diff --git a/docs/permissions.md b/docs/permissions.md
index 2543ef3c3..b9a7bac3b 100644
--- a/docs/permissions.md
+++ b/docs/permissions.md
@@ -10,44 +10,45 @@ System admin have all permissions for the project.
The following table depicts the various user permission levels in a project.
-| Action | Guest | Developer | Master | Project Admin |
-| --------------------------------------- | ----- | --------- | ------ | ------------- |
-| See the porject configurations | ✓ | ✓ | ✓ | ✓ |
-| Edit the project configurations | | | | ✓ |
-| See a list of project members | ✓ | ✓ | ✓ | ✓ |
-| Create/edit/delete project members | | | | ✓ |
-| See a list of project logs | ✓ | ✓ | ✓ | ✓ |
-| See a list of project replications | | | ✓ | ✓ |
-| See a list of project replication jobs | | | | ✓ |
-| See a list of project labels | | | ✓ | ✓ |
-| Create/edit/delete project lables | | | ✓ | ✓ |
-| See a list of repositories | ✓ | ✓ | ✓ | ✓ |
-| Create repositories | | ✓ | ✓ | ✓ |
-| Edit/delete repositories | | | ✓ | ✓ |
-| See a list of images | ✓ | ✓ | ✓ | ✓ |
-| Retag image | ✓ | ✓ | ✓ | ✓ |
-| Pull image | ✓ | ✓ | ✓ | ✓ |
-| Push image | | ✓ | ✓ | ✓ |
-| Scan/delete image | | | ✓ | ✓ |
-| See a list of image vulnerabilities | ✓ | ✓ | ✓ | ✓ |
-| See image build history | ✓ | ✓ | ✓ | ✓ |
-| Add/Remove labels of image | | ✓ | ✓ | ✓ |
-| See a list of helm charts | ✓ | ✓ | ✓ | ✓ |
-| Download helm charts | ✓ | ✓ | ✓ | ✓ |
-| Upload helm charts | | ✓ | ✓ | ✓ |
-| Delete helm charts | | | ✓ | ✓ |
-| See a list of helm chart versions | ✓ | ✓ | ✓ | ✓ |
-| Download helm chart versions | ✓ | ✓ | ✓ | ✓ |
-| Upload helm chart versions | | ✓ | ✓ | ✓ |
-| Delete helm chart versions | | | ✓ | ✓ |
-| Add/Remove labels of helm chart version | | ✓ | ✓ | ✓ |
-| See a list of project robots | | | ✓ | ✓ |
-| Create/edit/delete project robots | | | | ✓ |
-| See configured CVE whitelist | ✓ | ✓ | ✓ | ✓ |
-| Create/edit/remove CVE whitelist | | | | ✓ |
-| Enable/disable webhooks | | ✓ | ✓ | ✓ |
-| Create/delete tag retention rules | | ✓ | ✓ | ✓ |
-| Enable/disable tag retention rules | | ✓ | ✓ | ✓ |
-| See project quotas | ✓ | ✓ | ✓ | ✓ |
-| Edit project quotas | | | | |
+| Action | Limited Guest | Guest | Developer | Master | Project Admin |
+| --------------------------------------- | ------------- | ----- | --------- | ------ | ------------- |
+| See the porject configurations | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Edit the project configurations | | | | | ✓ |
+| See a list of project members | | ✓ | ✓ | ✓ | ✓ |
+| Create/edit/delete project members | | | | | ✓ |
+| See a list of project logs | | ✓ | ✓ | ✓ | ✓ |
+| See a list of project replications | | | | ✓ | ✓ |
+| See a list of project replication jobs | | | | | ✓ |
+| See a list of project labels | | | | ✓ | ✓ |
+| Create/edit/delete project lables | | | | ✓ | ✓ |
+| See a list of repositories | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Create repositories | | | ✓ | ✓ | ✓ |
+| Edit/delete repositories | | | | ✓ | ✓ |
+| See a list of images | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Retag image | | ✓ | ✓ | ✓ | ✓ |
+| Pull image | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Push image | | | ✓ | ✓ | ✓ |
+| Scan/delete image | | | | ✓ | ✓ |
+| See a list of image vulnerabilities | ✓ | ✓ | ✓ | ✓ | ✓ |
+| See image build history | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Add/Remove labels of image | | | ✓ | ✓ | ✓ |
