mirror of https://github.com/portainer/portainer
fix(rbac): clean leftovers (#4265)
Chaim Lev-Ari
GitHub
parent
45cada05d5
commit
b4f97efb85
|
|
@ -155,11 +155,11 @@ func (transport *Transport) applyAccessControlOnResource(parameters *resourceOpe
|
|||
return err
|
||||
}
|
||||
|
||||
if resourceControl == nil && (executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess) {
|
||||
if resourceControl == nil && (executor.operationContext.isAdmin) {
|
||||
return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
|
||||
}
|
||||
|
||||
if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess || (resourceControl != nil && authorization.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl)) {
|
||||
if executor.operationContext.isAdmin || (resourceControl != nil && authorization.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl)) {
|
||||
responseObject = decorateObject(responseObject, resourceControl)
|
||||
return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
|
||||
}
|
||||
|
|
@ -168,7 +168,7 @@ func (transport *Transport) applyAccessControlOnResource(parameters *resourceOpe
|
|||
}
|
||||
|
||||
func (transport *Transport) applyAccessControlOnResourceList(parameters *resourceOperationParameters, resourceData []interface{}, executor *operationExecutor) ([]interface{}, error) {
|
||||
if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess {
|
||||
if executor.operationContext.isAdmin {
|
||||
return transport.decorateResourceList(parameters, resourceData, executor.operationContext.resourceControls)
|
||||
}
|
||||
|
||||
|
|
@ -241,13 +241,13 @@ func (transport *Transport) filterResourceList(parameters *resourceOperationPara
|
|||
}
|
||||
|
||||
if resourceControl == nil {
|
||||
if context.isAdmin || context.endpointResourceAccess {
|
||||
if context.isAdmin {
|
||||
filteredResourceData = append(filteredResourceData, resourceObject)
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
||||
if context.isAdmin || context.endpointResourceAccess || authorization.UserCanAccessResource(context.userID, context.userTeamIDs, resourceControl) {
|
||||
if context.isAdmin || authorization.UserCanAccessResource(context.userID, context.userTeamIDs, resourceControl) {
|
||||
resourceObject = decorateObject(resourceObject, resourceControl)
|
||||
filteredResourceData = append(filteredResourceData, resourceObject)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -43,11 +43,10 @@ type (
|
|||
}
|
||||
|
||||
restrictedDockerOperationContext struct {
|
||||
isAdmin bool
|
||||
endpointResourceAccess bool
|
||||
userID portainer.UserID
|
||||
userTeamIDs []portainer.TeamID
|
||||
resourceControls []portainer.ResourceControl
|
||||
isAdmin bool
|
||||
userID portainer.UserID
|
||||
userTeamIDs []portainer.TeamID
|
||||
resourceControls []portainer.ResourceControl
|
||||
}
|
||||
|
||||
operationExecutor struct {
|
||||
|
|
@ -650,25 +649,14 @@ func (transport *Transport) createOperationContext(request *http.Request) (*rest
|
|||
}
|
||||
|
||||
operationContext := &restrictedDockerOperationContext{
|
||||
isAdmin: true,
|
||||
userID: tokenData.ID,
|
||||
resourceControls: resourceControls,
|
||||
endpointResourceAccess: false,
|
||||
isAdmin: true,
|
||||
userID: tokenData.ID,
|
||||
resourceControls: resourceControls,
|
||||
}
|
||||
|
||||
if tokenData.Role != portainer.AdministratorRole {
|
||||
operationContext.isAdmin = false
|
||||
|
||||
user, err := transport.dataStore.User().User(operationContext.userID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
_, ok := user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]
|
||||
if ok {
|
||||
operationContext.endpointResourceAccess = true
|
||||
}
|
||||
|
||||
teamMemberships, err := transport.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ angular.module('portainer.app').controller('StacksDatatableController', [
|
|||
return false;
|
||||
}
|
||||
|
||||
return !(item.External && !this.isAdmin && !this.isEndpointAdmin);
|
||||
return !(item.External && !this.isAdmin);
|
||||
};
|
||||
|
||||
this.applyFilters = applyFilters.bind(this);
|
||||
|
|
@ -41,7 +41,6 @@ angular.module('portainer.app').controller('StacksDatatableController', [
|
|||
|
||||
this.$onInit = function () {
|
||||
this.isAdmin = Authentication.isAdmin();
|
||||
this.isEndpointAdmin = Authentication.hasAuthorizations(['EndpointResourcesAccess']);
|
||||
this.setDefaults();
|
||||
this.prepareTableFromDataset();
|
||||
|
||||
|
|
|
|||
|
|
@ -2,8 +2,6 @@ export function UserViewModel(data) {
|
|||
this.Id = data.Id;
|
||||
this.Username = data.Username;
|
||||
this.Role = data.Role;
|
||||
this.EndpointAuthorizations = data.EndpointAuthorizations;
|
||||
this.PortainerAuthorizations = data.PortainerAuthorizations;
|
||||
if (data.Role === 1) {
|
||||
this.RoleName = 'administrator';
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -7,8 +7,7 @@ angular.module('portainer.app').factory('Authentication', [
|
|||
'LocalStorage',
|
||||
'StateManager',
|
||||
'EndpointProvider',
|
||||
'UserService',
|
||||
function AuthenticationFactory($async, $state, Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider, UserService) {
|
||||
function AuthenticationFactory($async, $state, Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
|
||||
'use strict';
|
||||
|
||||
var service = {};
|
||||
|
|
@ -21,7 +20,6 @@ angular.module('portainer.app').factory('Authentication', [
|
|||
service.isAuthenticated = isAuthenticated;
|
||||
service.getUserDetails = getUserDetails;
|
||||
service.isAdmin = isAdmin;
|
||||
service.hasAuthorizations = hasAuthorizations;
|
||||
|
||||
async function initAsync() {
|
||||
try {
|
||||
|
|
@ -81,19 +79,12 @@ angular.module('portainer.app').factory('Authentication', [
|
|||
return user;
|
||||
}
|
||||
|
||||
async function retrievePermissions() {
|
||||
const data = await UserService.user(user.ID);
|
||||
user.endpointAuthorizations = data.EndpointAuthorizations;
|
||||
user.portainerAuthorizations = data.PortainerAuthorizations;
|
||||
}
|
||||
|
||||
async function setUser(jwt) {
|
||||
LocalStorage.storeJWT(jwt);
|
||||
var tokenPayload = jwtHelper.decodeToken(jwt);
|
||||
user.username = tokenPayload.username;
|
||||
user.ID = tokenPayload.id;
|
||||
user.role = tokenPayload.role;
|
||||
await retrievePermissions();
|
||||
}
|
||||
|
||||
function isAdmin() {
|
||||
|
|
@ -103,23 +94,6 @@ angular.module('portainer.app').factory('Authentication', [
|
|||
return false;
|
||||
}
|
||||
|
||||
function hasAuthorizations(authorizations) {
|
||||
const endpointId = EndpointProvider.endpointID();
|
||||
if (isAdmin()) {
|
||||
return true;
|
||||
}
|
||||
if (!user.endpointAuthorizations || (user.endpointAuthorizations && !user.endpointAuthorizations[endpointId])) {
|
||||
return false;
|
||||
}
|
||||
for (var i = 0; i < authorizations.length; i++) {
|
||||
var authorization = authorizations[i];
|
||||
if (user.endpointAuthorizations[endpointId][authorization]) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
return service;
|
||||
},
|
||||
]);
|
||||
|
|
|
|||
Loading…
Reference in New Issue