@@ -907,31 +907,15 @@ func (handler UserRestHandlerImpl) DeleteRoleGroup(w http.ResponseWriter, r *htt
907907 common .WriteJsonResp (w , err , "" , http .StatusInternalServerError )
908908 return
909909 }
910-
911910 token := r .Header .Get ("token" )
912- isActionUserSuperAdmin := false
913- if ok := handler .enforcer .Enforce (token , casbin .ResourceGlobal , casbin .ActionGet , "*" ); ok {
914- isActionUserSuperAdmin = true
911+ isAuthorised , err := handler .checkRBACForRoleGroupDelete (token , userGroup .RoleFilters )
912+ if err != nil {
913+ common .WriteJsonResp (w , err , "" , http .StatusInternalServerError )
914+ return
915915 }
916- if userGroup .RoleFilters != nil && len (userGroup .RoleFilters ) > 0 {
917- for _ , filter := range userGroup .RoleFilters {
918- if filter .AccessType == bean .APP_ACCESS_TYPE_HELM && ! isActionUserSuperAdmin {
919- common .WriteJsonResp (w , errors .New ("unauthorized" ), nil , http .StatusForbidden )
920- return
921- }
922- if len (filter .Team ) > 0 {
923- if ok := handler .enforcer .Enforce (token , casbin .ResourceUser , casbin .ActionDelete , filter .Team ); ! ok {
924- common .WriteJsonResp (w , errors .New ("unauthorized" ), nil , http .StatusForbidden )
925- return
926- }
927- }
928- if filter .Entity == bean .CLUSTER_ENTITIY {
929- if isValidAuth := handler .userCommonService .CheckRbacForClusterEntity (filter .Cluster , filter .Namespace , filter .Group , filter .Kind , filter .Resource , token , handler .CheckManagerAuth ); ! isValidAuth {
930- common .WriteJsonResp (w , errors .New ("unauthorized" ), nil , http .StatusForbidden )
931- return
932- }
933- }
934- }
916+ if ! isAuthorised {
917+ response .WriteResponse (http .StatusForbidden , "FORBIDDEN" , w , errors .New ("unauthorized" ))
918+ return
935919 }
936920 //RBAC enforcer Ends
937921
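Review bot: The two failure branches of the new guard use different response helpers — `common.WriteJsonResp(w, err, "", http.StatusInternalServerError)` on the error path and `response.WriteResponse(http.StatusForbidden, "FORBIDDEN", w, errors.New("unauthorized"))` on the denied path — so a 500 and a 403 from the same check will have differently shaped bodies; using one helper for both keeps client-side error parsing uniform, e.g. `common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)` as the removed inline code did. The 500 branch is also unreachable at present, because `checkRBACForRoleGroupDelete` as added in this commit never assigns its `err` result; keeping it as a forward-looking guard is reasonable, but a short comment saying so would stop a reader from hunting for the error source. DeleteRoleGroup starts and ends outside the hunk.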
@@ -1278,3 +1262,32 @@ func (handler UserRestHandlerImpl) checkRBACForUserUpdate(token string, userInfo
12781262 }
12791263 return isAuthorised , nil
12801264}
1265+
1266+ func (handler UserRestHandlerImpl ) checkRBACForRoleGroupDelete (token string , groupRoles []bean.RoleFilter ) (isAuthorised bool , err error ) {
1267+ isActionUserSuperAdmin := handler .enforcer .Enforce (token , casbin .ResourceGlobal , casbin .ActionGet , "*" )
1268+ isAuthorised = isActionUserSuperAdmin
1269+ if ! isAuthorised {
1270+ if groupRoles != nil && len (groupRoles ) > 0 { //auth check inside roleFilters
1271+ for _ , filter := range groupRoles {
1272+ switch {
1273+ case filter .Action == bean .ACTION_SUPERADMIN :
1274+ isAuthorised = isActionUserSuperAdmin
1275+ case filter .AccessType == bean .APP_ACCESS_TYPE_HELM || filter .Entity == bean2 .EntityJobs :
1276+ isAuthorised = isActionUserSuperAdmin
1277+ case len (filter .Team ) > 0 :
1278+ isAuthorised = handler .enforcer .Enforce (token , casbin .ResourceUser , casbin .ActionCreate , filter .Team )
1279+ case filter .Entity == bean .CLUSTER_ENTITIY :
1280+ isAuthorised = handler .userCommonService .CheckRbacForClusterEntity (filter .Cluster , filter .Namespace , filter .Group , filter .Kind , filter .Resource , token , handler .CheckManagerAuth )
1281+ case filter .Entity == bean .CHART_GROUP_ENTITY :
1282+ isAuthorised = true
1283+ default :
1284+ isAuthorised = false
1285+ }
1286+ if ! isAuthorised {
1287+ break
1288+ }
1289+ }
1290+ }
1291+ }
1292+ return isAuthorised , nil
1293+ }
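Review bot: The team arm of the switch enforces `casbin.ActionCreate` on `casbin.ResourceUser`, whereas the inline code this helper replaces enforced `casbin.ActionDelete` for the same DELETE handler; unless the policy model deliberately collapses user management into a single create permission, this lets a principal holding only a create grant on a team delete that team's role groups, and the check should stay `handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionDelete, filter.Team)`. A second behavioural change worth confirming is the empty case: with no role filters the helper now returns false for non-super-admins, where the old inline checks fell through to authorised, so deleting a filterless group becomes a 403 — fine if intended, but it deserves a comment. The `bean.CHART_GROUP_ENTITY` arm grants access with no enforcer call at all; a one-line comment on why chart-group filters need no RBAC check would help the next reader judge whether that is still correct. Minor: `groupRoles != nil && len(groupRoles) > 0` reduces to `len(groupRoles) > 0`, and the named `err` result is never set, so the `error` return is always nil.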