Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2024-11-26 12:15:20 +01:00
Code Issues Projects Releases Wiki Activity

Fix the access control checking issue

Browse Source 
should check access first, then check authentication
return 401/403 accroding to the checking results properly
This commit is contained in:
Steven Zou 2018-07-26 14:28:16 +08:00
parent c1e1779ac0
commit 01fb95062c
1 changed files with 19 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/ui/api/chart_repository.go
View File

@ -284,39 +284,31 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
return true //do nothing
}
//At least, authentication is necessary when level > public
if !cra.SecurityCtx.IsAuthenticated() {
cra.HandleUnauthorized()
return false
}
theLevel := accessLevel
//If repo is empty, system admin role must be required
if len(namespace) == 0 {
theLevel = accessLevelSystem
}
var err error
switch theLevel {
//Should be system admin role
case accessLevelSystem:
if !cra.SecurityCtx.IsSysAdmin() {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername()))
return false
err = fmt.Errorf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername())
}
case accessLevelAll:
if !cra.SecurityCtx.HasAllPerm(namespace) {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername()))
return false
err = fmt.Errorf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
}
case accessLevelWrite:
if !cra.SecurityCtx.HasWritePerm(namespace) {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername()))
return false
err = fmt.Errorf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
}
case accessLevelRead:
if !cra.SecurityCtx.HasReadPerm(namespace) {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername()))
return false
err = fmt.Errorf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername())
}
default:
//access rejected for invalid scope
@ -324,6 +316,19 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
return false
}
//Access is not granted, check if user has authenticated
if err != nil {
//Unauthenticated, return 401
if !cra.SecurityCtx.IsAuthenticated() {
cra.HandleUnauthorized()
return false
}
//Authenticated, return 403
cra.RenderError(http.StatusForbidden, err.Error())
return false
}
return true
}