+| See a list of helm charts | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Download helm charts | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Upload helm charts | | | ✓ | ✓ | ✓ |
+| Delete helm charts | | | | ✓ | ✓ |
+| See a list of helm chart versions | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Download helm chart versions | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Upload helm chart versions | | | ✓ | ✓ | ✓ |
+| Delete helm chart versions | | | | ✓ | ✓ |
+| Add/Remove labels of helm chart version | | | ✓ | ✓ | ✓ |
+| See a list of project robots | | | | ✓ | ✓ |
+| Create/edit/delete project robots | | | | | ✓ |
+| See configured CVE whitelist | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Create/edit/remove CVE whitelist | | | | | ✓ |
+| Enable/disable webhooks | | | ✓ | ✓ | ✓ |
+| Create/delete tag retention rules | | | ✓ | ✓ | ✓ |
+| Enable/disable tag retention rules | | | ✓ | ✓ | ✓ |
+| See project quotas | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Edit project quotas | | | | | |
+
diff --git a/make/migrations/postgresql/0015_1.10.0_schema.up.sql b/make/migrations/postgresql/0015_1.10.0_schema.up.sql
index 6b7e860d9..d4cc01997 100644
--- a/make/migrations/postgresql/0015_1.10.0_schema.up.sql
+++ b/make/migrations/postgresql/0015_1.10.0_schema.up.sql
@@ -57,4 +57,7 @@ DROP TABLE IF EXISTS img_scan_job;
DROP TRIGGER IF EXISTS TRIGGER ON img_scan_overview;
DROP TABLE IF EXISTS img_scan_overview;
-DROP TABLE IF EXISTS clair_vuln_timestamp
\ No newline at end of file
+DROP TABLE IF EXISTS clair_vuln_timestamp;
+
+/* Add limited guest role */
+INSERT INTO role (role_code, name) VALUES ('LRS', 'limitedGuest');
diff --git a/src/common/const.go b/src/common/const.go
index c051762ff..62a577eff 100755
--- a/src/common/const.go
+++ b/src/common/const.go
@@ -33,6 +33,7 @@ const (
RoleDeveloper = 2
RoleGuest = 3
RoleMaster = 4
+ RoleLimitedGuest = 5
LabelLevelSystem = "s"
LabelLevelUser = "u"
diff --git a/src/common/dao/project.go b/src/common/dao/project.go
index e027ec221..764601aa3 100644
--- a/src/common/dao/project.go
+++ b/src/common/dao/project.go
@@ -78,7 +78,7 @@ func addProjectMember(member models.Member) (int, error) {
func GetProjectByID(id int64) (*models.Project, error) {
o := GetOrmer()
- sql := `select p.project_id, p.name, u.username as owner_name, p.owner_id, p.creation_time, p.update_time
+ sql := `select p.project_id, p.name, u.username as owner_name, p.owner_id, p.creation_time, p.update_time
from project p left join harbor_user u on p.owner_id = u.user_id where p.deleted = false and p.project_id = ?`
queryParam := make([]interface{}, 1)
queryParam = append(queryParam, id)
@@ -142,7 +142,7 @@ func GetTotalOfProjects(query *models.ProjectQueryParam) (int64, error) {
// GetProjects returns a project list according to the query conditions
func GetProjects(query *models.ProjectQueryParam) ([]*models.Project, error) {
sqlStr, queryParam := projectQueryConditions(query)
- sqlStr = `select distinct p.project_id, p.name, p.owner_id,
+ sqlStr = `select distinct p.project_id, p.name, p.owner_id,
p.creation_time, p.update_time ` + sqlStr + ` order by p.name`
sqlStr, queryParam = CreatePagination(query, sqlStr, queryParam)
@@ -158,15 +158,15 @@ func GetProjects(query *models.ProjectQueryParam) ([]*models.Project, error) {
// and the user is in the group which is a group member of this project.
