From 261333779f7b6a65c78e2ff15b83797466618ac2 Mon Sep 17 00:00:00 2001
From: Min Min <37430175+jamsman94@users.noreply.github.com>
Date: Wed, 9 Aug 2023 17:21:43 +0800
Subject: [PATCH] fix panic bug & minor permission problem (#2936)
Signed-off-by: Min Min
Co-authored-by: Min Min
---
 pkg/microservice/aslan/core/build/handler/build.go | 12 +++---------
 pkg/microservice/aslan/core/build/handler/target.go | 8 ++------
 .../aslan/core/environment/handler/configmap.go | 7 +++++--
 .../aslan/core/environment/handler/environment.go | 12 +++---------
 .../aslan/core/environment/handler/image.go | 8 ++------
 .../aslan/core/environment/handler/ingress.go | 7 +++++--
 .../aslan/core/environment/handler/pvc.go | 7 +++++--
 .../aslan/core/environment/handler/renderset.go | 4 +---
 .../aslan/core/environment/handler/secret.go | 7 +++++--
 .../aslan/core/environment/handler/service.go | 8 ++------
 .../aslan/core/project/handler/product.go | 4 +---
 .../aslan/core/service/handler/service.go | 4 +---
 .../aslan/core/workflow/handler/workflow.go | 4 +---
 .../aslan/core/workflow/testing/handler/scanning.go | 4 +---
 .../aslan/core/workflow/testing/handler/testing.go | 4 +---
 .../picket/core/filter/handler/project.go | 4 +---
 16 files changed, 39 insertions(+), 65 deletions(-)
diff --git a/pkg/microservice/aslan/core/build/handler/build.go b/pkg/microservice/aslan/core/build/handler/build.go
index ead8d54e4..8a2143bed 100644
--- a/pkg/microservice/aslan/core/build/handler/build.go
+++ b/pkg/microservice/aslan/core/build/handler/build.go
@@ -81,9 +81,7 @@ func ListBuildModules(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 // first check if the user is projectAdmin
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
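Review bot: The system-admin / project-admin ladder rewritten here in ListBuildModules is repeated by hand in every `permitted` hunk of this commit (target.go, environment.go, image.go, renderset.go, service.go, product.go, workflow.go, scanning.go, testing.go), and the copies already differ in the local name (`projectAuthInfo` vs `projectedAuthInfo`). Authorization logic that is pasted per handler tends to drift, so a later permission fix can miss a copy. Consider moving the common part into one helper that takes the resources and the project key and reports whether admin rights already grant access, leaving each handler only its action-specific checks. The function body continues outside the hunk, so the remaining checks are not visible here.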
@@ -130,14 +128,10 @@ func ListBuildModulesByServiceModule(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if ctx.Resources.SystemActions.Template.Create ||
+ } else if ctx.Resources.SystemActions.Template.Create ||
 ctx.Resources.SystemActions.Template.Edit {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 // first check if the user is projectAdmin
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
diff --git a/pkg/microservice/aslan/core/build/handler/target.go b/pkg/microservice/aslan/core/build/handler/target.go
index ecab748c8..4c49559e1 100644
--- a/pkg/microservice/aslan/core/build/handler/target.go
+++ b/pkg/microservice/aslan/core/build/handler/target.go
@@ -46,9 +46,7 @@ func ListDeployTarget(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 // first check if the user is projectAdmin
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
@@ -94,9 +92,7 @@ func ListBuildModulesForProduct(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 if projectedAuthInfo.IsProjectAdmin {
 permitted = true
 }
diff --git a/pkg/microservice/aslan/core/environment/handler/configmap.go b/pkg/microservice/aslan/core/environment/handler/configmap.go
index 10c8319db..68de724d6 100644
--- a/pkg/microservice/aslan/core/environment/handler/configmap.go
+++ b/pkg/microservice/aslan/core/environment/handler/configmap.go
@@ -93,8 +93,11 @@ func ListProductionConfigMaps(c *gin.Context) {
 }
 if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin && !ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
- ctx.UnAuthorized = true
- return
+ permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)
+ if err != nil || !permitted {
+ ctx.UnAuthorized = true
+ return
+ }
 }
 }
diff --git a/pkg/microservice/aslan/core/environment/handler/environment.go b/pkg/microservice/aslan/core/environment/handler/environment.go
index 28e5a208e..b0170fc05 100644
--- a/pkg/microservice/aslan/core/environment/handler/environment.go
+++ b/pkg/microservice/aslan/core/environment/handler/environment.go
@@ -1511,9 +1511,7 @@ func updateMultiK8sEnv(c *gin.Context, request *service.UpdateEnvRequest, produc
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
 }
@@ -1567,9 +1565,7 @@ func updateMultiHelmEnv(c *gin.Context, request *service.UpdateEnvRequest, produ
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
 }
@@ -1625,9 +1621,7 @@ func updateMultiHelmChartEnv(c *gin.Context, request *service.UpdateEnvRequest,
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[request.ProjectName]; ok {
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
 }
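Review bot: In ListProductionConfigMaps the new fallback folds `err != nil` and `!permitted` into one `ctx.UnAuthorized = true` branch, so a failure inside `GetCollaborationModePermission` is indistinguishable from an ordinary denial for anyone reading the response or the logs. Failing closed is the right default, but the error should be recorded before returning, for example by giving it its own branch ahead of the denial check: `if err != nil { /* log err with the handler's logger */ ctx.UnAuthorized = true; return }`. The same fallback is added to ListProductionIngresses, ListProductionPvcs and ListProductionSecrets. The guard also indexes `ctx.Resources.ProjectAuthInfo[projectKey]` twice without the `, ok` form used elsewhere in this commit; whether a missing key is rejected earlier cannot be seen, because the function starts and ends outside the hunk.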
diff --git a/pkg/microservice/aslan/core/environment/handler/image.go b/pkg/microservice/aslan/core/environment/handler/image.go
index 3d342ca7b..9177162b2 100644
--- a/pkg/microservice/aslan/core/environment/handler/image.go
+++ b/pkg/microservice/aslan/core/environment/handler/image.go
@@ -120,9 +120,7 @@ func UpdateDeploymentContainerImage(c *gin.Context) {
 permitted := false
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
 }
@@ -189,9 +187,7 @@ func UpdateProductionDeploymentContainerImage(c *gin.Context) {
 permitted := false
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[args.ProductName]; ok {
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
 }
diff --git a/pkg/microservice/aslan/core/environment/handler/ingress.go b/pkg/microservice/aslan/core/environment/handler/ingress.go
index ab6f5a96d..b3544a1a1 100644
--- a/pkg/microservice/aslan/core/environment/handler/ingress.go
+++ b/pkg/microservice/aslan/core/environment/handler/ingress.go
@@ -89,8 +89,11 @@ func ListProductionIngresses(c *gin.Context) {
 }
 if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin && !ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
- ctx.UnAuthorized = true
- return
+ permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)
+ if err != nil || !permitted {
+ ctx.UnAuthorized = true
+ return
+ }
 }
 }
diff --git a/pkg/microservice/aslan/core/environment/handler/pvc.go b/pkg/microservice/aslan/core/environment/handler/pvc.go
index 038e86cce..7748b8fb0 100644
--- a/pkg/microservice/aslan/core/environment/handler/pvc.go
+++ b/pkg/microservice/aslan/core/environment/handler/pvc.go
@@ -89,8 +89,11 @@ func ListProductionPvcs(c *gin.Context) {
 }
 if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin && !ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
- ctx.UnAuthorized = true
- return
+ permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
+ if err != nil || !permitted {
+ ctx.UnAuthorized = true
+ return
+ }
 }
 }
diff --git a/pkg/microservice/aslan/core/environment/handler/renderset.go b/pkg/microservice/aslan/core/environment/handler/renderset.go
index bc2e9dfbd..a5bcaebbe 100644
--- a/pkg/microservice/aslan/core/environment/handler/renderset.go
+++ b/pkg/microservice/aslan/core/environment/handler/renderset.go
@@ -337,9 +337,7 @@ func GetGlobalVariables(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 if projectedAuthInfo.IsProjectAdmin {
 permitted = true
 }
diff --git a/pkg/microservice/aslan/core/environment/handler/secret.go b/pkg/microservice/aslan/core/environment/handler/secret.go
index 1e34a1bb1..ae8b9aded 100644
--- a/pkg/microservice/aslan/core/environment/handler/secret.go
+++ b/pkg/microservice/aslan/core/environment/handler/secret.go
@@ -89,8 +89,11 @@ func ListProductionSecrets(c *gin.Context) {
 }
 if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin && !ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
- ctx.UnAuthorized = true
- return
+ permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)
+ if err != nil || !permitted {
+ ctx.UnAuthorized = true
+ return
+ }
 }
 }
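Review bot: ListProductionPvcs passes `types.EnvActionView` to `GetCollaborationModePermission`, while the otherwise identical fallbacks added to ListProductionConfigMaps, ListProductionIngresses and ListProductionSecrets pass `types.ProductionEnvActionView`. If the two constants name different actions, a collaboration-mode grant for viewing ordinary environments would also open the production PVC listing, which looks unintended for a production handler. Unless the difference is deliberate, the call should end `…, envName, types.ProductionEnvActionView)`; if it is deliberate, a one-line comment saying why PVCs differ would save the next reader the same question. The handler's body begins and ends outside the hunk.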
diff --git a/pkg/microservice/aslan/core/environment/handler/service.go b/pkg/microservice/aslan/core/environment/handler/service.go
index aca83c8a1..e57585b84 100644
--- a/pkg/microservice/aslan/core/environment/handler/service.go
+++ b/pkg/microservice/aslan/core/environment/handler/service.go
@@ -59,9 +59,7 @@ func ListSvcsInEnv(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 if projectedAuthInfo.IsProjectAdmin {
 permitted = true
 }
@@ -162,9 +160,7 @@ func GetProductionService(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 if projectedAuthInfo.IsProjectAdmin {
 permitted = true
 }
diff --git a/pkg/microservice/aslan/core/project/handler/product.go b/pkg/microservice/aslan/core/project/handler/product.go
index 6cc94fa3c..b6d38bbba 100644
--- a/pkg/microservice/aslan/core/project/handler/product.go
+++ b/pkg/microservice/aslan/core/project/handler/product.go
@@ -491,9 +491,7 @@ func GetGlobalVariables(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 if projectedAuthInfo.IsProjectAdmin {
 permitted = true
 }
diff --git a/pkg/microservice/aslan/core/service/handler/service.go b/pkg/microservice/aslan/core/service/handler/service.go
index 2c2a5e68d..800ad5b14 100644
--- a/pkg/microservice/aslan/core/service/handler/service.go
+++ b/pkg/microservice/aslan/core/service/handler/service.go
@@ -151,9 +151,7 @@ func GetServiceTemplateOption(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectName]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectName]; ok {
 // first check if the user is projectAdmin
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
diff --git a/pkg/microservice/aslan/core/workflow/handler/workflow.go b/pkg/microservice/aslan/core/workflow/handler/workflow.go
index 6123272bf..3a0cc8be6 100644
--- a/pkg/microservice/aslan/core/workflow/handler/workflow.go
+++ b/pkg/microservice/aslan/core/workflow/handler/workflow.go
@@ -80,9 +80,7 @@ func AutoCreateWorkflow(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 // first check if the user is projectAdmin
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
diff --git a/pkg/microservice/aslan/core/workflow/testing/handler/scanning.go b/pkg/microservice/aslan/core/workflow/testing/handler/scanning.go
index a58024330..16bb2ab70 100644
--- a/pkg/microservice/aslan/core/workflow/testing/handler/scanning.go
+++ b/pkg/microservice/aslan/core/workflow/testing/handler/scanning.go
@@ -193,9 +193,7 @@ func ListScanningModule(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 // first check if the user is projectAdmin
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
diff --git a/pkg/microservice/aslan/core/workflow/testing/handler/testing.go b/pkg/microservice/aslan/core/workflow/testing/handler/testing.go
index 52847f2fe..4f2225658 100644
--- a/pkg/microservice/aslan/core/workflow/testing/handler/testing.go
+++ b/pkg/microservice/aslan/core/workflow/testing/handler/testing.go
@@ -205,9 +205,7 @@ func GetTestModule(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
+ } else if projectAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
 // first check if the user is projectAdmin
 if projectAuthInfo.IsProjectAdmin {
 permitted = true
diff --git a/pkg/microservice/picket/core/filter/handler/project.go b/pkg/microservice/picket/core/filter/handler/project.go
index 71c6ae989..bd179cebb 100644
--- a/pkg/microservice/picket/core/filter/handler/project.go
+++ b/pkg/microservice/picket/core/filter/handler/project.go
@@ -56,9 +56,7 @@ func CreateProject(c *gin.Context) {
 if ctx.Resources.IsSystemAdmin {
 permitted = true
- }
-
- if ctx.Resources.SystemActions.Project.Create {
+ } else if ctx.Resources.SystemActions.Project.Create {
 permitted = true
 }
-- GitLab