package access
import (
"fmt"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/dataservices"
"github.com/portainer/portainer/api/http/security"
)
// hasPermission reports whether the user identified by userID may access
// registry in the context of endpointID.
//
// The user record is loaded from dataStore. A user whose role is
// portainer.AdministratorRole is always allowed. For any other user the
// team memberships are loaded and the decision is delegated to
// security.AuthorizedRegistryAccess.
//
// If either data store lookup fails, the result is false together with the
// lookup error, so a failed lookup never grants access.
func hasPermission(
	dataStore dataservices.DataStore,
	userID portainer.UserID,
	endpointID portainer.EndpointID,
	registry *portainer.Registry,
) (hasPermission bool, err error) {
	u, err := dataStore.User().Read(userID)
	if err != nil {
		return false, err
	}

	// Administrators bypass the per-registry access evaluation entirely.
	if u.Role == portainer.AdministratorRole {
		return true, nil
	}

	memberships, err := dataStore.TeamMembership().TeamMembershipsByUserID(userID)
	if err != nil {
		return false, err
	}

	return security.AuthorizedRegistryAccess(registry, u, memberships, endpointID), nil
}
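// GetAccessibleRegistry returns the registry identified by registryID when
// the user identified by userID is allowed to access it in the context of
// endpointID.
//
// The registry is read from dataStore and then checked with hasPermission.
// On every failure path (registry read error, error while evaluating the
// permission, or access denied) the returned registry is nil, so a caller
// never receives a registry for which the access check did not complete
// successfully.
func GetAccessibleRegistry(
	dataStore dataservices.DataStore,
	userID portainer.UserID,
	endpointID portainer.EndpointID,
	registryID portainer.RegistryID,
) (registry *portainer.Registry, err error) {
	registry, err = dataStore.Registry().Read(registryID)
	if err != nil {
		return nil, err
	}

	allowed, err := hasPermission(dataStore, userID, endpointID, registry)
	if err != nil {
		// Fail closed: the authorization decision could not be made, so do
		// not hand the already-loaded registry back alongside the error.
		return nil, err
	}

	if !allowed {
		return nil, fmt.Errorf("user does not has permission to get the registry")
	}

	return registry, nil
}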