Fix the access control checking issue

should check access first, then check authentication
return 401/403 according to the checking results properly
Steven Zou 2018-07-26 14:28:16 +08:00
parent c1e1779ac0
commit 01fb95062c


@ -284,39 +284,31 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
return true //do nothing return true //do nothing
} }
//At least, authentication is necessary when level > public
if !cra.SecurityCtx.IsAuthenticated() {
cra.HandleUnauthorized()
return false
}
theLevel := accessLevel theLevel := accessLevel
//If repo is empty, system admin role must be required //If repo is empty, system admin role must be required
if len(namespace) == 0 { if len(namespace) == 0 {
theLevel = accessLevelSystem theLevel = accessLevelSystem
} }
var err error
switch theLevel { switch theLevel {
//Should be system admin role //Should be system admin role
case accessLevelSystem: case accessLevelSystem:
if !cra.SecurityCtx.IsSysAdmin() { if !cra.SecurityCtx.IsSysAdmin() {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername())) err = fmt.Errorf("system admin role is required but user '%s' is not", cra.SecurityCtx.GetUsername())
return false
} }
case accessLevelAll: case accessLevelAll:
if !cra.SecurityCtx.HasAllPerm(namespace) { if !cra.SecurityCtx.HasAllPerm(namespace) {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())) err = fmt.Errorf("project admin role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
return false
} }
case accessLevelWrite: case accessLevelWrite:
if !cra.SecurityCtx.HasWritePerm(namespace) { if !cra.SecurityCtx.HasWritePerm(namespace) {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())) err = fmt.Errorf("developer role is required but user '%s' does not have", cra.SecurityCtx.GetUsername())
return false
} }
case accessLevelRead: case accessLevelRead:
if !cra.SecurityCtx.HasReadPerm(namespace) { if !cra.SecurityCtx.HasReadPerm(namespace) {
cra.RenderError(http.StatusForbidden, fmt.Sprintf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername())) err = fmt.Errorf("at least a guest role is required for user '%s'", cra.SecurityCtx.GetUsername())
return false
} }
default: default:
//access rejected for invalid scope //access rejected for invalid scope
@ -324,6 +316,19 @@ func (cra *ChartRepositoryAPI) requireAccess(namespace string, accessLevel uint)
return false return false
} }
//Access is not granted, check if user has authenticated
if err != nil {
//Unauthenticated, return 401
if !cra.SecurityCtx.IsAuthenticated() {
cra.HandleUnauthorized()
return false
}
//Authenticated, return 403
cra.RenderError(http.StatusForbidden, err.Error())
return false
}
return true return true
} }
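Review bot: The `if err != nil` block in the second hunk makes the 401/403 split depend on the SecurityCtx permission methods (`HasReadPerm` and friends, called in the first hunk) returning false for an unauthenticated caller on non-public namespaces; that is not visible here and deserves a comment at the top of the block, e.g. `// Permission checks run before the authentication check so anonymous access to public namespaces is allowed; an anonymous caller is only turned away (401) when the permission check itself fails.`. The value declared at `var err error` is never wrapped or inspected, only rendered as the 403 message, so a `reason string` would state the intent more directly than an `error`. The doc comment on `requireAccess`, which starts above the first hunk, should also spell out the new contract: returns true when access is granted, otherwise writes 401 for unauthenticated and 403 for authenticated-but-denied callers and returns false. The body of the `default` case between the two hunks is not shown.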