Hide projects in global logs where user has limited guest role

Signed-off-by: Mark Huang <mhuang@pivotal.io>
2024-10-31 23:59:32 +01:00 · 2020-01-06 16:16:19 -05:00 · 2020-01-06 16:16:19 -05:00 · c2257d49b8
commit c2257d49b8
parent 012aa570c8
3 changed files with 40 additions and 7 deletions
--- a/src/core/api/api_test.go
+++ b/src/core/api/api_test.go
@ -40,8 +40,8 @@ import (
 )

 var (
-	nonSysAdminID, projAdminID, projDeveloperID, projGuestID, projAdminRobotID int64
-	projAdminPMID, projDeveloperPMID, projGuestPMID, projAdminRobotPMID        int
+	nonSysAdminID, projAdminID, projDeveloperID, projGuestID, projLimitedGuestID, projAdminRobotID int64
+	projAdminPMID, projDeveloperPMID, projGuestPMID, projLimitedGuestPMID, projAdminRobotPMID      int
 	// The following users/credentials are registered and assigned roles at the beginning of
 	// running testing and cleaned up at the end.
 	// Do not try to change the system and project roles that the users have during
@ -67,6 +67,10 @@ var (
 		Name:   "proj_guest",
 		Passwd: "Harbor12345",
 	}
+	projLimitedGuest = &usrInfo{
+		Name:   "proj_limited_guest",
+		Passwd: "Harbor12345",
+	}
 	projAdmin4Robot = &usrInfo{
 		Name:   "proj_admin_robot",
 		Passwd: "Harbor12345",
@ -312,6 +316,24 @@ func prepare() error {
 	}); err != nil {
 		return err
 	}
+
+	// register projLimitedGuest and assign project limit guest role
+	projLimitedGuestID, err = dao.Register(models.User{
+		Username: projLimitedGuest.Name,
+		Password: projLimitedGuest.Passwd,
+		Email:    projLimitedGuest.Name + "@test.com",
+	})
+	if err != nil {
+		return err
+	}
+	if projLimitedGuestPMID, err = project.AddProjectMember(models.Member{
+		ProjectID:  1,
+		Role:       common.RoleLimitedGuest,
+		EntityID:   int(projLimitedGuestID),
+		EntityType: common.UserMember,
+	}); err != nil {
+		return err
+	}
 	return err
 }

--- a/src/core/api/log.go
+++ b/src/core/api/log.go
@ -18,8 +18,10 @@ import (
 	"fmt"

 	"errors"
+
 	"github.com/goharbor/harbor/src/common/dao"
 	"github.com/goharbor/harbor/src/common/models"
+	"github.com/goharbor/harbor/src/common/rbac"
 	"github.com/goharbor/harbor/src/common/utils"
 )

@ -87,17 +89,20 @@ func (l *LogAPI) Get() {
 			return
 		}

-		if len(projects) == 0 {
+		ids := []int64{}
+		for _, project := range projects {
+			if hasPermission, _ := l.HasProjectPermission(project.ProjectID, rbac.ActionList, rbac.ResourceLog); hasPermission {
+				ids = append(ids, project.ProjectID)
+			}
+		}
+
+		if len(ids) == 0 {
 			l.SetPaginationHeader(0, page, size)
 			l.Data["json"] = nil
 			l.ServeJSON()
 			return
 		}

-		ids := []int64{}
-		for _, project := range projects {
-			ids = append(ids, project.ProjectID)
-		}
 		query.ProjectIDs = ids
 	}

--- a/src/core/api/log_test.go
+++ b/src/core/api/log_test.go
@ -93,4 +93,10 @@ func TestLogGet(t *testing.T) {
 	assert.Equal(t, repository, logs[0].RepoName)
 	assert.Equal(t, tag, logs[0].RepoTag)
 	assert.Equal(t, operation, logs[0].Operation)
+
+	// Limited Guest 200 && no logs
+	c.credential = projLimitedGuest
+	err = handleAndParse(c, &logs)
+	require.Nil(t, err)
+	require.Equal(t, 0, len(logs))
 }