admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #2373 from wansir/2358

Browse Source 
fix: forbidden update user
This commit is contained in:
KubeSphere CI Bot
2020-07-09 18:28:47 +08:00
committed by GitHub
parent 013b89df4f 3c6ca85e30
commit b479195aea
2 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/controller/user/user_controller_test.go
View File

@@ -209,9 +209,7 @@ func checkAction(expected, actual core.Action, t *testing.T) {
func filterInformerActions(actions []core.Action) []core.Action {
var ret []core.Action
for _, action := range actions {
if action.Matches("list", "users") ||
action.Matches("list", "configmaps") ||
action.Matches("watch", "users") {
if !action.Matches("update", "users") {
continue
}
ret = append(ret, action)

16
pkg/kapis/iam/v1alpha2/handler.go
View File

@@ -533,7 +533,7 @@ func (h *iamHandler) ModifyPassword(request *restful.Request, response *restful.
_, err := h.im.Authenticate(username, passwordReset.CurrentPassword)
if err != nil {
if err == im.AuthFailedIncorrectPassword {
err = errors.NewForbidden(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularUser), username, err)
err = errors.NewBadRequest("incorrect old password")
klog.Warning(err)
handleError(request, response, err)
return
@@ -1173,6 +1173,17 @@ func (h *iamHandler) PatchClusterRole(request *restful.Request, response *restfu
}
func (h *iamHandler) updateGlobalRoleBinding(operator user.Info, user *iamv1alpha2.User, globalRole string) error {
oldGlobalRole, err := h.am.GetGlobalRoleOfUser(user.Name)
if err != nil && !errors.IsNotFound(err) {
klog.Error(err)
return err
}
if oldGlobalRole.Name == globalRole {
return nil
}
userManagement := authorizer.AttributesRecord{
Resource: iamv1alpha2.ResourcesPluralUser,
Verb: "update",
@@ -1186,7 +1197,8 @@ func (h *iamHandler) updateGlobalRoleBinding(operator user.Info, user *iamv1alph
return err
}
if decision != authorizer.DecisionAllow {
err = errors.NewForbidden(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularUser), user.Name, fmt.Errorf("update global role binding not allowed"))
err = errors.NewForbidden(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularUser),
user.Name, fmt.Errorf("update global role binding is not allowed"))
klog.Warning(err)
return err
}