[api] Fix listing tenantnamespaces for non-oidc users

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Andrei Kvapil
2025-10-14 12:37:47 +02:00
parent 36df9bda05
commit 671e13df70


@@ -294,13 +294,25 @@ func (r *REST) filterAccessible(
if _, ok := nameSet[rbs.Items[i].Namespace]; !ok {
continue
}
subjectLoop:
for j := range rbs.Items[i].Subjects {
if rbs.Items[i].Subjects[j].Kind != "Group" {
continue
}
if _, ok = groups[rbs.Items[i].Subjects[j].Name]; ok {
allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
break
subj := rbs.Items[i].Subjects[j]
switch subj.Kind {
case "Group":
if _, ok = groups[subj.Name]; ok {
allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
break subjectLoop
}
case "User":
if subj.Name == u.GetName() {
allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
break subjectLoop
}
case "ServiceAccount":
if u.GetName() == fmt.Sprintf("system:serviceaccount:%s:%s", subj.Namespace, subj.Name) {
allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
break subjectLoop
}
}
}
}
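Review bot: The new `case "ServiceAccount"` branch builds the username from `subj.Namespace` alone, so a RoleBinding whose ServiceAccount subject omits the namespace yields `system:serviceaccount::<name>` and never matches. The Kubernetes RBAC authorizer defaults an empty subject namespace to the binding's own namespace for RoleBindings, so such a service account is authorized in the namespace but would still be hidden from this listing. Consider resolving it first, e.g. `saNS := subj.Namespace` followed by `if saNS == "" { saNS = rbs.Items[i].Namespace }`, and formatting the username with `saNS`. A short comment above the `switch` stating that the three cases are meant to mirror the RBAC authorizer's subject matching would help keep this visibility filter from drifting away from the real authorization rules. `filterAccessible` starts and ends outside this hunk, so how `u` and `groups` are populated (and whether `u` can be nil here) is not visible.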