Allow service users with user role read-only access to all resources (#1484)
We allow service users with the user role read-only access to all resources, so users can create a service user and propagate PATs without having to grant full admin permissions.
This commit is contained in:
parent
4771fed64f
commit
399493a954
@ -102,11 +102,11 @@ type AccountManager interface {
|
|||||||
SaveRoute(accountID, userID string, route *route.Route) error
|
SaveRoute(accountID, userID string, route *route.Route) error
|
||||||
DeleteRoute(accountID, routeID, userID string) error
|
DeleteRoute(accountID, routeID, userID string) error
|
||||||
ListRoutes(accountID, userID string) ([]*route.Route, error)
|
ListRoutes(accountID, userID string) ([]*route.Route, error)
|
||||||
GetNameServerGroup(accountID, nsGroupID string) (*nbdns.NameServerGroup, error)
|
GetNameServerGroup(accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error)
|
||||||
CreateNameServerGroup(accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string, searchDomainsEnabled bool) (*nbdns.NameServerGroup, error)
|
CreateNameServerGroup(accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string, searchDomainsEnabled bool) (*nbdns.NameServerGroup, error)
|
||||||
SaveNameServerGroup(accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
|
SaveNameServerGroup(accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
|
||||||
DeleteNameServerGroup(accountID, nsGroupID, userID string) error
|
DeleteNameServerGroup(accountID, nsGroupID, userID string) error
|
||||||
ListNameServerGroups(accountID string) ([]*nbdns.NameServerGroup, error)
|
ListNameServerGroups(accountID string, userID string) ([]*nbdns.NameServerGroup, error)
|
||||||
GetDNSDomain() string
|
GetDNSDomain() string
|
||||||
StoreEvent(initiatorID, targetID, accountID string, activityID activity.Activity, meta map[string]any)
|
StoreEvent(initiatorID, targetID, accountID string, activityID activity.Activity, meta map[string]any)
|
||||||
GetEvents(accountID, userID string) ([]*activity.Event, error)
|
GetEvents(accountID, userID string) ([]*activity.Event, error)
|
||||||
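Review bot: The new `GetNameServerGroup(accountID, userID, nsGroupID string)` signature places userID second, while `DeleteNameServerGroup(accountID, nsGroupID, userID string)` directly below places it last; with three positional string parameters a call with swapped arguments compiles silently and would run the permission check against a nameserver group ID. Suggest aligning the new signature with the existing one, `GetNameServerGroup(accountID, nsGroupID, userID string) (*nbdns.NameServerGroup, error)`, and for the same reason writing the list method as `ListNameServerGroups(accountID, userID string) ([]*nbdns.NameServerGroup, error)`, matching `ListRoutes` above. The `AccountManager` interface starts outside this hunk.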
|
@ -934,7 +934,7 @@ func TestAccountManager_AddPeer(t *testing.T) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
userID := "account_creator"
|
userID := "testingUser"
|
||||||
account, err := createAccount(manager, "test_account", userID, "netbird.cloud")
|
account, err := createAccount(manager, "test_account", userID, "netbird.cloud")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
|
@ -48,7 +48,7 @@ func (am *DefaultAccountManager) GetDNSSettings(accountID string, userID string)
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view DNS settings")
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view DNS settings")
|
||||||
}
|
}
|
||||||
dnsSettings := account.DNSSettings.Copy()
|
dnsSettings := account.DNSSettings.Copy()
|
||||||
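Review bot: The denial message on the line after the changed condition still says "only users with admin power are allowed to view DNS settings", but the new condition also admits service users, so the message no longer describes the rule it enforces. Suggest `return nil, status.Errorf(status.PermissionDenied, "only users with admin power or service users are allowed to view DNS settings")`. The same stale wording appears in the hunks for GetEvents, GetAllAccounts, GetNameServerGroup, ListNameServerGroups, GetPolicy, ListPolicies, GetRoute and ListRoutes. GetDNSSettings's body starts and ends outside this hunk.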
|
@ -7,10 +7,28 @@ import (
|
|||||||
log "github.com/sirupsen/logrus"
|
log "github.com/sirupsen/logrus"
|
||||||
|
|
||||||
"github.com/netbirdio/netbird/management/server/activity"
|
"github.com/netbirdio/netbird/management/server/activity"
|
||||||
|
"github.com/netbirdio/netbird/management/server/status"
|
||||||
)
|
)
|
||||||
|
|
||||||
// GetEvents returns a list of activity events of an account
|
// GetEvents returns a list of activity events of an account
|
||||||
func (am *DefaultAccountManager) GetEvents(accountID, userID string) ([]*activity.Event, error) {
|
func (am *DefaultAccountManager) GetEvents(accountID, userID string) ([]*activity.Event, error) {
|
||||||
|
unlock := am.Store.AcquireAccountLock(accountID)
|
||||||
|
defer unlock()
|
||||||
|
|
||||||
|
account, err := am.Store.GetAccount(accountID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
user, err := account.FindUser(userID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view events")
|
||||||
|
}
|
||||||
|
|
||||||
events, err := am.eventStore.Get(accountID, 0, 10000, true)
|
events, err := am.eventStore.Get(accountID, 0, 10000, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -41,7 +41,7 @@ func (h *AccountsHandler) GetAllAccounts(w http.ResponseWriter, r *http.Request)
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
util.WriteError(status.Errorf(status.PermissionDenied, "the user has no permission to access account data"), w)
|
util.WriteError(status.Errorf(status.PermissionDenied, "the user has no permission to access account data"), w)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -36,14 +36,14 @@ func NewNameserversHandler(accountManager server.AccountManager, authCfg AuthCfg
|
|||||||
// GetAllNameservers returns the list of nameserver groups for the account
|
// GetAllNameservers returns the list of nameserver groups for the account
|
||||||
func (h *NameserversHandler) GetAllNameservers(w http.ResponseWriter, r *http.Request) {
|
func (h *NameserversHandler) GetAllNameservers(w http.ResponseWriter, r *http.Request) {
|
||||||
claims := h.claimsExtractor.FromRequestContext(r)
|
claims := h.claimsExtractor.FromRequestContext(r)
|
||||||
account, _, err := h.accountManager.GetAccountFromToken(claims)
|
account, user, err := h.accountManager.GetAccountFromToken(claims)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error(err)
|
log.Error(err)
|
||||||
http.Redirect(w, r, "/", http.StatusInternalServerError)
|
http.Redirect(w, r, "/", http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
nsGroups, err := h.accountManager.ListNameServerGroups(account.Id)
|
nsGroups, err := h.accountManager.ListNameServerGroups(account.Id, user.Id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
util.WriteError(err, w)
|
util.WriteError(err, w)
|
||||||
return
|
return
|
||||||
@ -168,7 +168,7 @@ func (h *NameserversHandler) DeleteNameserverGroup(w http.ResponseWriter, r *htt
|
|||||||
// GetNameserverGroup handles a nameserver group Get request identified by ID
|
// GetNameserverGroup handles a nameserver group Get request identified by ID
|
||||||
func (h *NameserversHandler) GetNameserverGroup(w http.ResponseWriter, r *http.Request) {
|
func (h *NameserversHandler) GetNameserverGroup(w http.ResponseWriter, r *http.Request) {
|
||||||
claims := h.claimsExtractor.FromRequestContext(r)
|
claims := h.claimsExtractor.FromRequestContext(r)
|
||||||
account, _, err := h.accountManager.GetAccountFromToken(claims)
|
account, user, err := h.accountManager.GetAccountFromToken(claims)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error(err)
|
log.Error(err)
|
||||||
http.Redirect(w, r, "/", http.StatusInternalServerError)
|
http.Redirect(w, r, "/", http.StatusInternalServerError)
|
||||||
@ -181,7 +181,7 @@ func (h *NameserversHandler) GetNameserverGroup(w http.ResponseWriter, r *http.R
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
nsGroup, err := h.accountManager.GetNameServerGroup(account.Id, nsGroupID)
|
nsGroup, err := h.accountManager.GetNameServerGroup(account.Id, user.Id, nsGroupID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
util.WriteError(err, w)
|
util.WriteError(err, w)
|
||||||
return
|
return
|
||||||
|
@ -61,7 +61,7 @@ var baseExistingNSGroup = &nbdns.NameServerGroup{
|
|||||||
func initNameserversTestData() *NameserversHandler {
|
func initNameserversTestData() *NameserversHandler {
|
||||||
return &NameserversHandler{
|
return &NameserversHandler{
|
||||||
accountManager: &mock_server.MockAccountManager{
|
accountManager: &mock_server.MockAccountManager{
|
||||||
GetNameServerGroupFunc: func(accountID, nsGroupID string) (*nbdns.NameServerGroup, error) {
|
GetNameServerGroupFunc: func(accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error) {
|
||||||
if nsGroupID == existingNSGroupID {
|
if nsGroupID == existingNSGroupID {
|
||||||
return baseExistingNSGroup.Copy(), nil
|
return baseExistingNSGroup.Copy(), nil
|
||||||
}
|
}
|
||||||
|
@ -63,11 +63,11 @@ type MockAccountManager struct {
|
|||||||
DeletePATFunc func(accountID string, initiatorUserID string, targetUserId string, tokenID string) error
|
DeletePATFunc func(accountID string, initiatorUserID string, targetUserId string, tokenID string) error
|
||||||
GetPATFunc func(accountID string, initiatorUserID string, targetUserId string, tokenID string) (*server.PersonalAccessToken, error)
|
GetPATFunc func(accountID string, initiatorUserID string, targetUserId string, tokenID string) (*server.PersonalAccessToken, error)
|
||||||
GetAllPATsFunc func(accountID string, initiatorUserID string, targetUserId string) ([]*server.PersonalAccessToken, error)
|
GetAllPATsFunc func(accountID string, initiatorUserID string, targetUserId string) ([]*server.PersonalAccessToken, error)
|
||||||
GetNameServerGroupFunc func(accountID, nsGroupID string) (*nbdns.NameServerGroup, error)
|
GetNameServerGroupFunc func(accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error)
|
||||||
CreateNameServerGroupFunc func(accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string, searchDomainsEnabled bool) (*nbdns.NameServerGroup, error)
|
CreateNameServerGroupFunc func(accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string, searchDomainsEnabled bool) (*nbdns.NameServerGroup, error)
|
||||||
SaveNameServerGroupFunc func(accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
|
SaveNameServerGroupFunc func(accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
|
||||||
DeleteNameServerGroupFunc func(accountID, nsGroupID, userID string) error
|
DeleteNameServerGroupFunc func(accountID, nsGroupID, userID string) error
|
||||||
ListNameServerGroupsFunc func(accountID string) ([]*nbdns.NameServerGroup, error)
|
ListNameServerGroupsFunc func(accountID string, userID string) ([]*nbdns.NameServerGroup, error)
|
||||||
CreateUserFunc func(accountID, userID string, key *server.UserInfo) (*server.UserInfo, error)
|
CreateUserFunc func(accountID, userID string, key *server.UserInfo) (*server.UserInfo, error)
|
||||||
GetAccountFromTokenFunc func(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error)
|
GetAccountFromTokenFunc func(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error)
|
||||||
CheckUserAccessByJWTGroupsFunc func(claims jwtclaims.AuthorizationClaims) error
|
CheckUserAccessByJWTGroupsFunc func(claims jwtclaims.AuthorizationClaims) error
|
||||||
@ -496,9 +496,9 @@ func (am *MockAccountManager) InviteUser(accountID string, initiatorUserID strin
|
|||||||
}
|
}
|
||||||
|
|
||||||
// GetNameServerGroup mocks GetNameServerGroup of the AccountManager interface
|
// GetNameServerGroup mocks GetNameServerGroup of the AccountManager interface
|
||||||
func (am *MockAccountManager) GetNameServerGroup(accountID, nsGroupID string) (*nbdns.NameServerGroup, error) {
|
func (am *MockAccountManager) GetNameServerGroup(accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error) {
|
||||||
if am.GetNameServerGroupFunc != nil {
|
if am.GetNameServerGroupFunc != nil {
|
||||||
return am.GetNameServerGroupFunc(accountID, nsGroupID)
|
return am.GetNameServerGroupFunc(accountID, userID, nsGroupID)
|
||||||
}
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
@ -528,9 +528,9 @@ func (am *MockAccountManager) DeleteNameServerGroup(accountID, nsGroupID, userID
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ListNameServerGroups mocks ListNameServerGroups of the AccountManager interface
|
// ListNameServerGroups mocks ListNameServerGroups of the AccountManager interface
|
||||||
func (am *MockAccountManager) ListNameServerGroups(accountID string) ([]*nbdns.NameServerGroup, error) {
|
func (am *MockAccountManager) ListNameServerGroups(accountID string, userID string) ([]*nbdns.NameServerGroup, error) {
|
||||||
if am.ListNameServerGroupsFunc != nil {
|
if am.ListNameServerGroupsFunc != nil {
|
||||||
return am.ListNameServerGroupsFunc(accountID)
|
return am.ListNameServerGroupsFunc(accountID, userID)
|
||||||
}
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
@ -16,7 +16,7 @@ import (
|
|||||||
const domainPattern = `^(?i)[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,}$`
|
const domainPattern = `^(?i)[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,}$`
|
||||||
|
|
||||||
// GetNameServerGroup gets a nameserver group object from account and nameserver group IDs
|
// GetNameServerGroup gets a nameserver group object from account and nameserver group IDs
|
||||||
func (am *DefaultAccountManager) GetNameServerGroup(accountID, nsGroupID string) (*nbdns.NameServerGroup, error) {
|
func (am *DefaultAccountManager) GetNameServerGroup(accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error) {
|
||||||
|
|
||||||
unlock := am.Store.AcquireAccountLock(accountID)
|
unlock := am.Store.AcquireAccountLock(accountID)
|
||||||
defer unlock()
|
defer unlock()
|
||||||
@ -26,6 +26,15 @@ func (am *DefaultAccountManager) GetNameServerGroup(accountID, nsGroupID string)
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
user, err := account.FindUser(userID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view nameserver groups")
|
||||||
|
}
|
||||||
|
|
||||||
nsGroup, found := account.NameServerGroups[nsGroupID]
|
nsGroup, found := account.NameServerGroups[nsGroupID]
|
||||||
if found {
|
if found {
|
||||||
return nsGroup.Copy(), nil
|
return nsGroup.Copy(), nil
|
||||||
@ -147,7 +156,7 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(accountID, nsGroupID, use
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ListNameServerGroups returns a list of nameserver groups from account
|
// ListNameServerGroups returns a list of nameserver groups from account
|
||||||
func (am *DefaultAccountManager) ListNameServerGroups(accountID string) ([]*nbdns.NameServerGroup, error) {
|
func (am *DefaultAccountManager) ListNameServerGroups(accountID string, userID string) ([]*nbdns.NameServerGroup, error) {
|
||||||
|
|
||||||
unlock := am.Store.AcquireAccountLock(accountID)
|
unlock := am.Store.AcquireAccountLock(accountID)
|
||||||
defer unlock()
|
defer unlock()
|
||||||
@ -157,6 +166,15 @@ func (am *DefaultAccountManager) ListNameServerGroups(accountID string) ([]*nbdn
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
user, err := account.FindUser(userID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view name server groups")
|
||||||
|
}
|
||||||
|
|
||||||
nsGroups := make([]*nbdns.NameServerGroup, 0, len(account.NameServerGroups))
|
nsGroups := make([]*nbdns.NameServerGroup, 0, len(account.NameServerGroups))
|
||||||
for _, item := range account.NameServerGroups {
|
for _, item := range account.NameServerGroups {
|
||||||
nsGroups = append(nsGroups, item.Copy())
|
nsGroups = append(nsGroups, item.Copy())
|
||||||
|
@ -20,6 +20,7 @@ const (
|
|||||||
nsGroupPeer2Key = "/yF0+vCfv+mRR5k0dca0TrGdO/oiNeAI58gToZm5NyI="
|
nsGroupPeer2Key = "/yF0+vCfv+mRR5k0dca0TrGdO/oiNeAI58gToZm5NyI="
|
||||||
validDomain = "example.com"
|
validDomain = "example.com"
|
||||||
invalidDomain = "dnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdns.com"
|
invalidDomain = "dnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdnsdns.com"
|
||||||
|
testUserID = "testingUser"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestCreateNameServerGroup(t *testing.T) {
|
func TestCreateNameServerGroup(t *testing.T) {
|
||||||
@ -726,7 +727,7 @@ func TestGetNameServerGroup(t *testing.T) {
|
|||||||
t.Error("failed to init testing account")
|
t.Error("failed to init testing account")
|
||||||
}
|
}
|
||||||
|
|
||||||
foundGroup, err := am.GetNameServerGroup(account.Id, existingNSGroupID)
|
foundGroup, err := am.GetNameServerGroup(account.Id, testUserID, existingNSGroupID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error("getting existing nameserver group failed with error: ", err)
|
t.Error("getting existing nameserver group failed with error: ", err)
|
||||||
}
|
}
|
||||||
@ -735,7 +736,7 @@ func TestGetNameServerGroup(t *testing.T) {
|
|||||||
t.Error("got a nil group while getting nameserver group with ID")
|
t.Error("got a nil group while getting nameserver group with ID")
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err = am.GetNameServerGroup(account.Id, "not existing")
|
_, err = am.GetNameServerGroup(account.Id, testUserID, "not existing")
|
||||||
if err == nil {
|
if err == nil {
|
||||||
t.Error("getting not existing nameserver group should return error, got nil")
|
t.Error("getting not existing nameserver group should return error, got nil")
|
||||||
}
|
}
|
||||||
@ -813,7 +814,7 @@ func initTestNSAccount(t *testing.T, am *DefaultAccountManager) (*Account, error
|
|||||||
}
|
}
|
||||||
|
|
||||||
accountID := "testingAcc"
|
accountID := "testingAcc"
|
||||||
userID := "testingUser"
|
userID := testUserID
|
||||||
domain := "example.com"
|
domain := "example.com"
|
||||||
|
|
||||||
account := newAccountWithId(accountID, userID, domain)
|
account := newAccountWithId(accountID, userID, domain)
|
||||||
|
@ -54,7 +54,7 @@ func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*nbpeer.P
|
|||||||
peers := make([]*nbpeer.Peer, 0)
|
peers := make([]*nbpeer.Peer, 0)
|
||||||
peersMap := make(map[string]*nbpeer.Peer)
|
peersMap := make(map[string]*nbpeer.Peer)
|
||||||
for _, peer := range account.Peers {
|
for _, peer := range account.Peers {
|
||||||
if !user.HasAdminPower() && user.Id != peer.UserID {
|
if !(user.HasAdminPower() || user.IsServiceUser) && user.Id != peer.UserID {
|
||||||
// only display peers that belong to the current user if the current user is not an admin
|
// only display peers that belong to the current user if the current user is not an admin
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -723,7 +723,7 @@ func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*nbp
|
|||||||
}
|
}
|
||||||
|
|
||||||
// if admin or user owns this peer, return peer
|
// if admin or user owns this peer, return peer
|
||||||
if user.HasAdminPower() || peer.UserID == userID {
|
if user.HasAdminPower() || user.IsServiceUser || peer.UserID == userID {
|
||||||
return peer, nil
|
return peer, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -323,7 +323,7 @@ func (am *DefaultAccountManager) GetPolicy(accountID, policyID, userID string) (
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view policies")
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view policies")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -406,7 +406,7 @@ func (am *DefaultAccountManager) ListPolicies(accountID, userID string) ([]*Poli
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view policies")
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view policies")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -27,7 +27,7 @@ func (am *DefaultAccountManager) GetRoute(accountID, routeID, userID string) (*r
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view Network Routes")
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view Network Routes")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -296,7 +296,7 @@ func (am *DefaultAccountManager) ListRoutes(accountID, userID string) ([]*route.
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view Network Routes")
|
return nil, status.Errorf(status.PermissionDenied, "only users with admin power can view Network Routes")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -342,7 +342,7 @@ func (am *DefaultAccountManager) ListSetupKeys(accountID, userID string) ([]*Set
|
|||||||
keys := make([]*SetupKey, 0, len(account.SetupKeys))
|
keys := make([]*SetupKey, 0, len(account.SetupKeys))
|
||||||
for _, key := range account.SetupKeys {
|
for _, key := range account.SetupKeys {
|
||||||
var k *SetupKey
|
var k *SetupKey
|
||||||
if !user.HasAdminPower() {
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
k = key.HiddenCopy(999)
|
k = key.HiddenCopy(999)
|
||||||
} else {
|
} else {
|
||||||
k = key.Copy()
|
k = key.Copy()
|
||||||
@ -384,7 +384,7 @@ func (am *DefaultAccountManager) GetSetupKey(accountID, userID, keyID string) (*
|
|||||||
foundKey.UpdatedAt = foundKey.CreatedAt
|
foundKey.UpdatedAt = foundKey.CreatedAt
|
||||||
}
|
}
|
||||||
|
|
||||||
if !user.HasAdminPower() {
|
if !(user.HasAdminPower() || user.IsServiceUser) {
|
||||||
foundKey = foundKey.HiddenCopy(999)
|
foundKey = foundKey.HiddenCopy(999)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -18,7 +18,7 @@ func TestDefaultAccountManager_SaveSetupKey(t *testing.T) {
|
|||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
userID := "test_user"
|
userID := "testingUser"
|
||||||
account, err := manager.GetOrCreateAccountByUser(userID, "")
|
account, err := manager.GetOrCreateAccountByUser(userID, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
@ -76,7 +76,7 @@ func TestDefaultAccountManager_CreateSetupKey(t *testing.T) {
|
|||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
userID := "test_user"
|
userID := "testingUser"
|
||||||
account, err := manager.GetOrCreateAccountByUser(userID, "")
|
account, err := manager.GetOrCreateAccountByUser(userID, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
|
@ -991,7 +991,7 @@ func (am *DefaultAccountManager) GetUsersFromAccount(accountID, userID string) (
|
|||||||
// in case of self-hosted, or IDP doesn't return anything, we will return the locally stored userInfo
|
// in case of self-hosted, or IDP doesn't return anything, we will return the locally stored userInfo
|
||||||
if len(queriedUsers) == 0 {
|
if len(queriedUsers) == 0 {
|
||||||
for _, accountUser := range account.Users {
|
for _, accountUser := range account.Users {
|
||||||
if !user.HasAdminPower() && user.Id != accountUser.Id {
|
if !(user.HasAdminPower() || user.IsServiceUser || user.Id == accountUser.Id) {
|
||||||
// if user is not an admin then show only current user and do not show other users
|
// if user is not an admin then show only current user and do not show other users
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
@ -1005,7 +1005,7 @@ func (am *DefaultAccountManager) GetUsersFromAccount(accountID, userID string) (
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, localUser := range account.Users {
|
for _, localUser := range account.Users {
|
||||||
if !user.HasAdminPower() && user.Id != localUser.Id {
|
if !(user.HasAdminPower() || user.IsServiceUser) && user.Id != localUser.Id {
|
||||||
// if user is not an admin then show only current user and do not show other users
|
// if user is not an admin then show only current user and do not show other users
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
@ -822,8 +822,8 @@ func TestUser_GetUsersFromAccount_ForUser(t *testing.T) {
|
|||||||
t.Fatalf("Error when getting users from account: %s", err)
|
t.Fatalf("Error when getting users from account: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
assert.Equal(t, 1, len(users))
|
// Service users should see all users
|
||||||
assert.Equal(t, mockServiceUserID, users[0].ID)
|
assert.Equal(t, 2, len(users))
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestDefaultAccountManager_SaveUser(t *testing.T) {
|
func TestDefaultAccountManager_SaveUser(t *testing.T) {
|
||||||
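Review bot: The assertion now checks only `assert.Equal(t, 2, len(users))` and drops the former `users[0].ID` check, so the test no longer verifies which users a service user sees, only how many. Suggest asserting the identities as well, e.g. collecting each `users[i].ID` into a set and comparing it with `mockServiceUserID` and the other expected user ID (placeholder: the second user created by this test's setup), so a regression that returns the wrong pair of users still fails. TestUser_GetUsersFromAccount_ForUser starts outside this hunk.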
|