upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor synced 2024-09-20 16:35:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5399 from steven-zou/fix_access_control_issue

Browse Source 
Fix the access control checking issue
This commit is contained in:
Steven Zou 2018-07-26 15:27:30 +08:00 committed by GitHub
commit cfefcb7450
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/ui/api/chart_repository.go
View File

@ -284,39 +284,31 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
return true //do nothing
}
//At least, authentication is necessary when level > public
if !cra.SecurityCtx.IsAuthenticated() {
cra.HandleUnauthorized()
return false
}
theLevel := accessLevel
//If repo is empty, system admin role must be required
if len(namespace) == 0 {
theLevel = accessLevelSystem
}
var err error
switch theLevel {
//Should be system admin role
case accessLevelSystem:
if !cra.SecurityCtx.IsSysAdmin() {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername()))
return false
err = fmt.Errorf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername())
}
case accessLevelAll:
if !cra.SecurityCtx.HasAllPerm(namespace) {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername()))
return false
err = fmt.Errorf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
}
case accessLevelWrite:
if !cra.SecurityCtx.HasWritePerm(namespace) {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername()))
return false
err = fmt.Errorf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
}
case accessLevelRead:
if !cra.SecurityCtx.HasReadPerm(namespace) {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername()))
return false
err = fmt.Errorf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername())
}
default:
//access rejected for invalid scope
@ -324,6 +316,19 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
return false
}
//Access is not granted, check if user has authenticated
if err != nil {
//Unauthenticated, return 401
if !cra.SecurityCtx.IsAuthenticated() {
cra.HandleUnauthorized()
return false
}
//Authenticated, return 403
cra.RenderError(http.StatusForbidden, err.Error())
return false
}
return true
}