fix(rbac): use team ids to get namespace access [r8s-154] (#209)

2025-07-19 05:19:39 +02:00 · 2024-12-05 17:29:45 +13:00 · 2024-12-05 17:29:45 +13:00 · 5d4d3888b8
commit 5d4d3888b8
parent 473084e915
2 changed files with 13 additions and 3 deletions
--- a/api/kubernetes/cli/access.go
+++ b/api/kubernetes/cli/access.go
@ -124,7 +124,7 @@ func (kcl *KubeClient) UpdateNamespaceAccessPolicies(accessPolicies map[string]p
 }

 // GetNonAdminNamespaces retrieves namespaces for a non-admin user, excluding the default namespace if restricted.
-func (kcl *KubeClient) GetNonAdminNamespaces(userID int, isRestrictDefaultNamespace bool) ([]string, error) {
+func (kcl *KubeClient) GetNonAdminNamespaces(userID int, teamIDs []int, isRestrictDefaultNamespace bool) ([]string, error) {
 	accessPolicies, err := kcl.GetNamespaceAccessPolicies()
 	if err != nil {
 		return nil, fmt.Errorf("an error occurred during the getNonAdminNamespaces operation, unable to get namespace access policies via portainer-config. check if portainer-config configMap exists in the Kubernetes cluster: %w", err)
@ -136,7 +136,7 @@ func (kcl *KubeClient) GetNonAdminNamespaces(userID int, isRestrictDefaultNamesp
 	}

 	for namespace, accessPolicy := range accessPolicies {
-		if hasUserAccessToNamespace(userID, nil, accessPolicy) {
+		if hasUserAccessToNamespace(userID, teamIDs, accessPolicy) {
 			nonAdminNamespaces = append(nonAdminNamespaces, namespace)
 		}
 	}