admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: forbidden update user

Browse Source 
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-07-09 17:49:28 +08:00
parent f187f97c76
commit 3c6ca85e30
2 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/controller/user/user_controller_test.go
View File

@@ -209,9 +209,7 @@ func checkAction(expected, actual core.Action, t *testing.T) {
func filterInformerActions(actions []core.Action) []core.Action { func filterInformerActions(actions []core.Action) []core.Action {
var ret []core.Action var ret []core.Action
for _, action := range actions { for _, action := range actions {
if action.Matches("list", "users") || if !action.Matches("update", "users") {
action.Matches("list", "configmaps") ||
action.Matches("watch", "users") {
continue continue
} }
ret = append(ret, action) ret = append(ret, action)

16
pkg/kapis/iam/v1alpha2/handler.go
View File

@@ -533,7 +533,7 @@ func (h *iamHandler) ModifyPassword(request *restful.Request, response *restful.
_, err := h.im.Authenticate(username, passwordReset.CurrentPassword) _, err := h.im.Authenticate(username, passwordReset.CurrentPassword)
if err != nil { if err != nil {
if err == im.AuthFailedIncorrectPassword { if err == im.AuthFailedIncorrectPassword {
err = errors.NewForbidden(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularUser), username, err) err = errors.NewBadRequest("incorrect old password")
klog.Warning(err) klog.Warning(err)
handleError(request, response, err) handleError(request, response, err)
return return
@@ -1173,6 +1173,17 @@ func (h *iamHandler) PatchClusterRole(request *restful.Request, response *restfu
} }
func (h *iamHandler) updateGlobalRoleBinding(operator user.Info, user *iamv1alpha2.User, globalRole string) error { func (h *iamHandler) updateGlobalRoleBinding(operator user.Info, user *iamv1alpha2.User, globalRole string) error {
oldGlobalRole, err := h.am.GetGlobalRoleOfUser(user.Name)
if err != nil && !errors.IsNotFound(err) {
klog.Error(err)
return err
}
if oldGlobalRole.Name == globalRole {
return nil
}
userManagement := authorizer.AttributesRecord{ userManagement := authorizer.AttributesRecord{
Resource: iamv1alpha2.ResourcesPluralUser, Resource: iamv1alpha2.ResourcesPluralUser,
Verb: "update", Verb: "update",
@@ -1186,7 +1197,8 @@ func (h *iamHandler) updateGlobalRoleBinding(operator user.Info, user *iamv1alph
return err return err
} }
if decision != authorizer.DecisionAllow { if decision != authorizer.DecisionAllow {
err = errors.NewForbidden(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularUser), user.Name, fmt.Errorf("update global role binding not allowed")) err = errors.NewForbidden(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularUser),
user.Name, fmt.Errorf("update global role binding is not allowed"))
klog.Warning(err) klog.Warning(err)
return err return err
} }