fix: remove global readability of namespace nodes
@@ -185,16 +185,15 @@ func (s *nodeServiceImpl) getPermContext() (*permContext, error) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// User and namespace nodes are globally readable (they represent identities,
|
// User nodes are globally readable (they represent identities,
|
||||||
// and anyone can reference or assign to them).
|
// and anyone can reference or assign to them).
|
||||||
for _, nodeType := range []string{"user", "namespace"} {
|
// Namespace nodes are NOT globally readable; access must be explicitly granted.
|
||||||
nodes, _ := s.store.FindNodes([]*models.Rel{{Type: models.RelType("_type::" + nodeType), Target: ""}})
|
nodes, _ := s.store.FindNodes([]*models.Rel{{Type: "_type::user", Target: ""}})
|
||||||
for _, n := range nodes {
|
for _, n := range nodes {
|
||||||
if pc.levels[n.ID] < permRead {
|
if pc.levels[n.ID] < permRead {
|
||||||
pc.levels[n.ID] = permRead
|
pc.levels[n.ID] = permRead
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
return pc, nil
|
return pc, nil
|
||||||
}
|
}
|
||||||
|
|||||||
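Review bot: The rewritten lookup `nodes, _ := s.store.FindNodes(...)` still discards the store error, although getPermContext returns `(*permContext, error)` and could propagate it. If the lookup fails, the loop presumably sees no nodes and no user node is raised to permRead, so the failure leans towards denial, but callers get a permission context that is silently incomplete. I would change it to `nodes, err := s.store.FindNodes(...)` followed by `if err != nil { return nil, err }`; the function starts above this hunk, so whether `err` is already declared there is not visible. Since this commit tightens access, a regression test asserting that a caller with no explicit grant ends up below permRead on a namespace node would keep the loop from being widened again unnoticed.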