|
|
|
@ -38,18 +38,17 @@ func (a *AccessControl) Evaluate(ctx context.Context, user identity.Requester, e |
|
|
|
|
return false, nil |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
namespace, identifier := user.GetNamespacedID() |
|
|
|
|
|
|
|
|
|
// If the user is in no organization, then the evaluation must happen based on the user's global permissions
|
|
|
|
|
permissions := user.GetPermissions() |
|
|
|
|
if user.GetOrgID() == accesscontrol.NoOrgID { |
|
|
|
|
permissions = user.GetGlobalPermissions() |
|
|
|
|
} |
|
|
|
|
if len(permissions) == 0 { |
|
|
|
|
a.log.Debug("No permissions set for entity", "namespace", namespace, "id", identifier, "orgID", user.GetOrgID(), "login", user.GetLogin()) |
|
|
|
|
a.debug(ctx, user, "No permissions set", evaluator) |
|
|
|
|
return false, nil |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
a.debug(ctx, user, "Evaluating permissions", evaluator) |
|
|
|
|
// Test evaluation without scope resolver first, this will prevent 403 for wildcard scopes when resource does not exist
|
|
|
|
|
if evaluator.Evaluate(permissions) { |
|
|
|
|
return true, nil |
|
|
|
@ -63,9 +62,15 @@ func (a *AccessControl) Evaluate(ctx context.Context, user identity.Requester, e |
|
|
|
|
return false, err |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
a.debug(ctx, user, "Evaluating resolved permissions", resolvedEvaluator) |
|
|
|
|
return resolvedEvaluator.Evaluate(permissions), nil |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func (a *AccessControl) RegisterScopeAttributeResolver(prefix string, resolver accesscontrol.ScopeAttributeResolver) { |
|
|
|
|
a.resolvers.AddScopeAttributeResolver(prefix, resolver) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func (a *AccessControl) debug(ctx context.Context, ident identity.Requester, msg string, eval accesscontrol.Evaluator) { |
|
|
|
|
namespace, id := ident.GetNamespacedID() |
|
|
|
|
a.log.FromContext(ctx).Debug(msg, "namespace", namespace, "id", id, "orgID", ident.GetOrgID(), eval.GoString()) |
|
|
|
|
} |
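Review bot: The new `debug` helper at the end of the hunk passes `eval.GoString()` as a trailing argument with no key, so the log call receives an odd number of key/value elements after the message; given the pairing convention the other calls on the page use (`"namespace", namespace, "id", id, …`), the evaluator text would be treated as a key with a missing value rather than logged as the evaluator. Change the last argument to a pair: `a.log.FromContext(ctx).Debug(msg, "namespace", namespace, "id", id, "orgID", ident.GetOrgID(), "evaluator", eval.GoString())`. Note also that `eval.GoString()` is built on every call to `debug`, which `Evaluate` now invokes up to three times per authorization check regardless of whether debug logging is enabled; if the logger exposes a level check, guarding the call or building the string lazily would keep that cost off the hot path. The body of `Evaluate` in the first hunk starts before that hunk, so I cannot tell whether the older `a.log.Debug("No permissions set for entity", …)` line survives next to the new `a.debug(ctx, user, "No permissions set", evaluator)` call; if both remain on the new side, the same event is logged twice with different field sets.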
|
|
|
|