From 452d09775a38fda99d808babd3af1aa23ff61c18 Mon Sep 17 00:00:00 2001
From: hongming
Date: Mon, 6 Jan 2025 15:34:24 +0800
Subject: [PATCH] adjust the authorization rules for workspace roles (#6329)

Signed-off-by: hongming
---
 config/ks-core/templates/builtinroles.yaml | 16 ++++++----------
 config/ks-core/templates/roletemplates.yaml | 7 +++++--
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/config/ks-core/templates/builtinroles.yaml b/config/ks-core/templates/builtinroles.yaml
index e14db6a72..89d1b4376 100644
--- a/config/ks-core/templates/builtinroles.yaml
+++ b/config/ks-core/templates/builtinroles.yaml
@@ -173,6 +173,8 @@ role:
 iam.kubesphere.io/scope: "workspace"
 templateNames:
 - workspace-view-workspace-settings
+ - workspace-view-members
+ - workspace-view-roles
 apiVersion: iam.kubesphere.io/v1beta1
 kind: WorkspaceRole
 metadata:
@@ -181,16 +183,7 @@ role:
 kubesphere.io/description: '{"zh": "查看企业空间设置。", "en": "View workspace settings."}'
 iam.kubesphere.io/auto-aggregate: "true"
 name: regular
- rules:
- - apiGroups:
- - '*'
- resources:
- - workspaces
- - workspacemembers
- verbs:
- - get
- - list
- - watch
+ rules: []

 ---
 apiVersion: iam.kubesphere.io/v1beta1
@@ -208,6 +201,9 @@ role:
 templateNames:
 - workspace-create-projects
 - workspace-view-workspace-settings
+ - workspace-view-members
+ - workspace-view-roles
+ - workspace-view-app-repos
 apiVersion: iam.kubesphere.io/v1beta1
 kind: WorkspaceRole
 metadata:
diff --git a/config/ks-core/templates/roletemplates.yaml b/config/ks-core/templates/roletemplates.yaml
index f1bcb67ea..ba4b31cb4 100644
--- a/config/ks-core/templates/roletemplates.yaml
+++ b/config/ks-core/templates/roletemplates.yaml
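Review bot: Replacing the explicit `rules` of the `regular` WorkspaceRole with `rules: []` in the second hunk removes the only place in this file where that role's baseline access (get/list/watch on `workspaces` and `workspacemembers` across `'*'` apiGroups) could be read, so the role now depends entirely on `iam.kubesphere.io/auto-aggregate: "true"` pulling templates in at runtime. The two templates added to `templateNames`, `workspace-view-members` and `workspace-view-roles`, plausibly cover `workspacemembers`, but nothing in the hunk shows which template keeps get/list/watch on the `workspaces` resource itself; presumably `workspace-view-workspace-settings`, which should be confirmed before the explicit rule is dropped. A comment above the new line such as `# Intentionally empty: permissions are aggregated from RoleTemplates labelled iam.kubesphere.io/aggregate-to-regular` would make the empty list read as deliberate rather than as an accidental removal of access. In the third hunk the self-provisioner's list gains `workspace-view-app-repos` while the regular role's list does not, even though that template carries `iam.kubesphere.io/aggregate-to-regular: ""` in roletemplates.yaml; if `templateNames` is meant to mirror the aggregate-to labels, the regular role's list is incomplete.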
@@ -1103,6 +1103,8 @@ metadata:
 iam.kubesphere.io/category: workspace-access-control
 iam.kubesphere.io/scope: "workspace"
 iam.kubesphere.io/aggregate-to-viewer: ""
+ iam.kubesphere.io/aggregate-to-self-provisioner: ""
+ iam.kubesphere.io/aggregate-to-regular: ""
 kubesphere.io/managed: 'true'
 name: workspace-view-members
 spec:
@@ -1168,6 +1170,8 @@ metadata:
 iam.kubesphere.io/category: workspace-access-control
 iam.kubesphere.io/scope: "workspace"
 iam.kubesphere.io/aggregate-to-viewer: ""
+ iam.kubesphere.io/aggregate-to-regular: ""
+ iam.kubesphere.io/aggregate-to-self-provisioner: ""
 kubesphere.io/managed: 'true'
 name: workspace-view-roles
 spec:
@@ -1846,6 +1850,7 @@ metadata:
 iam.kubesphere.io/category: workspace-app
 iam.kubesphere.io/scope: workspace
 kubesphere.io/managed: "true"
+ iam.kubesphere.io/aggregate-to-self-provisioner: ""
 iam.kubesphere.io/aggregate-to-viewer: ""
 iam.kubesphere.io/aggregate-to-regular: ""
 name: workspace-view-app-repos
@@ -1877,7 +1882,6 @@ metadata:
 iam.kubesphere.io/category: workspace-app
 iam.kubesphere.io/scope: workspace
 kubesphere.io/managed: "true"
- iam.kubesphere.io/aggregate-to-self-provisioner: ""
 iam.kubesphere.io/aggregate-to-admin: ""
 name: workspace-manage-app-repos
 spec:
@@ -2002,7 +2006,6 @@ metadata:
 iam.kubesphere.io/category: workspace-app
 iam.kubesphere.io/scope: workspace
 kubesphere.io/managed: "true"
- iam.kubesphere.io/aggregate-to-self-provisioner: ""
 iam.kubesphere.io/aggregate-to-admin: ""
 name: workspace-manage-app-templates
 spec:
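Review bot: The two labels added in the first hunk are written as `aggregate-to-self-provisioner` then `aggregate-to-regular`, while the second hunk adds the same pair in the opposite order; keep one order across the `workspace-view-*` templates so the annotation blocks diff and grep consistently. The last two hunks remove `iam.kubesphere.io/aggregate-to-self-provisioner: ""` from `workspace-manage-app-repos` and `workspace-manage-app-templates`, so existing self-provisioners lose write access to app repos and templates and keep only the view template the third hunk adds; this looks like an intended least-privilege tightening, but the commit description does not say so. A sentence in the description stating that self-provisioner is downgraded from managing to viewing app repos and templates would help operators who meet the change after an upgrade.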