diff --git a/internal/dao/common.go b/internal/dao/common.go
index 58bf7f0..e20e8f7 100644
--- a/internal/dao/common.go
+++ b/internal/dao/common.go
@@ -244,6 +244,8 @@ func ListFiltered(ctx context.Context, db bun.IDB,
 if organizationId.Valid {
 sq = sq.Where("organization_id = ?", organizationId)
 }
+ //TODO: to be uncommented after fixing the test case
+ //sq = sq.Where("trash = ?", false)
 if orderBy != "" && order != "" {
 sq.Order(orderBy + " " + order)
 }
diff --git a/pkg/service/user.go b/pkg/service/user.go
index aea29c5..3b6521e 100644
--- a/pkg/service/user.go
+++ b/pkg/service/user.go
@@ -114,6 +114,10 @@ func (s *userService) createUserRoleRelations(ctx context.Context, db bun.IDB, u
 var ps []*authzv1.Policy
 var rids []uuid.UUID
 for _, pnr := range projectNamespaceRoles {
+ //if this is derived from group, do not persist a direct project resource role assoc
+ if len(pnr.GetGroup()) > 0 {
+ continue
+ }
 role := pnr.GetRole()
 entity, err := dao.GetByName(ctx, db, role, &models.Role{})
 if err != nil {
@@ -400,7 +404,6 @@ func (s *userService) identitiesModelToUser(ctx context.Context, db bun.IDB, use
 return &userv3.User{}, err
 }
 roles = append(roles, allAssociatedRoles...)
-
 user.ApiVersion = apiVersion
 user.Kind = userKind
 user.Metadata = &v3.Metadata{
diff --git a/scripts/initialize/permissions/base/role_read.json b/scripts/initialize/permissions/base/role_read.json
index e1a4266..9064545 100644
--- a/scripts/initialize/permissions/base/role_read.json
+++ b/scripts/initialize/permissions/base/role_read.json
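Review bot: Commenting out the `trash = ?` filter means ListFiltered now returns soft-deleted rows to every caller of this shared DAO list path, so entities that were "deleted" through the API (presumably roles, users and whatever else lists through here) reappear in listings and can be selected again until the TODO is resolved. Disabling a filter to get a test green is a regression in the production path; fix the fixture instead (seed `trash: false`, or assert against the filtered set) and keep `sq = sq.Where("trash = ?", false)` active. If it must stay disabled for now, the TODO should name the tracking issue and which callers depend on trashed rows being hidden, so the gap is visible to the next reader. ListFiltered's body starts and ends outside the hunk.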
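Review bot: The new `continue` silently drops every projectNamespaceRole that carries a group, so a caller who submits group-backed entries gets neither an error nor a persisted association, and whatever consumes `ps` and `rids` after the loop never learns about the gap. If group-derived entries can reach this function from request input rather than only from an internal group expansion, an explicit rejection (`return fmt.Errorf("group-derived role %q cannot be assigned directly to a user", pnr.GetRole())` or similar) is safer than a skip; if they are internal only, say so next to the check, e.g. `// group-derived roles are granted through group membership; never write them as direct user-role rows`. Stylistically, if Group is a string, `pnr.GetGroup() != ""` reads more directly than `len(pnr.GetGroup()) > 0`. createUserRoleRelations' body continues past the hunk.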
@@ -2,20 +2,20 @@
 "name": "role.read",
 "resource_urls": [
 {
- "url": "",
+ "url": "/roles",
 "methods": [
 "GET"
 ]
 },
 {
- "url": "/:metadata.name",
+ "url": "/role/:metadata.name",
 "methods": [
 "GET"
 ]
 }
 ],
 "resource_action_urls": [],
- "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization/roles",
+ "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization",
 "description": "view roles.",
 "authenticated": true,
 "scope": "ORGANIZATION"
diff --git a/scripts/initialize/permissions/base/role_write.json b/scripts/initialize/permissions/base/role_write.json
index 1dc0ab3..f3c73a7 100644
--- a/scripts/initialize/permissions/base/role_write.json
+++ b/scripts/initialize/permissions/base/role_write.json
@@ -2,13 +2,13 @@
 "name": "role.write",
 "resource_urls": [
 {
- "url": "",
+ "url": "/roles",
 "methods": [
 "POST"
 ]
 },
 {
- "url": "/:metadata.name",
+ "url": "/role/:metadata.name",
 "methods": [
 "PUT",
 "DELETE"
@@ -16,7 +16,7 @@
 }
 ],
 "resource_action_urls": [],
- "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization/roles",
+ "base_url": "/auth/v3/partner/:metadata.partner/organization/:metadata.organization",
 "description": "create, manage roles.",
 "authenticated": true,
 "scope": "ORGANIZATION"
diff --git a/scripts/initialize/roles/ztka/roles.json b/scripts/initialize/roles/ztka/roles.json
index 8f84747..1c7fa7f 100644
--- a/scripts/initialize/roles/ztka/roles.json
+++ b/scripts/initialize/roles/ztka/roles.json
@@ -68,6 +68,7 @@
 "PROJECT_ADMIN": [
 "console.all",
 "partner.read",
+ "organization.read",
 "project.admin.write",
 "project.auditLog.read",
 "project.relayAudit.read",
@@ -84,6 +85,7 @@
 "PROJECT_READ_ONLY": [
 "console.all",
 "partner.read",
+ "organization.read",
 "project.read",
 "project.auditLog.read",
 "project.relayAudit.read",
@@ -97,6 +99,7 @@
 "CLUSTER_ADMIN": [
 "console.all",
 "partner.read",
+ "organization.read",
 "project.read",
 "project.auditLog.read",
 "project.relayAudit.read",
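Review bot: The single-resource URL for role.read moves from `/roles/:metadata.name` to `/role/:metadata.name` (and role.write does the same for PUT/DELETE in the next file), so these permission records only work if the gateway actually registers the singular `/role/...` route; if the handler is still mounted at `/roles/:name`, the authorizer will see an unmatched path and its default decides whether those requests are denied outright or, worse, let through. Confirm the new paths against the route registration for the role service, and make sure the enumerated `GET /roles` list endpoint is not also reachable under the old `.../roles` base that this commit drops from `base_url`. Because these files seed permissions at initialization, an existing deployment also needs the old records replaced, not merely the new ones added, or stale matches on the old URLs persist.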
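Review bot: Adding `"organization.read"` to PROJECT_READ_ONLY (and, in the adjacent hunks, to PROJECT_ADMIN and CLUSTER_ADMIN) gives project-scoped roles a permission whose scope is the organization, so a read-only project member can now call every endpoint that permission covers, not only the ones tied to their project, unless the authorizer further constrains the organization by membership. Before merging, check the organization.read permission definition to confirm it exposes only the organization record itself and not org-wide user, group or role listings; if the console only needs the organization lookup, a narrower permission covering just that GET would preserve least privilege. This widening applies to three roles at once, so it deserves a sentence in the commit message explaining which UI flow needs it.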