mirror of
https://github.com/portainer/portainer.git
synced 2025-07-22 06:49:40 +02:00
fix(access): support to list users or teams with specified endpoint [EE-1704] (#7610)
This commit is contained in:
Oscar Zhou
GitHub
parent
f71fe87ba7
commit
53025178ef
25 changed files with 632 additions and 61 deletions
|
|
@ -4,7 +4,9 @@ import (
|
|||
"net/http"
|
||||
|
||||
httperror "github.com/portainer/libhttp/error"
|
||||
"github.com/portainer/libhttp/request"
|
||||
"github.com/portainer/libhttp/response"
|
||||
portainer "github.com/portainer/portainer/api"
|
||||
"github.com/portainer/portainer/api/http/security"
|
||||
)
|
||||
|
||||
|
|
@ -18,6 +20,7 @@ import (
|
|||
// @security ApiKeyAuth
|
||||
// @security jwt
|
||||
// @produce json
|
||||
// @param environmentId query int false "Identifier of the environment(endpoint) that will be used to filter the authorized users"
|
||||
// @success 200 {array} portainer.User "Success"
|
||||
// @failure 400 "Invalid request"
|
||||
// @failure 500 "Server error"
|
||||
|
|
@ -33,11 +36,45 @@ func (handler *Handler) userList(w http.ResponseWriter, r *http.Request) *httper
|
|||
return httperror.InternalServerError("Unable to retrieve info from request context", err)
|
||||
}
|
||||
|
||||
filteredUsers := security.FilterUsers(users, securityContext)
|
||||
|
||||
for idx := range filteredUsers {
|
||||
hideFields(&filteredUsers[idx])
|
||||
availableUsers := security.FilterUsers(users, securityContext)
|
||||
for i := range availableUsers {
|
||||
hideFields(&availableUsers[i])
|
||||
}
|
||||
|
||||
return response.JSON(w, filteredUsers)
|
||||
endpointID, _ := request.RetrieveNumericQueryParameter(r, "environmentId", true)
|
||||
if endpointID == 0 {
|
||||
return response.JSON(w, availableUsers)
|
||||
}
|
||||
|
||||
// filter out users who do not have access to the specific endpoint
|
||||
endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
|
||||
if err != nil {
|
||||
return httperror.InternalServerError("Unable to retrieve endpoint from the database", err)
|
||||
}
|
||||
|
||||
endpointGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
|
||||
if err != nil {
|
||||
return httperror.InternalServerError("Unable to retrieve environment groups from the database", err)
|
||||
}
|
||||
|
||||
canAccessEndpoint := make([]portainer.User, 0)
|
||||
for _, user := range availableUsers {
|
||||
// the users who have the endpoint authorization
|
||||
if _, ok := user.EndpointAuthorizations[endpoint.ID]; ok {
|
||||
canAccessEndpoint = append(canAccessEndpoint, user)
|
||||
continue
|
||||
}
|
||||
|
||||
// the user inherits the endpoint access from team or environment group
|
||||
teamMemberships, err := handler.DataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
|
||||
if err != nil {
|
||||
return httperror.InternalServerError("Unable to retrieve team membership from the database", err)
|
||||
}
|
||||
|
||||
if security.AuthorizedEndpointAccess(endpoint, endpointGroup, user.ID, teamMemberships) {
|
||||
canAccessEndpoint = append(canAccessEndpoint, user)
|
||||
}
|
||||
}
|
||||
|
||||
return response.JSON(w, canAccessEndpoint)
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue