From 01fb95062ce66458cc96f0cf42feb9b94b6095dd Mon Sep 17 00:00:00 2001
From: Steven Zou
Date: Thu, 26 Jul 2018 14:28:16 +0800
Subject: [PATCH] Fix the access control checking issue

should check access first, then check authentication return 401/403 accroding to the checking results properly
---
 src/ui/api/chart_repository.go | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/src/ui/api/chart_repository.go b/src/ui/api/chart_repository.go
index 316590b40..add410ecb 100644
--- a/src/ui/api/chart_repository.go
+++ b/src/ui/api/chart_repository.go
@@ -284,39 +284,31 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
 return true //do nothing
 }
- //At least, authentication is necessary when level > public
- if !cra.SecurityCtx.IsAuthenticated() {
- cra.HandleUnauthorized()
- return false
- }
-
 theLevel := accessLevel
 //If repo is empty, system admin role must be required
 if len(namespace) == 0 {
 theLevel = accessLevelSystem
 }
+ var err error
+
 switch theLevel {
 //Should be system admin role
 case accessLevelSystem:
 if !cra.SecurityCtx.IsSysAdmin() {
- cra.RenderError(http.StatusForbidden, fmt.Sprintf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername()))
- return false
+ err = fmt.Errorf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername())
 }
 case accessLevelAll:
 if !cra.SecurityCtx.HasAllPerm(namespace) {
- cra.RenderError(http.StatusForbidden, fmt.Sprintf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername()))
- return false
+ err = fmt.Errorf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
 }
 case accessLevelWrite:
 if !cra.SecurityCtx.HasWritePerm(namespace) {
- cra.RenderError(http.StatusForbidden, fmt.Sprintf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername()))
- return false
+ err = fmt.Errorf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
 }
 case accessLevelRead:
 if !cra.SecurityCtx.HasReadPerm(namespace) {
- cra.RenderError(http.StatusForbidden, fmt.Sprintf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername()))
- return false
+ err = fmt.Errorf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername())
 }
 default:
 //access rejected for invalid scope
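Review bot: Moving the `IsAuthenticated()` guard behind the permission switch changes who can pass at `accessLevelRead`: an unauthenticated security context for which `HasReadPerm(namespace)` returns true (if the context grants anonymous read on public projects) now gets `return true`, whereas the removed block returned 401 for every level above public. If that is the intended semantics, state it where `var err error` is declared, e.g. `// err records why access was denied; nil means the caller's permissions suffice, authenticated or not`; if it is not, the authentication guard has to stay in front of the switch. The name `err` also reads as a failure of the check itself rather than a denial verdict, so `denied` or `reason` would make the `if err != nil` in the second hunk self-explanatory. requireAccess begins before this hunk and its tail is in the next one.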
@@ -324,6 +316,19 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
 return false
 }
+ //Access is not granted, check if user has authenticated
+ if err != nil {
+ //Unauthenticated, return 401
+ if !cra.SecurityCtx.IsAuthenticated() {
+ cra.HandleUnauthorized()
+ return false
+ }
+
+ //Authenticated, return 403
+ cra.RenderError(http.StatusForbidden, err.Error())
+ return false
+ }
+
 return true
 }
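Review bot: The 401-versus-403 ordering added here is the whole point of the commit, yet the diffstat shows only chart_repository.go changed, so nothing pins it down; a table test over requireAccess with an unauthenticated context, an authenticated context lacking the role, and an authorized one (expecting 401, 403 and true respectively) would stop a later refactor from silently reverting the order. The doc comment above requireAccess's signature, which sits outside both hunks, should also state the contract, e.g. `// requireAccess writes 401 when the caller is unauthenticated and lacks the required permission, 403 when authenticated but lacking it, and returns false in both cases; callers must return immediately on false.` The denial message is rendered only on the 403 path, which is acceptable since it names the caller's own username. The closing brace of requireAccess is the last line of this hunk.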