fix user scope (#360)

kubecube-io · Dec 12, 2023 · 070093e · 070093e
1 parent 91a6a21
commit 070093e
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/pkg/apis/user/v1/user_types.go b/pkg/apis/user/v1/user_types.go
@@ -130,3 +130,14 @@ type UserList struct {
 func init() {
 	SchemeBuilder.Register(&User{}, &UserList{})
 }
+
+func (u *User) IsUserPlatformScope() bool {
+	platformScope := false
+	for _, scope := range u.Spec.ScopeBindings {
+		if scope.ScopeType == PlatformScope {
+			platformScope = true
+			break
+		}
+	}
+	return platformScope
+}
diff --git a/pkg/apiserver/cubeapi/authorization/handler.go b/pkg/apiserver/cubeapi/authorization/handler.go
@@ -597,6 +597,7 @@ func getUserProjects(user *user.User, projectList *tenantv1.ProjectList, tenantA
 		projectSet.Insert(p.Project)
 	}
 	tenantSet := sets.NewString(user.Status.BelongTenants...)
+	isUserPlatform := user.IsUserPlatformScope()
 
 	for _, p := range projectList.Items {
 		t, ok := p.Labels[constants.TenantLabel]
@@ -607,7 +608,7 @@ func getUserProjects(user *user.User, projectList *tenantv1.ProjectList, tenantA
 		// 1. user is platform admin
 		// 2. user's belong projects had this queried project
 		// 3. user's belong tenants had this queried tenant
-		if !user.Status.PlatformAdmin && !projectSet.Has(p.Name) && !tenantSet.Has(t) {
+		if !isUserPlatform && !user.Status.PlatformAdmin && !projectSet.Has(p.Name) && !tenantSet.Has(t) {
 			continue
 		}
 

diff --git a/pkg/apiserver/cubeapi/authorization/helper.go b/pkg/apiserver/cubeapi/authorization/helper.go
@@ -272,7 +272,7 @@ func GetVisibleTenants(ctx context.Context, cli mgrclient.Client, username strin
 		return nil, err
 	}
 
-	if user.Status.PlatformAdmin {
+	if user.Status.PlatformAdmin || user.IsUserPlatformScope() {
 		return tenants.Items, nil
 	}