Cherrypick #2936 #2957 (#2958)

jamsman94 · Min Min · web-flow · commit a454c3cb9d99 · 2023-08-11T15:11:37.000+08:00
* fix panic bug &amp; minor permission problem

Signed-off-by: Min Min &lt;minmin@koderover.com&gt;

* users api debug and edge case fix

Signed-off-by: Min Min &lt;minmin@koderover.com&gt;

---------

Signed-off-by: Min Min &lt;minmin@koderover.com&gt;
Co-authored-by: Min Min &lt;minmin@koderover.com&gt;
diff --git a/pkg/microservice/aslan/core/build/handler/build.go b/pkg/microservice/aslan/core/build/handler/build.go
@@ -81,9 +81,7 @@ func ListBuildModules(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		// first check if the user is projectAdmin
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
@@ -130,14 +128,10 @@ func ListBuildModulesByServiceModule(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if ctx.Resources.SystemActions.Template.Create ||
+	} else if ctx.Resources.SystemActions.Template.Create ||
 		ctx.Resources.SystemActions.Template.Edit {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		// first check if the user is projectAdmin
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
diff --git a/pkg/microservice/aslan/core/build/handler/target.go b/pkg/microservice/aslan/core/build/handler/target.go
@@ -46,9 +46,7 @@ func ListDeployTarget(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		// first check if the user is projectAdmin
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
@@ -94,9 +92,7 @@ func ListBuildModulesForProduct(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		if projectedAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
diff --git a/pkg/microservice/aslan/core/environment/handler/configmap.go b/pkg/microservice/aslan/core/environment/handler/configmap.go
@@ -93,8 +93,11 @@ func ListProductionConfigMaps(c *gin.Context) {
 		}
 		if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
 			!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
-			ctx.UnAuthorized = true
-			return
+			permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)
+			if err != nil || !permitted {
+				ctx.UnAuthorized = true
+				return
+			}
 		}
 	}
 
diff --git a/pkg/microservice/aslan/core/environment/handler/environment.go b/pkg/microservice/aslan/core/environment/handler/environment.go
@@ -95,12 +95,12 @@ func ListProducts(c *gin.Context) {
 			projectInfo.Env.View {
 			hasPermission = true
 		}
-	} else {
-		permittedEnv, _ := internalhandler.ListCollaborationEnvironmentsPermission(ctx.UserID, projectName)
-		if permittedEnv != nil && len(permittedEnv.ReadEnvList) > 0 {
-			hasPermission = true
-			envFilter = permittedEnv.ReadEnvList
-		}
+	}
+
+	permittedEnv, _ := internalhandler.ListCollaborationEnvironmentsPermission(ctx.UserID, projectName)
+	if !hasPermission && permittedEnv != nil && len(permittedEnv.ReadEnvList) > 0 {
+		hasPermission = true
+		envFilter = permittedEnv.ReadEnvList
 	}
 
 	if !hasPermission {
@@ -1511,9 +1511,7 @@ func updateMultiK8sEnv(c *gin.Context, request *service.UpdateEnvRequest, produc
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
@@ -1567,9 +1565,7 @@ func updateMultiHelmEnv(c *gin.Context, request *service.UpdateEnvRequest, produ
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
@@ -1625,9 +1621,7 @@ func updateMultiHelmChartEnv(c *gin.Context, request *service.UpdateEnvRequest,
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
diff --git a/pkg/microservice/aslan/core/environment/handler/image.go b/pkg/microservice/aslan/core/environment/handler/image.go
@@ -120,9 +120,7 @@ func UpdateDeploymentContainerImage(c *gin.Context) {
 	permitted := false
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
@@ -189,9 +187,7 @@ func UpdateProductionDeploymentContainerImage(c *gin.Context) {
 	permitted := false
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
diff --git a/pkg/microservice/aslan/core/environment/handler/ingress.go b/pkg/microservice/aslan/core/environment/handler/ingress.go
@@ -89,8 +89,11 @@ func ListProductionIngresses(c *gin.Context) {
 		}
 		if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
 			!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
-			ctx.UnAuthorized = true
-			return
+			permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)
+			if err != nil || !permitted {
+				ctx.UnAuthorized = true
+				return
+			}
 		}
 	}
 
diff --git a/pkg/microservice/aslan/core/environment/handler/pvc.go b/pkg/microservice/aslan/core/environment/handler/pvc.go
@@ -89,8 +89,11 @@ func ListProductionPvcs(c *gin.Context) {
 		}
 		if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
 			!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
-			ctx.UnAuthorized = true
-			return
+			permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
+			if err != nil || !permitted {
+				ctx.UnAuthorized = true
+				return
+			}
 		}
 	}
 
diff --git a/pkg/microservice/aslan/core/environment/handler/renderset.go b/pkg/microservice/aslan/core/environment/handler/renderset.go
@@ -337,9 +337,7 @@ func GetGlobalVariables(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		if projectedAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
diff --git a/pkg/microservice/aslan/core/environment/handler/secret.go b/pkg/microservice/aslan/core/environment/handler/secret.go
@@ -89,8 +89,11 @@ func ListProductionSecrets(c *gin.Context) {
 		}
 		if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
 			!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
-			ctx.UnAuthorized = true
-			return
+			permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)
+			if err != nil || !permitted {
+				ctx.UnAuthorized = true
+				return
+			}
 		}
 	}
 
