fix: 修复cloudid用户列表权限问题

2026-06-02 14:02:39 +08:00 · 2020-07-14 16:10:34 +08:00
parent b203286ce9
commit dccf685f66
4 changed files with 30 additions and 51 deletions
--- a/pkg/apis/cloudid/clouduser.go
+++ b/pkg/apis/cloudid/clouduser.go
@@ -105,10 +105,6 @@ type ClouduserListInput struct {
 	CloudaccountResourceListInput
 	CloudproviderResourceListInput

-	// 通过关联用户查找公有云子账号
-	// example: cloudadmin
-	OwnerName string `json:"owner_name"`
-
 	// 过滤绑定权限的子账号
 	CloudpolicyId string `json:"cloudpolicy_id"`

--- a/pkg/apis/list.go
+++ b/pkg/apis/list.go
@@ -59,11 +59,7 @@ type StatusDomainLevelUserResourceListInput struct {
 }

 type UserResourceListInput struct {
-	StandaloneResourceListInput
-	ScopedResourceInput
-
-	// list in admin mode
-	Admin *bool `json:"admin"`
+	StatusDomainLevelResourceListInput

 	// 查询指定的用户（ID或名称）拥有的资源
 	User string `json:"user"`
--- a/pkg/cloudcommon/db/statusinfrasuserresource.go
+++ b/pkg/cloudcommon/db/statusinfrasuserresource.go
@@ -60,36 +60,48 @@ func (manager *SStatusDomainLevelUserResourceBaseManager) ValidateCreateData(ctx
 	return input, nil
 }

+func (manager *SStatusDomainLevelUserResourceBaseManager) FilterByOwner(q *sqlchemy.SQuery, owner mcclient.IIdentityProvider, scope rbacutils.TRbacScope) *sqlchemy.SQuery {
+	if owner != nil {
+		switch scope {
+		case rbacutils.ScopeProject, rbacutils.ScopeUser:
+			return q.Equals("owner_id", owner.GetProjectDomainId())
+		case rbacutils.ScopeDomain:
+			sq := UserCacheManager.Query("id").Equals("domain_id", owner.GetProjectDomainId())
+			q = q.Filter(
+				sqlchemy.OR(
+					sqlchemy.Equals(q.Field("domain_id"), owner.GetProjectDomainId()),
+					sqlchemy.In(q.Field("owner_id"), sq.SubQuery()),
+				),
+			)
+		}
+	}
+	return q
+}
+
 func (manager *SStatusDomainLevelUserResourceBaseManager) ListItemFilter(
 	ctx context.Context,
 	q *sqlchemy.SQuery,
 	userCred mcclient.TokenCredential,
 	query apis.StatusDomainLevelUserResourceListInput,
 ) (*sqlchemy.SQuery, error) {
-	q, err := manager.SStandaloneResourceBaseManager.ListItemFilter(ctx, q, userCred, query.StandaloneResourceListInput)
+	q, err := manager.SStatusDomainLevelResourceBaseManager.ListItemFilter(ctx, q, userCred, query.StatusDomainLevelResourceListInput)
 	if err != nil {
 		return nil, errors.Wrap(err, "SUserResourceBaseManager.ListItemFilter")
 	}

-	if ((query.Admin != nil && *query.Admin) || query.Scope == string(rbacutils.ScopeSystem)) && IsAdminAllowList(userCred, manager) {
-		user := query.User
-		if len(user) > 0 {
-			uc, _ := UserCacheManager.FetchUserByIdOrName(ctx, user)
-			if uc == nil {
-				return nil, httperrors.NewUserNotFoundError("user %s not found", user)
-			}
-			q = q.Equals("owner_id", uc.Id)
-		}
-	} else if query.Scope == string(rbacutils.ScopeDomain) && IsDomainAllowList(userCred, manager) {
-		q = q.Equals("domain_id", userCred.GetProjectDomainId())
-	} else {
-		q = q.Equals("owner_id", userCred.GetUserId())
-	}
-
 	q, err = manager.SStatusResourceBaseManager.ListItemFilter(ctx, q, userCred, query.StatusResourceBaseListInput)
 	if err != nil {
 		return nil, errors.Wrap(err, "SStatusResourceBaseManager.ListItemFilter")
 	}
+
+	if len(query.User) > 0 {
+		uc, _ := UserCacheManager.FetchUserByIdOrName(ctx, query.User)
+		if uc == nil {
+			return nil, httperrors.NewUserNotFoundError("user %s not found", query.User)
+		}
+		q = q.Equals("owner_id", uc.Id)
+	}
+
 	return q, nil
 }

@@ -164,16 +176,3 @@ func (model *SStatusDomainLevelUserResourceBase) GetExtraDetails(
 ) (apis.StatusDomainLevelUserResourceDetails, error) {
 	return apis.StatusDomainLevelUserResourceDetails{}, nil
 }
-
-func (self *SStatusDomainLevelUserResourceBase) GetOwnerId() mcclient.IIdentityProvider {
-	owner := SOwnerId{UserId: self.OwnerId}
-	return &owner
-}
-
-func (manager *SStatusDomainLevelUserResourceBaseManager) NamespaceScope() rbacutils.TRbacScope {
-	return rbacutils.ScopeUser
-}
-
-func (manager *SStatusDomainLevelUserResourceBaseManager) ResourceScope() rbacutils.TRbacScope {
-	return rbacutils.ScopeUser
-}
--- a/pkg/cloudid/models/clouduser.go
+++ b/pkg/cloudid/models/clouduser.go
@@ -141,12 +141,6 @@ func (manager *SClouduserManager) ListItemFilter(ctx context.Context, q *sqlchem
 		q = q.In("id", sq.SubQuery())
 	}

-	if len(query.OwnerName) > 0 {
-		caches := db.UserCacheManager.Query().SubQuery()
-		q = q.Join(caches, sqlchemy.Equals(caches.Field("id"), q.Field("owner_id"))).
-			Filter(sqlchemy.Equals(caches.Field("name"), query.OwnerName))
-	}
-
 	return q, nil
 }

@@ -426,6 +420,7 @@ func (manager *SClouduserManager) ValidateCreateData(ctx context.Context, userCr
 		return input, httperrors.NewGeneralError(errors.Wrap(err, "p.CreateIClouduser"))
 	}
 	input.ExternalId = iUser.GetGlobalId()
+	input.Name = iUser.GetName()

 	input.OwnerId = user.Id
 	input.DomainId = account.DomainId
@@ -1209,13 +1204,6 @@ func (self *SClouduser) AllowPerformChangeOwner(ctx context.Context, userCred mc

 // 变更子账号所属本地用户
 func (self *SClouduser) PerformChangeOwner(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.ClouduserChangeOwnerInput) (jsonutils.JSONObject, error) {
-	if len(self.OwnerId) > 0 {
-		user, err := db.UserCacheManager.FetchUserById(ctx, self.OwnerId)
-		if err != nil || user.DomainId != self.DomainId && !userCred.HasSystemAdminPrivilege() {
-			return nil, httperrors.NewForbiddenError("Not allow to change owner")
-		}
-	}
-
 	user, err := db.UserCacheManager.FetchUserById(ctx, input.UserId)
 	if err != nil {
 		return nil, httperrors.NewGeneralError(errors.Wrapf(err, "Not found user %s", input.UserId))