feat(api): relocate authorizations outside of JWT (#3079)

* feat(api): relocate authorizations outside of JWT * fix(api): update user authorization after enabling the RBAC extension * feat(api): add PortainerEndpointList operation in the default portainer authorizations * feat(auth): retrieve authorization from API instead of JWT * refactor(auth): move permissions retrieval to function * refactor(api): document authorizations methods
2025-07-23 15:29:42 +02:00 · 2019-09-10 10:58:26 +12:00 · 2019-09-10 10:58:26 +12:00 · 7d76bc89e7
commit 7d76bc89e7
parent 7ebb3e62dd
29 changed files with 472 additions and 303 deletions
--- a/api/http/handler/endpointgroups/endpointgroup_update.go
+++ b/api/http/handler/endpointgroups/endpointgroup_update.go
@ -53,12 +53,15 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 		endpointGroup.Tags = payload.Tags
 	}

+	updateAuthorizations := false
 	if payload.UserAccessPolicies != nil {
 		endpointGroup.UserAccessPolicies = payload.UserAccessPolicies
+		updateAuthorizations = true
 	}

 	if payload.TeamAccessPolicies != nil {
 		endpointGroup.TeamAccessPolicies = payload.TeamAccessPolicies
+		updateAuthorizations = true
 	}

 	err = handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup)
@ -66,5 +69,12 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint group changes inside the database", err}
 	}

+	if updateAuthorizations {
+		err = handler.AuthorizationService.UpdateUserAuthorizationsFromPolicies(&payload.UserAccessPolicies, &payload.TeamAccessPolicies)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
+		}
+	}
+
 	return response.JSON(w, endpointGroup)
 }