diff --git a/pkg/microservice/aslan/core/environment/handler/service.go b/pkg/microservice/aslan/core/environment/handler/service.go
@@ -59,9 +59,7 @@ func ListSvcsInEnv(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		if projectedAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
@@ -160,9 +158,7 @@ func GetProductionService(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		if projectedAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
diff --git a/pkg/microservice/aslan/core/project/handler/product.go b/pkg/microservice/aslan/core/project/handler/product.go
@@ -491,9 +491,7 @@ func GetGlobalVariables(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		if projectedAuthInfo.IsProjectAdmin {
 			permitted = true
 		}
diff --git a/pkg/microservice/aslan/core/service/handler/service.go b/pkg/microservice/aslan/core/service/handler/service.go
@@ -151,9 +151,7 @@ func GetServiceTemplateOption(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectName]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectName]; ok {
 		// first check if the user is projectAdmin
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
diff --git a/pkg/microservice/aslan/core/workflow/handler/workflow.go b/pkg/microservice/aslan/core/workflow/handler/workflow.go
@@ -80,9 +80,7 @@ func AutoCreateWorkflow(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		// first check if the user is projectAdmin
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
diff --git a/pkg/microservice/aslan/core/workflow/testing/handler/scanning.go b/pkg/microservice/aslan/core/workflow/testing/handler/scanning.go
@@ -193,9 +193,7 @@ func ListScanningModule(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		// first check if the user is projectAdmin
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
diff --git a/pkg/microservice/aslan/core/workflow/testing/handler/testing.go b/pkg/microservice/aslan/core/workflow/testing/handler/testing.go
@@ -205,9 +205,7 @@ func GetTestModule(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+	} else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 		// first check if the user is projectAdmin
 		if projectAuthInfo.IsProjectAdmin {
 			permitted = true
diff --git a/pkg/microservice/picket/core/filter/handler/project.go b/pkg/microservice/picket/core/filter/handler/project.go
@@ -56,9 +56,7 @@ func CreateProject(c *gin.Context) {
 
 	if ctx.Resources.IsSystemAdmin {
 		permitted = true
-	}
-
-	if ctx.Resources.SystemActions.Project.Create {
+	} else if ctx.Resources.SystemActions.Project.Create {
 		permitted = true
 	}
 
diff --git a/pkg/shared/client/user/user.go b/pkg/shared/client/user/user.go
@@ -39,7 +39,9 @@ type usersResp struct {
 }
 
 type SearchArgs struct {
-	UIDs []string `json:"uids"`
+	UIDs    []string `json:"uids"`
+	PerPage int      `json:"per_page,omitempty"`
+	Page    int      `json:"page,omitempty"`
 }
 
 func (c *Client) ListUsers(args *SearchArgs) ([]*User, error) {

Original file line number	Diff line number	Diff line change
`@@ -93,8 +93,11 @@ func ListProductionConfigMaps(c *gin.Context) {`
`93`	`93`	`}`
`94`	`94`	`if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&`
`95`	`95`	`!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {`
`96`		`- ctx.UnAuthorized = true`
`97`		`- return`
	`96`	`+ permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)`
	`97`	`+ if err != nil \|\| !permitted {`
	`98`	`+ ctx.UnAuthorized = true`
	`99`	`+ return`
	`100`	`+ }`
`98`	`101`	`}`
`99`	`102`	`}`
`100`	`103`
Original file line number	Diff line number	Diff line change
`@@ -89,8 +89,11 @@ func ListProductionIngresses(c *gin.Context) {`
`89`	`89`	`}`
`90`	`90`	`if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&`
`91`	`91`	`!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {`
`92`		`- ctx.UnAuthorized = true`
`93`		`- return`
	`92`	`+ permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)`
	`93`	`+ if err != nil \|\| !permitted {`
	`94`	`+ ctx.UnAuthorized = true`
	`95`	`+ return`
	`96`	`+ }`
`94`	`97`	`}`
`95`	`98`	`}`
`96`	`99`
Original file line number	Diff line number	Diff line change
`@@ -89,8 +89,11 @@ func ListProductionPvcs(c *gin.Context) {`
`89`	`89`	`}`
`90`	`90`	`if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&`
`91`	`91`	`!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {`
`92`		`- ctx.UnAuthorized = true`
`93`		`- return`
	`92`	`+ permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)`
	`93`	`+ if err != nil \|\| !permitted {`
	`94`	`+ ctx.UnAuthorized = true`
	`95`	`+ return`
	`96`	`+ }`
`94`	`97`	`}`
`95`	`98`	`}`
`96`	`99`
Original file line number	Diff line number	Diff line change
`@@ -89,8 +89,11 @@ func ListProductionSecrets(c *gin.Context) {`
`89`	`89`	`}`
`90`	`90`	`if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&`
`91`	`91`	`!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {`
`92`		`- ctx.UnAuthorized = true`
`93`		`- return`
	`92`	`+ permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)`
	`93`	`+ if err != nil \|\| !permitted {`
	`94`	`+ ctx.UnAuthorized = true`
	`95`	`+ return`
	`96`	`+ }`
`94`	`97`	`}`
`95`	`98`	`}`
`96`	`99`