From 6ed13bcec19380c98fb3ed13cbe149928b9c700a Mon Sep 17 00:00:00 2001 From: Yi-Ya Chen Date: Fri, 17 Jan 2025 16:45:27 +0800 Subject: [PATCH] fix: check user delete permission Signed-off-by: Yi-Ya Chen (cherry picked from commit f5961f3a59edc02438f255a1871bdee30828d0af) --- pkg/harvester/models/harvester/node.js | 73 ++++++++++---------------- 1 file changed, 27 insertions(+), 46 deletions(-) diff --git a/pkg/harvester/models/harvester/node.js b/pkg/harvester/models/harvester/node.js index cc7f9fb0..c1d9abad 100644 --- a/pkg/harvester/models/harvester/node.js +++ b/pkg/harvester/models/harvester/node.js @@ -27,17 +27,7 @@ const HEALTHY = 'healthy'; const WARNING = 'warning'; export default class HciNode extends HarvesterResource { - constructor(...args) { - super(...args); - this._roleBasedActions = []; - this._initialized = false; // flag to prevent repeated initialization - } - get _availableActions() { - if (!this._initialized) { - this.setupRoleBasedActions(); - } - const cordon = { action: 'cordon', enabled: this.hasAction('cordon') && !this.isCordoned, @@ -120,44 +110,10 @@ export default class HciNode extends HarvesterResource { shutDown, powerOn, reboot, - ...this._roleBasedActions || [] + ...super._availableActions ]; } - async setupRoleBasedActions() { - const baseActions = super._availableActions || []; - - // access control is only available on the multiple cluster Harvester - if (this.$rootGetters['isStandaloneHarvester']) { - this._roleBasedActions = baseActions; - } else { - this._roleBasedActions = await this._updateRoleBasedActions(baseActions); - } - - this._initialized = true; - } - - async _updateRoleBasedActions(actions) { - const hasSchema = (type) => this.$rootGetters['rancher/schemaFor'](type); - - if (!hasSchema(NORMAN.PRINCIPAL) || !hasSchema(NORMAN.CLUSTER_ROLE_TEMPLATE_BINDING)) return actions; - - try { - const templates = await this.$dispatch('rancher/findAll', { type: NORMAN.CLUSTER_ROLE_TEMPLATE_BINDING }, { root: true }); - const [currentUser] = this.$rootGetters['rancher/all'](NORMAN.PRINCIPAL) || []; - const userRole = templates.find((template) => template.userPrincipalId === currentUser?.id); - - if (userRole?.roleTemplateId === 'cluster-member') { - return actions.filter((action) => action.action !== 'promptRemove'); - } - } catch (error) { - // eslint-disable-next-line no-console - console.error('Error fetching role-based actions:', error); - } - - return actions; - } - promptRemove(resources = this) { this.$dispatch('promptModal', { resources, @@ -513,10 +469,35 @@ export default class HciNode extends HarvesterResource { return parseSi(this.reserved.memory || '0'); } + // returns the user role, either 'cluster-owner' or 'cluster-member' + async _getRoleTemplateId() { + try { + const templates = await this.$dispatch('rancher/findAll', { type: NORMAN.CLUSTER_ROLE_TEMPLATE_BINDING }, { root: true }); + const currentUser = this.$rootGetters['rancher/all'](NORMAN.PRINCIPAL)?.[0]; + const userRole = templates.find((template) => template.userPrincipalId === currentUser?.id); + + return userRole?.roleTemplateId || 'cluster-member'; + } catch (error) { + return 'cluster-member'; + } + } + get canDelete() { const nodes = this.$rootGetters['harvester/all'](NODE) || []; + const isSingleNode = nodes.length === 1; - return nodes.length > 1; + if (isSingleNode) return false; + + // access control is unavailable in standalone harvester + if (this.$rootGetters['isStandaloneHarvester']) return true; + + if (this._canDelete === undefined) { + return this._getRoleTemplateId().then((id) => { + this._canDelete = id === 'cluster-owner'; + }); + } + + return this._canDelete; } get vlanStatuses() {