mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-27 11:07:46 +01:00
Fix the access control checking issue
should check access first, then check authentication return 401/403 accroding to the checking results properly
This commit is contained in:
parent
c1e1779ac0
commit
01fb95062c
@ -284,39 +284,31 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
|
||||
return true //do nothing
|
||||
}
|
||||
|
||||
//At least, authentication is necessary when level > public
|
||||
if !cra.SecurityCtx.IsAuthenticated() {
|
||||
cra.HandleUnauthorized()
|
||||
return false
|
||||
}
|
||||
|
||||
theLevel := accessLevel
|
||||
//If repo is empty, system admin role must be required
|
||||
if len(namespace) == 0 {
|
||||
theLevel = accessLevelSystem
|
||||
}
|
||||
|
||||
var err error
|
||||
|
||||
switch theLevel {
|
||||
//Should be system admin role
|
||||
case accessLevelSystem:
|
||||
if !cra.SecurityCtx.IsSysAdmin() {
|
||||
cra.RenderError(http.StatusForbidden, fmt.Sprintf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername()))
|
||||
return false
|
||||
err = fmt.Errorf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername())
|
||||
}
|
||||
case accessLevelAll:
|
||||
if !cra.SecurityCtx.HasAllPerm(namespace) {
|
||||
cra.RenderError(http.StatusForbidden, fmt.Sprintf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername()))
|
||||
return false
|
||||
err = fmt.Errorf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
|
||||
}
|
||||
case accessLevelWrite:
|
||||
if !cra.SecurityCtx.HasWritePerm(namespace) {
|
||||
cra.RenderError(http.StatusForbidden, fmt.Sprintf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername()))
|
||||
return false
|
||||
err = fmt.Errorf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
|
||||
}
|
||||
case accessLevelRead:
|
||||
if !cra.SecurityCtx.HasReadPerm(namespace) {
|
||||
cra.RenderError(http.StatusForbidden, fmt.Sprintf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername()))
|
||||
return false
|
||||
err = fmt.Errorf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername())
|
||||
}
|
||||
default:
|
||||
//access rejected for invalid scope
|
||||
@ -324,6 +316,19 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
|
||||
return false
|
||||
}
|
||||
|
||||
//Access is not granted, check if user has authenticated
|
||||
if err != nil {
|
||||
//Unauthenticated, return 401
|
||||
if !cra.SecurityCtx.IsAuthenticated() {
|
||||
cra.HandleUnauthorized()
|
||||
return false
|
||||
}
|
||||
|
||||
//Authenticated, return 403
|
||||
cra.RenderError(http.StatusForbidden, err.Error())
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user