sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-23 18:56:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into refactor/permissions-manager

Browse Source
This commit is contained in:
pascal
2026-04-07 17:35:39 +02:00
parent f5c8a6fe1a 0588d2dbe1
commit 20e6dff507
112 changed files with 10718 additions and 2106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
management/server/user.go
View File

@@ -375,6 +375,10 @@ func (am *DefaultAccountManager) CreatePAT(ctx context.Context, accountID string
return nil, err
}
if targetUser.AccountID != accountID {
return nil, status.NewPermissionDeniedError()
}
// @note this is essential to prevent non admin users with Pats create permission frpm creating one for a service user
if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
return nil, status.NewAdminPermissionError()
@@ -407,6 +411,10 @@ func (am *DefaultAccountManager) DeletePAT(ctx context.Context, accountID string
return err
}
if targetUser.AccountID != accountID {
return status.NewPermissionDeniedError()
}
if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
return status.NewAdminPermissionError()
}
@@ -438,6 +446,10 @@ func (am *DefaultAccountManager) GetPAT(ctx context.Context, accountID string, i
return nil, err
}
if targetUser.AccountID != accountID {
return nil, status.NewPermissionDeniedError()
}
if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
return nil, status.NewAdminPermissionError()
}
@@ -457,6 +469,10 @@ func (am *DefaultAccountManager) GetAllPATs(ctx context.Context, accountID strin
return nil, err
}
if targetUser.AccountID != accountID {
return nil, status.NewPermissionDeniedError()
}
if initiatorUserID != targetUserID && !(initiatorUser.HasAdminPower() && targetUser.IsServiceUser) {
return nil, status.NewAdminPermissionError()
}
@@ -691,9 +707,15 @@ func (am *DefaultAccountManager) processUserUpdate(ctx context.Context, transact
updatedUser.Role = update.Role
updatedUser.Blocked = update.Blocked
updatedUser.AutoGroups = update.AutoGroups
// these two fields can't be set via API, only via direct call to the method
// these fields can't be set via API, only via direct call to the method
updatedUser.Issued = update.Issued
updatedUser.IntegrationReference = update.IntegrationReference
if update.Name != "" {
updatedUser.Name = update.Name
}
if update.Email != "" {
updatedUser.Email = update.Email
}
var transferredOwnerRole bool
result, err := handleOwnerRoleTransfer(ctx, transaction, initiatorUser, update)