set extclient permission scope when rag vpn access is set

abhishek9686 2024-08-02 14:25:58 +05:30
parent a392980253
commit 43a0ca20d7
2 changed files with 50 additions and 4 deletions


@ -524,7 +524,7 @@ func createRole(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
return
}
err = proLogic.ValidateCreateRoleReq(userRole)
err = proLogic.ValidateCreateRoleReq(&userRole)
if err != nil {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
return
@ -559,7 +559,7 @@ func updateRole(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
return
}
err = proLogic.ValidateUpdateRoleReq(userRole)
err = proLogic.ValidateUpdateRoleReq(&userRole)
if err != nil {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
return
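Review bot: Passing `&userRole` at both call sites means a function named Validate… can now rewrite the role the handler goes on to use, and nothing at the call site says so. A one-line comment above each call would make the side effect visible, for example `// also fills in ext-client scopes when VPN access is granted; userRole may be modified`. Whether the mutated value is what gets stored cannot be seen here, since createRole and updateRole continue outside the hunks, so confirm that the persisted role is the one after validation.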


@ -205,7 +205,7 @@ func ListPlatformRoles() ([]models.UserRolePermissionTemplate, error) {
return userRoles, nil
}
func ValidateCreateRoleReq(userRole models.UserRolePermissionTemplate) error {
func ValidateCreateRoleReq(userRole *models.UserRolePermissionTemplate) error {
// check if role exists with this id
_, err := logic.GetRole(userRole.ID)
if err == nil {
@ -216,6 +216,29 @@ func ValidateCreateRoleReq(userRole models.UserRolePermissionTemplate) error {
if _, ok := models.RsrcTypeMap[rsrcType]; !ok {
return errors.New("invalid rsrc type " + rsrcType.String())
}
if rsrcType == models.RemoteAccessGwRsrc {
userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc]
var vpnAccess bool
for _, scope := range userRsrcPermissions {
if scope.VPNaccess {
vpnAccess = true
break
}
}
if vpnAccess {
userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{
models.AllExtClientsRsrcID: {
Read: true,
Create: true,
Update: true,
Delete: true,
SelfOnly: true,
},
}
}
}
}
}
if userRole.NetworkID == "" {
@ -224,7 +247,7 @@ func ValidateCreateRoleReq(userRole models.UserRolePermissionTemplate) error {
return nil
}
func ValidateUpdateRoleReq(userRole models.UserRolePermissionTemplate) error {
func ValidateUpdateRoleReq(userRole *models.UserRolePermissionTemplate) error {
roleInDB, err := logic.GetRole(userRole.ID)
if err != nil {
return err
@ -240,6 +263,29 @@ func ValidateUpdateRoleReq(userRole models.UserRolePermissionTemplate) error {
if _, ok := models.RsrcTypeMap[rsrcType]; !ok {
return errors.New("invalid rsrc type " + rsrcType.String())
}
if rsrcType == models.RemoteAccessGwRsrc {
userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc]
var vpnAccess bool
for _, scope := range userRsrcPermissions {
if scope.VPNaccess {
vpnAccess = true
break
}
}
if vpnAccess {
userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{
models.AllExtClientsRsrcID: {
Read: true,
Create: true,
Update: true,
Delete: true,
SelfOnly: true,
},
}
}
}
}
}
return nil