func GetGroupProjects(groupIDs []int, query *models.ProjectQueryParam) ([]*models.Project, error) {
sql, params := projectQueryConditions(query)
- sql = `select distinct p.project_id, p.name, p.owner_id,
+ sql = `select distinct p.project_id, p.name, p.owner_id,
p.creation_time, p.update_time ` + sql
groupIDCondition := JoinNumberConditions(groupIDs)
if len(groupIDs) > 0 {
sql = fmt.Sprintf(
- `%s union select distinct p.project_id, p.name, p.owner_id, p.creation_time, p.update_time
- from project p
+ `%s union select distinct p.project_id, p.name, p.owner_id, p.creation_time, p.update_time
+ from project p
left join project_member pm on p.project_id = pm.project_id
- left join user_group ug on ug.id = pm.entity_id and pm.entity_type = 'g'
+ left join user_group ug on ug.id = pm.entity_id and pm.entity_type = 'g'
where ug.id in ( %s )`,
sql, groupIDCondition)
}
@@ -188,11 +188,11 @@ func GetTotalGroupProjects(groupIDs []int, query *models.ProjectQueryParam) (int
sql = `select count(1) ` + sqlCondition
} else {
sql = fmt.Sprintf(
- `select count(1)
- from ( select p.project_id %s union select p.project_id
- from project p
+ `select count(1)
+ from ( select p.project_id %s union select p.project_id
+ from project p
left join project_member pm on p.project_id = pm.project_id
- left join user_group ug on ug.id = pm.entity_id and pm.entity_type = 'g'
+ left join user_group ug on ug.id = pm.entity_id and pm.entity_type = 'g'
where ug.id in ( %s )) t`,
sqlCondition, groupIDCondition)
}
@@ -254,6 +254,8 @@ func projectQueryConditions(query *models.ProjectQueryParam) (string, []interfac
roleID = 3
case common.RoleMaster:
roleID = 4
+ case common.RoleLimitedGuest:
+ roleID = 5
}
params = append(params, roleID)
}
@@ -287,8 +289,8 @@ func DeleteProject(id int64) error {
return err
}
name := fmt.Sprintf("%s#%d", project.Name, project.ProjectID)
- sql := `update project
- set deleted = true, name = ?
+ sql := `update project
+ set deleted = true, name = ?
where project_id = ?`
_, err = GetOrmer().Raw(sql, name, id).Exec()
return err
@@ -304,8 +306,8 @@ func GetRolesByGroupID(projectID int64, groupIDs []int) ([]int, error) {
groupIDCondition := JoinNumberConditions(groupIDs)
o := GetOrmer()
sql := fmt.Sprintf(
- `select distinct pm.role from project_member pm
- left join user_group ug on pm.entity_type = 'g' and pm.entity_id = ug.id
+ `select distinct pm.role from project_member pm
+ left join user_group ug on pm.entity_type = 'g' and pm.entity_id = ug.id
where ug.id in ( %s ) and pm.project_id = ?`,
groupIDCondition)
log.Debugf("sql for GetRolesByGroupID(project ID: %d, group ids: %v):%v", projectID, groupIDs, sql)
diff --git a/src/common/models/project.go b/src/common/models/project.go
index 1b56284a3..38e1622bb 100644
--- a/src/common/models/project.go
+++ b/src/common/models/project.go
@@ -201,6 +201,7 @@ type ProjectSummary struct {
MasterCount int64 `json:"master_count"`
DeveloperCount int64 `json:"developer_count"`
GuestCount int64 `json:"guest_count"`
+ LimitedGuestCount int64 `json:"limited_guest_count"`
Quota struct {
Hard types.ResourceList `json:"hard"`
diff --git a/src/common/rbac/project/util.go b/src/common/rbac/project/util.go
index 85116fe21..63ed661c8 100644
--- a/src/common/rbac/project/util.go
+++ b/src/common/rbac/project/util.go
@@ -48,124 +48,7 @@ var (
}
// all policies for the projects
- allPolicies = []*rbac.Policy{
- {Resource: rbac.ResourceSelf, Action: rbac.ActionRead},
- {Resource: rbac.ResourceSelf, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceSelf, Action: rbac.ActionDelete},
-
- {Resource: rbac.ResourceMember, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceMember, Action: rbac.ActionRead},
- {Resource: rbac.ResourceMember, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceMember, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceMember, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceMetadata, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceMetadata, Action: rbac.ActionRead},
- {Resource: rbac.ResourceMetadata, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceMetadata, Action: rbac.ActionDelete},
-
- {Resource: rbac.ResourceLog, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceReplication, Action: rbac.ActionList},
- {Resource: rbac.ResourceReplication, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceReplication, Action: rbac.ActionRead},
- {Resource: rbac.ResourceReplication, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceReplication, Action: rbac.ActionDelete},
