
Commit 005fe7a

committed
restore unrelated changes
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
1 parent 1043654 commit 005fe7a

1 file changed

Lines changed: 21 additions & 10 deletions


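--- a/app/controlplane/internal/service/service.go
+++ b/app/controlplane/internal/service/service.go
@@ -193,22 +193,33 @@ func (s *service) authorizeResource(ctx context.Context, op *authz.Policy, resou
 // for example admin in project1, then apply RBAC enforcement
 m := entities.CurrentMembership(ctx)
 
-// iterate through all resource memberships and find any that matches
+var matchingResources []*entities.ResourceMembership
+// First, collect all memberships that match the requested resource type and ID
 for _, rm := range m.Resources {
 if rm.ResourceType == resourceType && rm.ResourceID == resourceID {
-pass, err := s.enforcer.Enforce(string(rm.Role), op)
-if err != nil {
-return handleUseCaseErr(err, s.log)
-}
-
-if pass {
-s.log.Debugw("msg", "authorized using user membership", "resource_id", resourceID.String(), "resource_type", resourceType, "role", rm.Role, "membership_id", rm.MembershipID, "user_id", m.UserID)
-return nil
-}
+matchingResources = append(matchingResources, rm)
 }
 }
 
 var defaultMessage = fmt.Sprintf("you do not have permissions to access to the %s associated with this resource", resourceType)
+// If no matching resources were found, return forbidden error
+if len(matchingResources) == 0 {
+return errors.Forbidden("forbidden", defaultMessage)
+}
+
+// Try to enforce the policy with each matching role
+// If any role passes, authorize the request
+for _, rm := range matchingResources {
+pass, err := s.enforcer.Enforce(string(rm.Role), op)
+if err != nil {
+return handleUseCaseErr(err, s.log)
+}
+
+if pass {
+s.log.Debugw("msg", "authorized using user membership", "resource_id", resourceID.String(), "resource_type", resourceType, "role", rm.Role, "membership_id", rm.MembershipID, "user_id", m.UserID)
+return nil
+}
+}
 
 // If none of the roles pass, return forbidden error
 return errors.Forbidden("forbidden", defaultMessage)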
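Review bot: The early `if len(matchingResources) == 0` return at new lines 206–208 is redundant with the final `return errors.Forbidden("forbidden", defaultMessage)` at 225: ranging over an empty slice falls straight through to the same error, so the guard adds a second forbidden path for the reader to reconcile without changing behaviour. Either drop the guard, or keep it and reword the closing comment to `// A matching membership exists but none of its roles satisfies the policy` so the two returns read as distinct cases. The union semantics of the second loop are the security-relevant decision here and deserve an explicit comment above it, e.g. `// A user may hold several memberships on the same resource; access is granted if any of their roles satisfies the policy, and an enforcer error fails closed.` authorizeResource's signature and closing brace lie outside the hunk, so whether `m` is guarded against a nil membership before line 194 cannot be confirmed from here.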
