fix: workspace manage permission

Signed-off-by: N hongming <talonwan@yunify.com>

fix: workspace manage permission
Signed-off-by: N hongming <talonwan@yunify.com>
ed5e1c53 · hongming · zryfish · 8268c969 · ed5e1c53 · ed5e1c53
隐藏空白更改
内联并排

Showing with 8 addition and 19 deletion

pkg/models/iam/am.go pkg/models/iam/am.go +7 -4

pkg/models/iam/policy/policy.go pkg/models/iam/policy/policy.go +1 -15

未找到文件。
--- a/pkg/models/iam/am.go
+++ b/pkg/models/iam/am.go
@@ -481,10 +481,13 @@ func GetUserWorkspaceSimpleRules(workspace, username string) ([]models.SimpleRul
 		return nil, err
 	}

-	if workspacesManager, err := policy.GetClusterAction("workspaces", "edit"); err == nil {
-		if rulesMatchesAction(clusterRules, workspacesManager) {
-			return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
-		}
+	// workspace manager
+	if RulesMatchesRequired(clusterRules, rbacv1.PolicyRule{
+		Verbs:     []string{"*"},
+		APIGroups: []string{"*"},
+		Resources: []string{"workspaces", "workspaces/*"},
+	}) {
+		return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
 	}

 	workspaceRole, err := GetUserWorkspaceRole(workspace, username)

--- a/pkg/models/iam/policy/policy.go
+++ b/pkg/models/iam/policy/policy.go
@@ -20,7 +20,6 @@ package policy

 import (
 	"encoding/json"
-	"fmt"
 	"io/ioutil"

 	"kubesphere.io/kubesphere/pkg/models"
@@ -60,7 +59,7 @@ var (
 		{Name: "workspaces",
 			Actions: []models.Action{
 				{
-					Name: "manager",
+					Name: "manage",
 					Rules: []v1.PolicyRule{
 						{
 							Verbs:     []string{"*"},
@@ -1084,16 +1083,3 @@ var (
 		},
 	}
 )
-
-func GetClusterAction(module, action string) (models.Action, error) {
-	for _, rule := range ClusterRoleRuleMapping {
-		if rule.Name == module {
-			for _, act := range rule.Actions {
-				if act.Name == action {
-					return act, nil
-				}
-			}
-		}
-	}
-	return models.Action{}, fmt.Errorf("not found")
-}