mirror of https://github.com/rancher/norman.git synced 2025-09-04 08:45:22 +00:00

Distinguish between listing and getting

We now have resources (subtypes of authConfig) that can be retrieved
by ID but whose collections are not viewable. This change is needed
to support that.
Craig Jellick
2018-01-31 19:14:35 -07:00
parent 536d36c706
commit 65807e9372
5 changed files with 24 additions and 6 deletions


@@ -186,26 +186,32 @@ func (s *Server) handle(rw http.ResponseWriter, req *http.Request) (*types.APICo
if apiRequest.Link == "" { if apiRequest.Link == "" {
switch apiRequest.Method { switch apiRequest.Method {
case http.MethodGet: case http.MethodGet:
if !apiRequest.AccessControl.CanList(apiRequest, apiRequest.Schema) { if apiRequest.ID == "" {
return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not list "+apiRequest.Schema.Type) if !apiRequest.AccessControl.CanList(apiRequest, apiRequest.Schema) {
return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not list "+apiRequest.Schema.ID)
}
} else {
if !apiRequest.AccessControl.CanGet(apiRequest, apiRequest.Schema) {
return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not get "+apiRequest.Schema.ID)
}
} }
handler = apiRequest.Schema.ListHandler handler = apiRequest.Schema.ListHandler
nextHandler = s.Defaults.ListHandler nextHandler = s.Defaults.ListHandler
case http.MethodPost: case http.MethodPost:
if !apiRequest.AccessControl.CanCreate(apiRequest, apiRequest.Schema) { if !apiRequest.AccessControl.CanCreate(apiRequest, apiRequest.Schema) {
return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not create "+apiRequest.Schema.Type) return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not create "+apiRequest.Schema.ID)
} }
handler = apiRequest.Schema.CreateHandler handler = apiRequest.Schema.CreateHandler
nextHandler = s.Defaults.CreateHandler nextHandler = s.Defaults.CreateHandler
case http.MethodPut: case http.MethodPut:
if !apiRequest.AccessControl.CanUpdate(apiRequest, nil, apiRequest.Schema) { if !apiRequest.AccessControl.CanUpdate(apiRequest, nil, apiRequest.Schema) {
return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not update "+apiRequest.Schema.Type) return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not update "+apiRequest.Schema.ID)
} }
handler = apiRequest.Schema.UpdateHandler handler = apiRequest.Schema.UpdateHandler
nextHandler = s.Defaults.UpdateHandler nextHandler = s.Defaults.UpdateHandler
case http.MethodDelete: case http.MethodDelete:
if !apiRequest.AccessControl.CanDelete(apiRequest, nil, apiRequest.Schema) { if !apiRequest.AccessControl.CanDelete(apiRequest, nil, apiRequest.Schema) {
return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not delete "+apiRequest.Schema.Type) return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not delete "+apiRequest.Schema.ID)
} }
handler = apiRequest.Schema.DeleteHandler handler = apiRequest.Schema.DeleteHandler
nextHandler = s.Defaults.DeleteHandler nextHandler = s.Defaults.DeleteHandler
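Review bot: In the `http.MethodGet` case the new `CanGet` branch authorizes a by-ID read, but both branches still dispatch to `apiRequest.Schema.ListHandler`, so the outcome depends on every list handler honouring a non-empty `apiRequest.ID`. A custom `ListHandler` that ignores the ID would return the whole collection to a caller who only passed `CanGet`, so the contract deserves a comment above the assignment, for example `// ListHandler serves both list and get-by-ID; when apiRequest.ID is set it must return only that object`. `CanGet` receives only the schema, so this is a type-level check and any per-object filtering presumably has to happen in the store. A test that a get-only schema answers PermissionDenied on its collection URL would pin the intended behaviour. The body of `handle` starts and ends outside this hunk.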


@@ -14,6 +14,10 @@ func (*AllAccess) CanCreate(apiContext *types.APIContext, schema *types.Schema)
return slice.ContainsString(schema.CollectionMethods, http.MethodPost) return slice.ContainsString(schema.CollectionMethods, http.MethodPost)
} }
func (*AllAccess) CanGet(apiContext *types.APIContext, schema *types.Schema) bool {
return slice.ContainsString(schema.ResourceMethods, http.MethodGet)
}
func (*AllAccess) CanList(apiContext *types.APIContext, schema *types.Schema) bool { func (*AllAccess) CanList(apiContext *types.APIContext, schema *types.Schema) bool {
return slice.ContainsString(schema.CollectionMethods, http.MethodGet) return slice.ContainsString(schema.CollectionMethods, http.MethodGet)
} }
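Review bot: `AllAccess.CanGet` is added without a doc comment, and the distinction it encodes is easy to miss: it consults `schema.ResourceMethods`, whereas `CanList` consults `schema.CollectionMethods`. I would add `// CanGet reports whether the schema allows GET on a single resource (ResourceMethods); listing the collection is governed separately by CanList.` Before this commit a by-ID GET was gated by `CanList`, so under `AllAccess` a schema that lists GET only in `CollectionMethods` will now be denied by ID. Existing schema definitions are worth auditing for that when this lands.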


@@ -74,7 +74,7 @@ func (s *Store) List(apiContext *types.APIContext, schema *types.Schema, opt *ty
continue continue
} }
if schema.CanList(apiContext) { if schema.CanList(apiContext) || schema.CanGet(apiContext) {
schemas = s.addSchema(apiContext, schema, schemaMap, schemas, included) schemas = s.addSchema(apiContext, schema, schemaMap, schemas, included)
} }
} }
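Review bot: The widened condition `schema.CanList(apiContext) || schema.CanGet(apiContext)` now publishes get-only schemas in the schema listing, so their field definitions become visible to every caller for whom `CanGet` is true. That looks intended, but it should be stated next to the condition, for example `// include schemas that can only be fetched by ID so clients can still discover them`. Whatever `addSchema` emits for such a schema should not advertise a collection link or list method that the server would then reject; that function is not visible here, so this needs checking. The loop and the rest of `List` lie outside this hunk.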


@@ -28,6 +28,13 @@ func (s *Schema) CanList(context *APIContext) bool {
return context.AccessControl.CanList(context, s) return context.AccessControl.CanList(context, s)
} }
func (s *Schema) CanGet(context *APIContext) bool {
if context == nil {
return slice.ContainsString(s.ResourceMethods, http.MethodGet)
}
return context.AccessControl.CanGet(context, s)
}
func (s *Schema) CanCreate(context *APIContext) bool { func (s *Schema) CanCreate(context *APIContext) bool {
if context == nil { if context == nil {
return slice.ContainsString(s.CollectionMethods, http.MethodPost) return slice.ContainsString(s.CollectionMethods, http.MethodPost)
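Review bot: `Schema.CanGet` answers from the static `s.ResourceMethods` list when `context` is nil, so a caller that passes nil gets a decision in which `AccessControl` was never consulted. That mirrors the `CanCreate` fallback visible below, but it should be documented so nobody uses the nil form for an authorization decision, for example `// CanGet reports whether a single resource of this schema may be read; a nil context checks only the schema's ResourceMethods and applies no access control.` A non-nil context whose `AccessControl` is unset would presumably panic on the method call, the same as the sibling methods. `CanCreate` continues past the end of this hunk.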


@@ -71,6 +71,7 @@ type ResponseWriter interface {
type AccessControl interface { type AccessControl interface {
CanCreate(apiContext *APIContext, schema *Schema) bool CanCreate(apiContext *APIContext, schema *Schema) bool
CanList(apiContext *APIContext, schema *Schema) bool CanList(apiContext *APIContext, schema *Schema) bool
CanGet(apiContext *APIContext, schema *Schema) bool
CanUpdate(apiContext *APIContext, obj map[string]interface{}, schema *Schema) bool CanUpdate(apiContext *APIContext, obj map[string]interface{}, schema *Schema) bool
CanDelete(apiContext *APIContext, obj map[string]interface{}, schema *Schema) bool CanDelete(apiContext *APIContext, obj map[string]interface{}, schema *Schema) bool