-
- {Resource: rbac.ResourceReplicationJob, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceReplicationJob, Action: rbac.ActionRead},
- {Resource: rbac.ResourceReplicationJob, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceReplicationExecution, Action: rbac.ActionRead},
- {Resource: rbac.ResourceReplicationExecution, Action: rbac.ActionList},
- {Resource: rbac.ResourceReplicationExecution, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceReplicationExecution, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceReplicationExecution, Action: rbac.ActionDelete},
-
- {Resource: rbac.ResourceReplicationTask, Action: rbac.ActionRead},
- {Resource: rbac.ResourceReplicationTask, Action: rbac.ActionList},
- {Resource: rbac.ResourceReplicationTask, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceReplicationTask, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceReplicationTask, Action: rbac.ActionDelete},
-
- {Resource: rbac.ResourceTagRetention, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceTagRetention, Action: rbac.ActionRead},
- {Resource: rbac.ResourceTagRetention, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceTagRetention, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceTagRetention, Action: rbac.ActionList},
- {Resource: rbac.ResourceTagRetention, Action: rbac.ActionOperate},
-
- {Resource: rbac.ResourceImmutableTag, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceImmutableTag, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceImmutableTag, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceImmutableTag, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceLabel, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceLabel, Action: rbac.ActionRead},
- {Resource: rbac.ResourceLabel, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceLabel, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceLabel, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceLabelResource, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceRepository, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceRepository, Action: rbac.ActionRead},
- {Resource: rbac.ResourceRepository, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceRepository, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceRepository, Action: rbac.ActionList},
- {Resource: rbac.ResourceRepository, Action: rbac.ActionPull},
- {Resource: rbac.ResourceRepository, Action: rbac.ActionPush},
-
- {Resource: rbac.ResourceRepositoryLabel, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceRepositoryLabel, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceRepositoryLabel, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionRead},
- {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceRepositoryTagScanJob, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceRepositoryTagScanJob, Action: rbac.ActionRead},
-
- {Resource: rbac.ResourceRepositoryTagVulnerability, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceRepositoryTagManifest, Action: rbac.ActionRead},
-
- {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceHelmChart, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceHelmChart, Action: rbac.ActionRead},
- {Resource: rbac.ResourceHelmChart, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceHelmChart, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionRead},
- {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionDelete},
-
- {Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead},
- {Resource: rbac.ResourceConfiguration, Action: rbac.ActionUpdate},
-
- {Resource: rbac.ResourceRobot, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceRobot, Action: rbac.ActionRead},
- {Resource: rbac.ResourceRobot, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceRobot, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceRobot, Action: rbac.ActionList},
-
- {Resource: rbac.ResourceNotificationPolicy, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceNotificationPolicy, Action: rbac.ActionUpdate},
- {Resource: rbac.ResourceNotificationPolicy, Action: rbac.ActionDelete},
- {Resource: rbac.ResourceNotificationPolicy, Action: rbac.ActionList},
- {Resource: rbac.ResourceNotificationPolicy, Action: rbac.ActionRead},
-
- {Resource: rbac.ResourceScan, Action: rbac.ActionCreate},
- {Resource: rbac.ResourceScan, Action: rbac.ActionRead},
- }
+ allPolicies = computeAllPolicies()
)
// PoliciesForPublicProject ...
