From 3c6ca85e3014798c6b52764bb9b4c71306eafe0e Mon Sep 17 00:00:00 2001
From: hongming
Date: Thu, 9 Jul 2020 17:49:28 +0800
Subject: [PATCH] fix: forbidden update user

Signed-off-by: hongming
---
 pkg/controller/user/user_controller_test.go | 4 +---
 pkg/kapis/iam/v1alpha2/handler.go | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/pkg/controller/user/user_controller_test.go b/pkg/controller/user/user_controller_test.go
index 7018fb89a..ce7ed4773 100644
--- a/pkg/controller/user/user_controller_test.go
+++ b/pkg/controller/user/user_controller_test.go
@@ -209,9 +209,7 @@ func checkAction(expected, actual core.Action, t *testing.T) {
 func filterInformerActions(actions []core.Action) []core.Action {
 	var ret []core.Action
 	for _, action := range actions {
-		if action.Matches("list", "users") ||
-			action.Matches("list", "configmaps") ||
-			action.Matches("watch", "users") {
+		if !action.Matches("update", "users") {
 			continue
 		}
 		ret = append(ret, action)
diff --git a/pkg/kapis/iam/v1alpha2/handler.go b/pkg/kapis/iam/v1alpha2/handler.go
index 20ca3fcfc..89c3a1102 100644
--- a/pkg/kapis/iam/v1alpha2/handler.go
+++ b/pkg/kapis/iam/v1alpha2/handler.go
@@ -533,7 +533,7 @@ func (h *iamHandler) ModifyPassword(request *restful.Request, response *restful.
 	_, err := h.im.Authenticate(username, passwordReset.CurrentPassword)
 	if err != nil {
 		if err == im.AuthFailedIncorrectPassword {
-			err = errors.NewForbidden(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularUser), username, err)
+			err = errors.NewBadRequest("incorrect old password")
 			klog.Warning(err)
 			handleError(request, response, err)
 			return
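Review bot: The new condition in filterInformerActions keeps only update actions on users, so any unexpected create, delete or patch the controller issues is silently dropped before checkAction sees it and the test can no longer catch it; the previous form excluded only the known read actions and let every write through. If the goal is to concentrate the assertions on updates, an explicit allow list of the write verbs the controller is expected to issue keeps that coverage, e.g. `if !(action.Matches("update", "users") || action.Matches("create", "users") || action.Matches("delete", "users")) {` (verbs to be confirmed against the controller). The closing lines of filterInformerActions are outside the hunk.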
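Review bot: The replacement error in ModifyPassword no longer carries the username that the removed NewForbidden call included, so the `klog.Warning(err)` on the following line now records only "incorrect old password" with nothing to say which account the failed attempt targeted, which makes repeated wrong-password attempts hard to attribute from the logs. Keep the response as it is but give the log line its subject, e.g. `klog.Warningf("password change for user %q rejected: %v", username, err)`. The original `im.AuthFailedIncorrectPassword` cause is also dropped rather than wrapped; if anything downstream matches on it, include it in the new error's message. ModifyPassword starts and ends outside the hunk.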
@@ -1173,6 +1173,17 @@ func (h *iamHandler) PatchClusterRole(request *restful.Request, response *restfu
 }
 
 func (h *iamHandler) updateGlobalRoleBinding(operator user.Info, user *iamv1alpha2.User, globalRole string) error {
+
+	oldGlobalRole, err := h.am.GetGlobalRoleOfUser(user.Name)
+	if err != nil && !errors.IsNotFound(err) {
+		klog.Error(err)
+		return err
+	}
+
+	if oldGlobalRole.Name == globalRole {
+		return nil
+	}
+
 	userManagement := authorizer.AttributesRecord{
 		Resource: iamv1alpha2.ResourcesPluralUser,
 		Verb: "update",
@@ -1186,7 +1197,8 @@ func (h *iamHandler) updateGlobalRoleBinding(operator user.Info, user *iamv1alph
 		return err
 	}
 	if decision != authorizer.DecisionAllow {
-		err = errors.NewForbidden(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularUser), user.Name, fmt.Errorf("update global role binding not allowed"))
+		err = errors.NewForbidden(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularUser),
+			user.Name, fmt.Errorf("update global role binding is not allowed"))
 		klog.Warning(err)
 		return err
 	}
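Review bot: The early `return nil` added at the top of updateGlobalRoleBinding runs before the authorization check on `userManagement` (the `decision != authorizer.DecisionAllow` branch in the next hunk), so an operator the authorizer would reject now receives success whenever the requested global role already matches the user's current one, and the success-versus-forbidden difference discloses that user's current role. Move the `oldGlobalRole.Name == globalRole` comparison below the `DecisionAllow` check so authorization is evaluated on every call, whether or not the binding would change. Separately, the `errors.IsNotFound(err)` case falls through to `oldGlobalRole.Name`; if GetGlobalRoleOfUser returns a nil pointer on not-found (its signature is not in the hunk), that line dereferences nil, so guard it with `if oldGlobalRole != nil && oldGlobalRole.Name == globalRole {`. The function body continues past the hunk.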