
users: add restricted users' filter (PROJQUAY-1245) (#1551)

- Similar to LDAP_SUPERUSER_FILTER, add a specific filter to define
restricted users, based on the LDAP_USER_FILTER
- restrict writes in restricted users' own namespace. Normal
permissions apply to organization membership
- add global readonly superuser GLOBAL_READONLY_SUPER_USERS (PROJQUAY-2604)
- Removes RESTRICTED_USER_INCLUDE_ROBOTS, FEATURE_RESTRICTED_READ_ONLY_USERS
This commit is contained in:
Kenny Lee Sin Cheong
2022-10-28 13:38:37 -04:00
committed by GitHub
parent 6bbfdf5e78
commit c84067a4d6
30 changed files with 574 additions and 185 deletions


@@ -217,7 +217,7 @@ class OrgRobot(ApiResource):
Returns the organization's robot with the specified name.
"""
permission = AdministerOrganizationPermission(orgname)
if permission.can():
if permission.can() or allow_if_superuser():
robot = model.get_org_robot(robot_shortname, orgname)
return robot.to_dict(include_metadata=True, include_token=True)
@@ -232,7 +232,7 @@ class OrgRobot(ApiResource):
Create a new robot in the organization.
"""
permission = AdministerOrganizationPermission(orgname)
if permission.can():
if permission.can() or allow_if_superuser():
create_data = request.get_json() or {}
robot = model.create_org_robot(
robot_shortname,
@@ -260,7 +260,7 @@ class OrgRobot(ApiResource):
Delete an existing organization robot.
"""
permission = AdministerOrganizationPermission(orgname)
if permission.can():
if permission.can() or allow_if_superuser():
robot_username = format_robot_username(orgname, robot_shortname)
if not model.robot_has_mirror(robot_username):
model.delete_robot(robot_username)
@@ -360,7 +360,7 @@ class RegenerateOrgRobot(ApiResource):
Regenerates the token for an organization robot.
"""
permission = AdministerOrganizationPermission(orgname)
if permission.can():
if permission.can() or allow_if_superuser():
robot = model.regenerate_org_robot_token(robot_shortname, orgname)
log_action("regenerate_robot_token", orgname, {"robot": robot_shortname})
return robot.to_dict(include_token=True)
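Review bot: The same `allow_if_superuser()` gate is added to the GET that returns the robot's secret (`include_token=True`) and to the create, delete and regenerate-token paths, so whether the new GLOBAL_READONLY_SUPER_USERS are admitted by that helper decides if a read-only superuser can mint or rotate robot credentials; `allow_if_superuser` is defined outside these hunks and should be confirmed to exclude read-only superusers, or the three mutating handlers should use a distinct write-capable check. Returning the token is itself impersonation-equivalent, so the GET should not be classed as a harmless read either. A one-line comment at each bypass would document the intent and keep it from regressing: `# Full (not read-only) superusers bypass org-admin; this handler exposes or rotates the robot's credential.` The handler bodies continue outside the hunks (create's robot construction and delete's mirror check), so any audit logging on those paths cannot be judged from here.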