorage',
|
||||||
'StateManager',
|
'StateManager',
|
||||||
'EndpointProvider',
|
'EndpointProvider',
|
||||||
'UserService',
|
function AuthenticationFactory($async, $state, Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
|
||||||
function AuthenticationFactory($async, $state, Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider, UserService) {
|
|
||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
var service = {};
|
var service = {};
|
||||||
|
@ -21,7 +20,6 @@ angular.module('portainer.app').factory('Authentication', [
|
||||||
service.isAuthenticated = isAuthenticated;
|
service.isAuthenticated = isAuthenticated;
|
||||||
service.getUserDetails = getUserDetails;
|
service.getUserDetails = getUserDetails;
|
||||||
service.isAdmin = isAdmin;
|
service.isAdmin = isAdmin;
|
||||||
service.hasAuthorizations = hasAuthorizations;
|
|
||||||
|
|
||||||
async function initAsync() {
|
async function initAsync() {
|
||||||
try {
|
try {
|
||||||
|
@ -81,19 +79,12 @@ angular.module('portainer.app').factory('Authentication', [
|
||||||
return user;
|
return user;
|
||||||
}
|
}
|
||||||
|
|
||||||
async function retrievePermissions() {
|
|
||||||
const data = await UserService.user(user.ID);
|
|
||||||
user.endpointAuthorizations = data.EndpointAuthorizations;
|
|
||||||
user.portainerAuthorizations = data.PortainerAuthorizations;
|
|
||||||
}
|
|
||||||
|
|
||||||
async function setUser(jwt) {
|
async function setUser(jwt) {
|
||||||
LocalStorage.storeJWT(jwt);
|
LocalStorage.storeJWT(jwt);
|
||||||
var tokenPayload = jwtHelper.decodeToken(jwt);
|
var tokenPayload = jwtHelper.decodeToken(jwt);
|
||||||
user.username = tokenPayload.username;
|
user.username = tokenPayload.username;
|
||||||
user.ID = tokenPayload.id;
|
user.ID = tokenPayload.id;
|
||||||
user.role = tokenPayload.role;
|
user.role = tokenPayload.role;
|
||||||
await retrievePermissions();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function isAdmin() {
|
function isAdmin() {
|
||||||
|
@ -103,23 +94,6 @@ angular.module('portainer.app').factory('Authentication', [
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
function hasAuthorizations(authorizations) {
|
|
||||||
const endpointId = EndpointProvider.endpointID();
|
|
||||||
if (isAdmin()) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
if (!user.endpointAuthorizations || (user.endpointAuthorizations && !user.endpointAuthorizations[endpointId])) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
for (var i = 0; i < authorizations.length; i++) {
|
|
||||||
var authorization = authorizations[i];
|
|
||||||
if (user.endpointAuthorizations[endpointId][authorization]) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return service;
|
return service;
|
||||||
},
|
},
|
||||||
]);
|
]);
|
||||||
|
|
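Review bot: In setUser the JWT is persisted by `LocalStorage.storeJWT(jwt);` before `jwtHelper.decodeToken(jwt)` runs, so if decodeToken throws on a malformed token the bad value is already in local storage while no user fields were set; decoding first and storing afterwards keeps the two consistent. With `await retrievePermissions();` removed, setUser no longer awaits anything but stays `async`, which is fine as long as callers keep awaiting it; a one-line comment `// kept async: callers await setUser` would record that intent.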