diff --git a/src/server/v2.0/handler/robot.go b/src/server/v2.0/handler/robot.go
index fd73ccb4d..c6e941f81 100644
--- a/src/server/v2.0/handler/robot.go
+++ b/src/server/v2.0/handler/robot.go
@@ -481,11 +481,14 @@ func isValidPermissionScope(creating []*models.RobotPermission, creator []*robot
 	for _, pCreating := range creating {
 		key := fmt.Sprintf("%s:%s", pCreating.Kind, pCreating.Namespace)
-		creatingPerm, found := creatorMap[key]
+		creatorPerm, found := creatorMap[key]
 		if !found {
-			return false
+			allProjects := fmt.Sprintf("%s:*", pCreating.Kind)
+			if creatorPerm, found = creatorMap[allProjects]; !found {
+				return false
+			}
 		}
-		if !hasLessThanOrEqualAccess(pCreating.Access, creatingPerm.Access) {
+		if !hasLessThanOrEqualAccess(pCreating.Access, creatorPerm.Access) {
 			return false
 		}
 	}
diff --git a/src/server/v2.0/handler/robot_test.go b/src/server/v2.0/handler/robot_test.go
index 9cd64de3e..fdcf326e4 100644
--- a/src/server/v2.0/handler/robot_test.go
+++ b/src/server/v2.0/handler/robot_test.go
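Review bot: The `kind:*` fallback under `if !found {` is consulted only when the exact `kind:namespace` entry is absent, so a creator that holds both a narrower `project:test1` grant and a broader `project:*` grant is rejected for an access the wildcard would allow; if the creator's permission list can carry both entries at once (not visible from this hunk), the wildcard should also be tried when the exact entry exists but is too narrow, which still never widens beyond what the creator actually holds. Note that `pCreating.Kind` is caller-supplied, but it only selects which of the creator's own entries is compared, so a bogus kind just misses the map. Whatever precedence is kept, a comment above the fallback such as `// "<kind>:*" covers every namespace of that kind; use it when there is no exact entry.` would make the intent explicit. `isValidPermissionScope` starts before and ends after this hunk.
```go
		creatorPerm, found := creatorMap[key]
		if !found || !hasLessThanOrEqualAccess(pCreating.Access, creatorPerm.Access) {
			// "<kind>:*" covers every namespace of that kind; consult it when the
			// exact entry is missing or narrower than the requested access.
			allProjects := fmt.Sprintf("%s:*", pCreating.Kind)
			if creatorPerm, found = creatorMap[allProjects]; !found {
				return false
			}
			if !hasLessThanOrEqualAccess(pCreating.Access, creatorPerm.Access) {
				return false
			}
		}
		// … unchanged: end of loop …
```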
@@ -382,6 +382,96 @@ func TestValidPermissionScope(t *testing.T) {
 			},
 			expected: false,
 		},
+		{
+			name: "System - subset project",
+			creatingPerms: []*models.RobotPermission{
+				{
+					Kind: "project",
+					Namespace: "test1",
+					Access: []*models.Access{
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			creatorPerms: []*robot.Permission{
+				{
+					Kind: "system",
+					Namespace: "/",
+					Access: []*types.Policy{
+						{Resource: "robot", Action: "create", Effect: "allow"},
+					},
+				},
+				{
+					Kind: "project",
+					Namespace: "test1",
+					Access: []*types.Policy{
+						{Resource: "user", Action: "create", Effect: "allow"},
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "System - cover all",
+			creatingPerms: []*models.RobotPermission{
+				{
+					Kind: "project",
+					Namespace: "test1",
+					Access: []*models.Access{
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			creatorPerms: []*robot.Permission{
+				{
+					Kind: "system",
+					Namespace: "/",
+					Access: []*types.Policy{
+						{Resource: "robot", Action: "create", Effect: "allow"},
+					},
+				},
+				{
+					Kind: "project",
+					Namespace: "*",
+					Access: []*types.Policy{
+						{Resource: "user", Action: "create", Effect: "allow"},
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "System - cover all 2",
+			creatingPerms: []*models.RobotPermission{
+				{
+					Kind: "project",
+					Namespace: "test1",
+					Access: []*models.Access{
+						{Resource: "user", Action: "update", Effect: "allow"},
+					},
+				},
+			},
+			creatorPerms: []*robot.Permission{
+				{
+					Kind: "system",
+					Namespace: "/",
+					Access: []*types.Policy{
+						{Resource: "robot", Action: "create", Effect: "allow"},
+					},
+				},
+				{
+					Kind: "project",
+					Namespace: "*",
+					Access: []*types.Policy{
+						{Resource: "user", Action: "create", Effect: "allow"},
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			expected: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
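Review bot: The three new cases only ever give the creator a `project:*` entry without an exact entry for the same project, so the precedence between an exact `project:test1` grant and the wildcard is never pinned. Add a case where the creator holds `project:test1` with only `user:create` and `project:*` with `user:create` and `user:delete`, requesting `user:delete` on `test1`, and state the intended `expected` value so a later change to the lookup order cannot silently alter it. A mirror case where the wildcard is on a different `Kind` than the one requested (expected `false`) would also show that the fallback key is built from the requested kind. `TestValidPermissionScope` starts before and ends after this hunk.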