fix: skip namespace write-permission check when namespace is newly created
Build and Publish Arch Package / build-arch (amd64, x86_64) (push) Successful in 51s
Build and Publish Arch Package / build-arch (arm64, aarch64) (push) Successful in 49s
Build and Publish Docker Image / build-apk (amd64, x86_64) (push) Successful in 47s
Build and Publish Docker Image / build-apk (arm64, aarch64) (push) Successful in 43s
Build and Publish Docker Image / build-and-push-docker (push) Successful in 10m48s
Build and Publish Arch Package / build-arch (amd64, x86_64) (push) Successful in 51s
Build and Publish Arch Package / build-arch (arm64, aarch64) (push) Successful in 49s
Build and Publish Docker Image / build-apk (amd64, x86_64) (push) Successful in 47s
Build and Publish Docker Image / build-apk (arm64, aarch64) (push) Successful in 43s
Build and Publish Docker Image / build-and-push-docker (push) Successful in 10m48s
This commit is contained in:
@@ -495,11 +495,14 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
|
|||||||
if nsRef == "" {
|
if nsRef == "" {
|
||||||
nsRef = s.userID
|
nsRef = s.userID
|
||||||
}
|
}
|
||||||
nsID, err := s.resolveNamespaceRef(st, nsRef)
|
nsID, nsCreated, err := s.resolveNamespaceRef(st, nsRef)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if input.Namespace != "" && !pc.canWrite(nsID) {
|
// Skip the write check when the namespace was just created — the
|
||||||
|
// current user is the creator/owner, but the permContext was built
|
||||||
|
// before the namespace existed and therefore doesn't reflect it.
|
||||||
|
if input.Namespace != "" && !nsCreated && !pc.canWrite(nsID) {
|
||||||
return fmt.Errorf("permission denied: no write access to namespace %q", input.Namespace)
|
return fmt.Errorf("permission denied: no write access to namespace %q", input.Namespace)
|
||||||
}
|
}
|
||||||
ownerID = nsID
|
ownerID = nsID
|
||||||
@@ -725,7 +728,7 @@ func (s *nodeServiceImpl) Update(id string, input UpdateInput) (*models.Node, er
|
|||||||
|
|
||||||
// Namespace change: transfer ownership from the current namespace to the new one.
|
// Namespace change: transfer ownership from the current namespace to the new one.
|
||||||
if input.Namespace != nil {
|
if input.Namespace != nil {
|
||||||
newNsID, err := s.resolveNamespaceRef(st, *input.Namespace)
|
newNsID, _, err := s.resolveNamespaceRef(st, *input.Namespace)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@@ -973,11 +976,16 @@ func (s *nodeServiceImpl) ensureUser(st store.GraphStore, username string) (stri
|
|||||||
return id, nil
|
return id, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *nodeServiceImpl) resolveNamespaceRef(st store.GraphStore, ref string) (string, error) {
|
// resolveNamespaceRef returns the namespace ID and whether it was newly created.
|
||||||
|
func (s *nodeServiceImpl) resolveNamespaceRef(st store.GraphStore, ref string) (string, bool, error) {
|
||||||
if exists, _ := st.NodeExists(ref); exists {
|
if exists, _ := st.NodeExists(ref); exists {
|
||||||
return ref, nil
|
return ref, false, nil
|
||||||
}
|
}
|
||||||
return s.ensureNamespace(st, ref)
|
id, err := s.ensureNamespace(st, ref)
|
||||||
|
if err != nil {
|
||||||
|
return "", false, err
|
||||||
|
}
|
||||||
|
return id, true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *nodeServiceImpl) ensureNamespace(st store.GraphStore, name string) (string, error) {
|
func (s *nodeServiceImpl) ensureNamespace(st store.GraphStore, name string) (string, error) {
|
||||||
|
|||||||
Reference in New Issue
Block a user