fix(access): support to list users or teams with specified endpoint [EE-1704] (#7610)

api/http/security/authorization.go

@@ -113,10 +113,10 @@ func AuthorizedIsAdmin(context *RestrictedRequestContext) bool {
 	return context.IsAdmin
 }
 
-// authorizedEndpointAccess ensure that the user can access the specified environment(endpoint).
+// AuthorizedEndpointAccess ensure that the user can access the specified environment(endpoint).
 // It will check if the user is part of the authorized users or part of a team that is
 // listed in the authorized teams of the environment(endpoint) and the associated group.
-func authorizedEndpointAccess(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+func AuthorizedEndpointAccess(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
 	groupAccess := AuthorizedAccess(userID, memberships, endpointGroup.UserAccessPolicies, endpointGroup.TeamAccessPolicies)
 	if !groupAccess {
 		return AuthorizedAccess(userID, memberships, endpoint.UserAccessPolicies, endpoint.TeamAccessPolicies)

api/http/security/bouncer.go

@@ -126,7 +126,7 @@ func (bouncer *RequestBouncer) AuthorizedEndpointOperation(r *http.Request, endp
 		return err
 	}
 
-	if !authorizedEndpointAccess(endpoint, group, tokenData.ID, memberships) {
+	if !AuthorizedEndpointAccess(endpoint, group, tokenData.ID, memberships) {
 		return httperrors.ErrEndpointAccessDenied
 	}
 

api/http/security/filter.go

@@ -7,21 +7,21 @@ import (
 // FilterUserTeams filters teams based on user role.
 // non-administrator users only have access to team they are member of.
 func FilterUserTeams(teams []portainer.Team, context *RestrictedRequestContext) []portainer.Team {
-	filteredTeams := teams
+	if context.IsAdmin {
+		return teams
+	}
 
-	if !context.IsAdmin {
-		filteredTeams = make([]portainer.Team, 0)
-		for _, membership := range context.UserMemberships {
-			for _, team := range teams {
-				if team.ID == membership.TeamID {
-					filteredTeams = append(filteredTeams, team)
-					break
-				}
+	teamsAccessableToUser := make([]portainer.Team, 0)
+	for _, membership := range context.UserMemberships {
+		for _, team := range teams {
+			if team.ID == membership.TeamID {
+				teamsAccessableToUser = append(teamsAccessableToUser, team)
+				break
 			}
 		}
 	}
 
-	return filteredTeams
+	return teamsAccessableToUser
 }
 
 // FilterLeaderTeams filters teams based on user role.
@@ -52,19 +52,18 @@ func FilterLeaderTeams(teams []portainer.Team, context *RestrictedRequestContext
 // FilterUsers filters users based on user role.
 // Non-administrator users only have access to non-administrator users.
 func FilterUsers(users []portainer.User, context *RestrictedRequestContext) []portainer.User {
-	filteredUsers := users
+	if context.IsAdmin {
+		return users
+	}
 
-	if !context.IsAdmin {
-		filteredUsers = make([]portainer.User, 0)
-
-		for _, user := range users {
-			if user.Role != portainer.AdministratorRole {
-				filteredUsers = append(filteredUsers, user)
-			}
+	nonAdmins := make([]portainer.User, 0)
+	for _, user := range users {
+		if user.Role != portainer.AdministratorRole {
+			nonAdmins = append(nonAdmins, user)
 		}
 	}
 
-	return filteredUsers
+	return nonAdmins
 }
 
 // FilterRegistries filters registries based on user role and team memberships.
@@ -96,7 +95,7 @@ func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.Endpoint
 		for _, endpoint := range endpoints {
 			endpointGroup := getAssociatedGroup(&endpoint, groups)
 
-			if authorizedEndpointAccess(&endpoint, endpointGroup, context.UserID, context.UserMemberships) {
+			if AuthorizedEndpointAccess(&endpoint, endpointGroup, context.UserID, context.UserMemberships) {
 				filteredEndpoints = append(filteredEndpoints, endpoint)
 			}
 		}