fix: workspace manage permission

Signed-off-by: hongming <talonwan@yunify.com>

pkg/models/iam/am.go

@@ -481,10 +481,13 @@ func GetUserWorkspaceSimpleRules(workspace, username string) ([]models.SimpleRul
 		return nil, err
 	}
 
-	if workspacesManager, err := policy.GetClusterAction("workspaces", "edit"); err == nil {
+	// workspace manager
-		if rulesMatchesAction(clusterRules, workspacesManager) {
+	if RulesMatchesRequired(clusterRules, rbacv1.PolicyRule{
-			return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
+		Verbs:     []string{"*"},
-		}
+		APIGroups: []string{"*"},
+		Resources: []string{"workspaces", "workspaces/*"},
+	}) {
+		return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
 	}
 
 	workspaceRole, err := GetUserWorkspaceRole(workspace, username)

pkg/models/iam/policy/policy.go

@@ -20,7 +20,6 @@ package policy
 
 import (
 	"encoding/json"
-	"fmt"
 	"io/ioutil"
 
 	"kubesphere.io/kubesphere/pkg/models"
@@ -60,7 +59,7 @@ var (
 		{Name: "workspaces",
 			Actions: []models.Action{
 				{
-					Name: "manager",
+					Name: "manage",
 					Rules: []v1.PolicyRule{
 						{
 							Verbs:     []string{"*"},
@@ -1084,16 +1083,3 @@ var (
 		},
 	}
 )
-
-func GetClusterAction(module, action string) (models.Action, error) {
-	for _, rule := range ClusterRoleRuleMapping {
-		if rule.Name == module {
-			for _, act := range rule.Actions {
-				if act.Name == action {
-					return act, nil
-				}
-			}
-		}
-	}
-	return models.Action{}, fmt.Errorf("not found")
-}