remove user role from policy types

2025-09-07 05:34:38 +08:00 · 2024-10-29 08:51:27 +04:00 · 2024-10-29 08:51:27 +04:00 · 2cc54d949c
commit 2cc54d949c
parent a954f87c9d
5 changed files with 7 additions and 70 deletions
--- a/controllers/acls.go
+++ b/controllers/acls.go
@ -44,7 +44,6 @@ func aclPolicyTypes(w http.ResponseWriter, r *http.Request) {
 		},
 		SrcGroupTypes: []models.AclGroupType{
 			models.UserAclID,
 			//models.UserRoleAclID,
 			models.UserGroupAclID,
 			models.DeviceAclID,
 		},
--- a/logic/acls.go
+++ b/logic/acls.go
@ -56,10 +56,6 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
 					ID:    models.UserGroupAclID,
 					Value: "*",
 				},
 				// {
 				// 	ID:    models.UserRoleAclID,
 				// 	Value: "*",
 				// },
 			},
 			Dst: []models.AclPolicyTag{{
 				ID:    models.DeviceAclID,
@ -175,9 +171,7 @@ func IsAclPolicyValid(acl models.Acl) bool {
 			if srcI.Value == "*" {
 				continue
 			}
-			if srcI.ID != models.UserAclID {
+			if srcI.ID != models.UserAclID && srcI.ID != models.UserGroupAclID {
 				// &&	srcI.ID != models.UserGroupAclID && srcI.ID != models.UserRoleAclID
 				return false
 			}
 			// check if user group is valid
@ -186,12 +180,6 @@ func IsAclPolicyValid(acl models.Acl) bool {
 				if err != nil {
 					return false
 				}
 				// } else if srcI.ID == models.UserRoleAclID {
 				// 	_, err := GetRole(models.UserRoleID(srcI.Value))
 				// 	if err != nil {
 				// 		return false
 				// 	}
 			} else if srcI.ID == models.UserGroupAclID {
 				err := IsGroupValid(models.UserGroupID(srcI.Value))
--- a/models/acl.go
+++ b/models/acl.go
@ -44,9 +44,8 @@ type AclPolicyTag struct {
 type AclGroupType string
 const (
-	UserAclID      AclGroupType = "user"
+	UserAclID                AclGroupType = "user"
-	UserGroupAclID AclGroupType = "user-group"
+	UserGroupAclID           AclGroupType = "user-group"
 	//UserRoleAclID            AclGroupType = "user-role"
 	DeviceAclID              AclGroupType = "tag"
 	NetmakerIPAclID          AclGroupType = "ip"
 	NetmakerSubNetRangeAClID AclGroupType = "ipset"
--- a/pro/controllers/users.go
+++ b/pro/controllers/users.go
@ -834,7 +834,7 @@ func getUserRemoteAccessNetworks(w http.ResponseWriter, r *http.Request) {
 	userGws := make(map[string][]models.UserRemoteGws)
 	networks := []models.Network{}
 	networkMap := make(map[string]struct{})
-	userGwNodes := proLogic.GetUserRAGNodes(*user)
+	userGwNodes := proLogic.GetUserRAGNodesV1(*user)
 	for _, node := range userGwNodes {
 		network, err := logic.GetNetwork(node.Network)
 		if err != nil {
@ -876,7 +876,7 @@ func getUserRemoteAccessNetworkGateways(w http.ResponseWriter, r *http.Request)
 	}
 	userGws := []models.UserRAGs{}
-	userGwNodes := proLogic.GetUserRAGNodes(*user)
+	userGwNodes := proLogic.GetUserRAGNodesV1(*user)
 	for _, node := range userGwNodes {
 		if node.Network != network {
 			continue
@ -931,7 +931,7 @@ func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	userGwNodes := proLogic.GetUserRAGNodes(*user)
+	userGwNodes := proLogic.GetUserRAGNodesV1(*user)
 	if _, ok := userGwNodes[remoteGwID]; !ok {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("access denied"), "forbidden"))
 		return
@ -1075,7 +1075,7 @@ func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return
 	}
-	userGwNodes := proLogic.GetUserRAGNodes(*user)
+	userGwNodes := proLogic.GetUserRAGNodesV1(*user)
 	for _, extClient := range allextClients {
 		node, ok := userGwNodes[extClient.IngressGatewayID]
 		if !ok {
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
@ -1140,55 +1140,6 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 	if netID.String() == "" {
 		return
 	}
 	// if !logic.IsAclExists(models.AclID(fmt.Sprintf("%s.%s", netID, models.NetworkAdmin))) {
 	// 	defaultUserAcl := models.Acl{
 	// 		ID:        models.AclID(fmt.Sprintf("%s.%s", netID, models.NetworkAdmin)),
 	// 		Name:      models.NetworkAdmin.String(),
 	// 		Default:   true,
 	// 		NetworkID: netID,
 	// 		RuleType:  models.UserPolicy,
 	// 		Src: []models.AclPolicyTag{
 	// 			{
 	// 				ID:    models.UserRoleAclID,
 	// 				Value: fmt.Sprintf("%s-%s", netID, models.NetworkAdmin),
 	// 			}},
 	// 		Dst: []models.AclPolicyTag{
 	// 			{
 	// 				ID:    models.DeviceAclID,
 	// 				Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 	// 			},
 	// 		},
 	// 		AllowedDirection: models.TrafficDirectionUni,
 	// 		Enabled:          true,
 	// 		CreatedBy:        "auto",
 	// 		CreatedAt:        time.Now().UTC(),
 	// 	}
 	// 	logic.InsertAcl(defaultUserAcl)
 	// }
 	// if !logic.IsAclExists(models.AclID(fmt.Sprintf("%s.%s", netID, models.NetworkUser))) {
 	// 	defaultUserAcl := models.Acl{
 	// 		ID:        models.AclID(fmt.Sprintf("%s.%s", netID, models.NetworkUser)),
 	// 		Name:      models.NetworkUser.String(),
 	// 		Default:   true,
 	// 		NetworkID: netID,
 	// 		RuleType:  models.UserPolicy,
 	// 		Src: []models.AclPolicyTag{
 	// 			{
 	// 				ID:    models.UserRoleAclID,
 	// 				Value: fmt.Sprintf("%s-%s", netID, models.NetworkUser),
 	// 			}},
 	// 		Dst: []models.AclPolicyTag{
 	// 			{
 	// 				ID:    models.DeviceAclID,
 	// 				Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 	// 			}},
 	// 		AllowedDirection: models.TrafficDirectionUni,
 	// 		Enabled:          true,
 	// 		CreatedBy:        "auto",
 	// 		CreatedAt:        time.Now().UTC(),
 	// 	}
 	// 	logic.InsertAcl(defaultUserAcl)
 	// }
 	if !logic.IsAclExists(models.AclID(fmt.Sprintf("%s.%s-grp", netID, models.NetworkAdmin))) {
 		defaultUserAcl := models.Acl{