From d967ac0fb659ef84f500c94cd67c803da6d179c8 Mon Sep 17 00:00:00 2001
From: Shijun Sun <30999793+AllForNothing@users.noreply.github.com>
Date: Wed, 22 Nov 2023 14:37:31 +0800
Subject: [PATCH] Update the permission scope (#19603)

1. Update the permission scope
2. Sort the resources and actions by unicode

Signed-off-by: AllForNothing <sshijun@vmware.com>
---
 src/common/rbac/const.go                      | 29 +++++++++----------
 .../robot-permissions-panel.component.ts      |  2 ++
 tests/apitests/python/test_robot_account.py   |  2 +-
 3 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/src/common/rbac/const.go b/src/common/rbac/const.go
index 1ae653bccb..3c64a85336 100644
--- a/src/common/rbac/const.go
+++ b/src/common/rbac/const.go
@@ -102,9 +102,7 @@ var (
 
 			{Resource: ResourceReplication, Action: ActionRead},
 			{Resource: ResourceReplication, Action: ActionCreate},
-			{Resource: ResourceReplication, Action: ActionDelete},
 			{Resource: ResourceReplication, Action: ActionList},
-			{Resource: ResourceReplication, Action: ActionUpdate},
 
 			{Resource: ResourceReplicationAdapter, Action: ActionList},
 
@@ -145,7 +143,6 @@ var (
 			{Resource: ResourceLabel, Action: ActionRead},
 			{Resource: ResourceLabel, Action: ActionCreate},
 			{Resource: ResourceLabel, Action: ActionDelete},
-			{Resource: ResourceLabel, Action: ActionList},
 			{Resource: ResourceLabel, Action: ActionUpdate},
 
 			{Resource: ResourceSecurityHub, Action: ActionRead},
@@ -154,11 +151,7 @@ var (
 			{Resource: ResourceCatalog, Action: ActionRead},
 		},
 		"Project": {
-			{Resource: ResourceLabel, Action: ActionRead},
-			{Resource: ResourceLabel, Action: ActionCreate},
-			{Resource: ResourceLabel, Action: ActionDelete},
-			{Resource: ResourceLabel, Action: ActionList},
-			{Resource: ResourceLabel, Action: ActionUpdate},
+			{Resource: ResourceLog, Action: ActionList},
 
 			{Resource: ResourceProject, Action: ActionRead},
 			{Resource: ResourceProject, Action: ActionDelete},
@@ -192,7 +185,7 @@ var (
 
 			{Resource: ResourceAccessory, Action: ActionList},
 
-			{Resource: ResourceArtifactAddition, Action: ActionCreate},
+			{Resource: ResourceArtifactAddition, Action: ActionRead},
 
 			{Resource: ResourceArtifactLabel, Action: ActionCreate},
 			{Resource: ResourceArtifactLabel, Action: ActionDelete},
@@ -211,19 +204,23 @@ var (
 			{Resource: ResourceImmutableTag, Action: ActionList},
 			{Resource: ResourceImmutableTag, Action: ActionUpdate},
 
+			{Resource: ResourceNotificationPolicy, Action: ActionRead},
+			{Resource: ResourceNotificationPolicy, Action: ActionCreate},
+			{Resource: ResourceNotificationPolicy, Action: ActionDelete},
+			{Resource: ResourceNotificationPolicy, Action: ActionList},
+			{Resource: ResourceNotificationPolicy, Action: ActionUpdate},
+
 			{Resource: ResourceTagRetention, Action: ActionRead},
 			{Resource: ResourceTagRetention, Action: ActionCreate},
 			{Resource: ResourceTagRetention, Action: ActionDelete},
 			{Resource: ResourceTagRetention, Action: ActionList},
 			{Resource: ResourceTagRetention, Action: ActionUpdate},
 
-			{Resource: ResourceLog, Action: ActionList},
-
-			{Resource: ResourceNotificationPolicy, Action: ActionRead},
-			{Resource: ResourceNotificationPolicy, Action: ActionCreate},
-			{Resource: ResourceNotificationPolicy, Action: ActionDelete},
-			{Resource: ResourceNotificationPolicy, Action: ActionList},
-			{Resource: ResourceNotificationPolicy, Action: ActionUpdate},
+			{Resource: ResourceLabel, Action: ActionRead},
+			{Resource: ResourceLabel, Action: ActionCreate},
+			{Resource: ResourceLabel, Action: ActionDelete},
+			{Resource: ResourceLabel, Action: ActionList},
+			{Resource: ResourceLabel, Action: ActionUpdate},
 		},
 	}
 )
diff --git a/src/portal/src/app/shared/components/robot-permissions-panel/robot-permissions-panel.component.ts b/src/portal/src/app/shared/components/robot-permissions-panel/robot-permissions-panel.component.ts
index 59ef454c2d..e79c9e4dd5 100644
--- a/src/portal/src/app/shared/components/robot-permissions-panel/robot-permissions-panel.component.ts
+++ b/src/portal/src/app/shared/components/robot-permissions-panel/robot-permissions-panel.component.ts
@@ -88,6 +88,8 @@ export class RobotPermissionsPanelComponent
                 this.candidateActions.push(item?.action);
             }
         });
+        this.candidateActions.sort();
+        this.candidateResources.sort();
     }
 
     isCandidate(resource: string, action: string): boolean {
diff --git a/tests/apitests/python/test_robot_account.py b/tests/apitests/python/test_robot_account.py
index ddc6cbc614..6d7db141eb 100644
--- a/tests/apitests/python/test_robot_account.py
+++ b/tests/apitests/python/test_robot_account.py
@@ -162,7 +162,7 @@ class TestRobotAccount(unittest.TestCase):
                 expected_error_message = expected_error_message
             )
 
-    def Atest_02_SystemlevelRobotAccount(self):
+    def test_02_SystemlevelRobotAccount(self):
         """
         Test case:
             Robot Account