Merge pull request #121 from RafayLabs/few-fixes

fixes for permissions and user group assoc
2026-05-10 18:36:49 +00:00 · 2022-04-26 21:34:09 +05:30
parent 8e5e36b6cf 33f3d9337b
commit d908aef6bf
5 changed files with 15 additions and 7 deletions
--- a/internal/dao/common.go
+++ b/internal/dao/common.go
@@ -244,6 +244,8 @@ func ListFiltered(ctx context.Context, db bun.IDB,
 	if organizationId.Valid {
 		sq = sq.Where("organization_id = ?", organizationId)
 	}
+	//TODO: to be uncommented after fixing the test case
+	//sq = sq.Where("trash = ?", false)
 	if orderBy != "" && order != "" {
 		sq.Order(orderBy + " " + order)
 	}
--- a/pkg/service/user.go
+++ b/pkg/service/user.go
@@ -114,6 +114,10 @@ func (s *userService) createUserRoleRelations(ctx context.Context, db bun.IDB, u
 	var ps []*authzv1.Policy
 	var rids []uuid.UUID
 	for _, pnr := range projectNamespaceRoles {
+		//if this is derived from group, do not persist a direct project resource role assoc
+		if len(pnr.GetGroup()) > 0 {
+			continue
+		}
 		role := pnr.GetRole()
 		entity, err := dao.GetByName(ctx, db, role, &models.Role{})
 		if err != nil {
@@ -400,7 +404,6 @@ func (s *userService) identitiesModelToUser(ctx context.Context, db bun.IDB, use
 		return &userv3.User{}, err
 	}
 	roles = append(roles, allAssociatedRoles...)
-
 	user.ApiVersion = apiVersion
 	user.Kind = userKind
 	user.Metadata = &v3.Metadata{
--- a/scripts/initialize/permissions/base/role_read.json
+++ b/scripts/initialize/permissions/base/role_read.json
@@ -2,20 +2,20 @@
  "name": "role.read",
  "resource_urls": [
    {
-      "url": "",
+      "url": "/roles",
      "methods": [
        "GET"
      ]
    },
    {
-      "url": "/:metadata.name",
+      "url": "/role/:metadata.name",
      "methods": [
        "GET"
      ]
    }
  ],
  "resource_action_urls": [],
-  "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization/roles",
+  "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization",
  "description": "view roles.",
  "authenticated": true,
  "scope": "ORGANIZATION"
--- a/scripts/initialize/permissions/base/role_write.json
+++ b/scripts/initialize/permissions/base/role_write.json
@@ -2,13 +2,13 @@
  "name": "role.write",
  "resource_urls": [
    {
-      "url": "",
+      "url": "/roles",
      "methods": [
        "POST"
      ]
    },
    {
-      "url": "/:metadata.name",
+      "url": "/role/:metadata.name",
      "methods": [
        "PUT",
        "DELETE"
@@ -16,7 +16,7 @@
    }
  ],
  "resource_action_urls": [],
-  "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization/roles",
+  "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization",
  "description": "create, manage roles.",
  "authenticated": true,
  "scope": "ORGANIZATION"
--- a/scripts/initialize/roles/ztka/roles.json
+++ b/scripts/initialize/roles/ztka/roles.json
@@ -68,6 +68,7 @@
        "PROJECT_ADMIN": [
            "console.all",
            "partner.read",
+            "organization.read",
            "project.admin.write",
            "project.auditLog.read",
            "project.relayAudit.read",
@@ -84,6 +85,7 @@
        "PROJECT_READ_ONLY": [
            "console.all",
            "partner.read",
+            "organization.read",
            "project.read",
            "project.auditLog.read",
            "project.relayAudit.read",
@@ -97,6 +99,7 @@
        "CLUSTER_ADMIN": [
            "console.all",
            "partner.read",
+            "organization.read",
            "project.read",
            "project.auditLog.read",
            "project.relayAudit.read",