Distinguish between listing and getting

We now have resources (subtypes of authConfig) that can be retrieved by ID but their collections are not viewable. This change is needed to suppport that.
rancher · Feb 1, 2018 · e871e0f · e871e0f
1 parent 1da4009
commit e871e0f
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 6 deletions.
diff --git a/api/server.go b/api/server.go
@@ -186,26 +186,32 @@ func (s *Server) handle(rw http.ResponseWriter, req *http.Request) (*types.APICo
 		if apiRequest.Link == "" {
 			switch apiRequest.Method {
 			case http.MethodGet:
-				if !apiRequest.AccessControl.CanList(apiRequest, apiRequest.Schema) {
-					return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not list "+apiRequest.Schema.Type)
+				if apiRequest.ID == "" {
+					if !apiRequest.AccessControl.CanList(apiRequest, apiRequest.Schema) {
+						return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not list "+apiRequest.Schema.ID)
+					}
+				} else {
+					if !apiRequest.AccessControl.CanGet(apiRequest, apiRequest.Schema) {
+						return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not get "+apiRequest.Schema.ID)
+					}
 				}
 				handler = apiRequest.Schema.ListHandler
 				nextHandler = s.Defaults.ListHandler
 			case http.MethodPost:
 				if !apiRequest.AccessControl.CanCreate(apiRequest, apiRequest.Schema) {
-					return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not create "+apiRequest.Schema.Type)
+					return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not create "+apiRequest.Schema.ID)
 				}
 				handler = apiRequest.Schema.CreateHandler
 				nextHandler = s.Defaults.CreateHandler
 			case http.MethodPut:
 				if !apiRequest.AccessControl.CanUpdate(apiRequest, nil, apiRequest.Schema) {
-					return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not update "+apiRequest.Schema.Type)
+					return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not update "+apiRequest.Schema.ID)
 				}
 				handler = apiRequest.Schema.UpdateHandler
 				nextHandler = s.Defaults.UpdateHandler
 			case http.MethodDelete:
 				if !apiRequest.AccessControl.CanDelete(apiRequest, nil, apiRequest.Schema) {
-					return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not delete "+apiRequest.Schema.Type)
+					return apiRequest, httperror.NewAPIError(httperror.PermissionDenied, "Can not delete "+apiRequest.Schema.ID)
 				}
 				handler = apiRequest.Schema.DeleteHandler
 				nextHandler = s.Defaults.DeleteHandler

diff --git a/authorization/all.go b/authorization/all.go
@@ -14,6 +14,10 @@ func (*AllAccess) CanCreate(apiContext *types.APIContext, schema *types.Schema)
 	return slice.ContainsString(schema.CollectionMethods, http.MethodPost)
 }
 
+func (*AllAccess) CanGet(apiContext *types.APIContext, schema *types.Schema) bool {
+	return slice.ContainsString(schema.ResourceMethods, http.MethodGet)
+}
+
 func (*AllAccess) CanList(apiContext *types.APIContext, schema *types.Schema) bool {
 	return slice.ContainsString(schema.CollectionMethods, http.MethodGet)
 }

diff --git a/store/schema/schema_store.go b/store/schema/schema_store.go
@@ -74,7 +74,7 @@ func (s *Store) List(apiContext *types.APIContext, schema *types.Schema, opt *ty
 			continue
 		}
 
-		if schema.CanList(apiContext) {
+		if schema.CanList(apiContext) || schema.CanGet(apiContext) {
 			schemas = s.addSchema(apiContext, schema, schemaMap, schemas, included)
 		}
 	}

diff --git a/types/schema_funcs.go b/types/schema_funcs.go
@@ -28,6 +28,13 @@ func (s *Schema) CanList(context *APIContext) bool {
 	return context.AccessControl.CanList(context, s)
 }
 
+func (s *Schema) CanGet(context *APIContext) bool {
+	if context == nil {
+		return slice.ContainsString(s.ResourceMethods, http.MethodGet)
+	}
+	return context.AccessControl.CanGet(context, s)
+}
+
 func (s *Schema) CanCreate(context *APIContext) bool {
 	if context == nil {
 		return slice.ContainsString(s.CollectionMethods, http.MethodPost)

diff --git a/types/server_types.go b/types/server_types.go
@@ -71,6 +71,7 @@ type ResponseWriter interface {
 type AccessControl interface {
 	CanCreate(apiContext *APIContext, schema *Schema) bool
 	CanList(apiContext *APIContext, schema *Schema) bool
+	CanGet(apiContext *APIContext, schema *Schema) bool
 	CanUpdate(apiContext *APIContext, obj map[string]interface{}, schema *Schema) bool
 	CanDelete(apiContext *APIContext, obj map[string]interface{}, schema *Schema) bool