@@ -197,3 +80,19 @@ func GetAllPolicies(namespace rbac.Namespace) []*rbac.Policy {
return policies
}
+
+func computeAllPolicies() []*rbac.Policy {
+ var results []*rbac.Policy
+
+ mp := map[string]bool{}
+ for _, policies := range rolePoliciesMap {
+ for _, policy := range policies {
+ if !mp[policy.String()] {
+ results = append(results, policy)
+ mp[policy.String()] = true
+ }
+ }
+ }
+
+ return results
+}
diff --git a/src/common/rbac/project/visitor_role.go b/src/common/rbac/project/visitor_role.go
index d8d594f4f..41ee7205e 100755
--- a/src/common/rbac/project/visitor_role.go
+++ b/src/common/rbac/project/visitor_role.go
@@ -299,6 +299,28 @@ var (
{Resource: rbac.ResourceRobot, Action: rbac.ActionRead},
{Resource: rbac.ResourceRobot, Action: rbac.ActionList},
},
+
+ "limitedGuest": {
+ {Resource: rbac.ResourceSelf, Action: rbac.ActionRead},
+
+ {Resource: rbac.ResourceRepository, Action: rbac.ActionList},
+ {Resource: rbac.ResourceRepository, Action: rbac.ActionPull},
+
+ {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionRead},
+ {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionList},
+
+ {Resource: rbac.ResourceRepositoryTagVulnerability, Action: rbac.ActionList},
+
+ {Resource: rbac.ResourceRepositoryTagManifest, Action: rbac.ActionRead},
+
+ {Resource: rbac.ResourceHelmChart, Action: rbac.ActionRead},
+ {Resource: rbac.ResourceHelmChart, Action: rbac.ActionList},
+
+ {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionRead},
+ {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionList},
+
+ {Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead},
+ },
}
)
@@ -319,6 +341,8 @@ func (role *visitorRole) GetRoleName() string {
return "developer"
case common.RoleGuest:
return "guest"
+ case common.RoleLimitedGuest:
+ return "limitedGuest"
default:
return ""
}
diff --git a/src/common/rbac/project/visitor_role_test.go b/src/common/rbac/project/visitor_role_test.go
index b1f22d24a..e2cc7c2e2 100644
--- a/src/common/rbac/project/visitor_role_test.go
+++ b/src/common/rbac/project/visitor_role_test.go
@@ -35,6 +35,9 @@ func (suite *VisitorRoleTestSuite) TestGetRoleName() {
guest := visitorRole{roleID: common.RoleGuest}
suite.Equal(guest.GetRoleName(), "guest")
+ limitedGuest := visitorRole{roleID: common.RoleLimitedGuest}
+ suite.Equal(limitedGuest.GetRoleName(), "limitedGuest")
+
unknow := visitorRole{roleID: 404}
suite.Equal(unknow.GetRoleName(), "")
}
diff --git a/src/common/security/local/context.go b/src/common/security/local/context.go
index b246ae2e8..a80130da8 100644
--- a/src/common/security/local/context.go
+++ b/src/common/security/local/context.go
@@ -125,6 +125,8 @@ func (s *SecurityContext) GetProjectRoles(projectIDOrName interface{}) []int {
roles = append(roles, common.RoleDeveloper)
case "RS":
roles = append(roles, common.RoleGuest)
+ case "LRS":
+ roles = append(roles, common.RoleLimitedGuest)
}
}
return mergeRoles(roles, s.GetRolesByGroup(projectIDOrName))
diff --git a/src/core/api/project.go b/src/core/api/project.go
index 40559991a..51bcb3d67 100644
--- a/src/core/api/project.go
+++ b/src/core/api/project.go
@@ -685,6 +685,7 @@ func getProjectMemberSummary(projectID int64, summary *models.ProjectSummary) {
{common.RoleMaster, &summary.MasterCount},
{common.RoleDeveloper, &summary.DeveloperCount},
{common.RoleGuest, &summary.GuestCount},
+ {common.RoleLimitedGuest, &summary.LimitedGuestCount},
} {
wg.Add(1)
go func(role int, count *int64) {
diff --git a/src/core/api/projectmember.go b/src/core/api/projectmember.go
index b704ad5c6..54e0707cd 100644
--- a/src/core/api/projectmember.go
+++ b/src/core/api/projectmember.go
@@ -191,7 +191,7 @@ func (pma *ProjectMemberAPI) Put() {
pma.SendBadRequestError(err)
return
}
- if req.Role < 1 || req.Role > 4 {
+ if !isValidRole(req.Role) {
pma.SendBadRequestError(fmt.Errorf("Invalid role id %v", req.Role))
return
}
@@ -284,9 +284,22 @@ func AddProjectMember(projectID int64, request models.MemberReq) (int, error) {
return 0, ErrDuplicateProjectMember
}
- if member.Role < 1 || member.Role > 4 {
+ if !isValidRole(member.Role) {
// Return invalid role error
return 0, ErrInvalidRole
}
return project.AddProjectMember(member)
}
+
+func isValidRole(role int) bool {
+ switch role {
+ case common.RoleProjectAdmin,
+ common.RoleMaster,
+ common.RoleDeveloper,
+ common.RoleGuest,
+ common.RoleLimitedGuest:
+ return true
+ default:
+ return false
+ }
+}
diff --git a/src/core/api/projectmember_test.go b/src/core/api/projectmember_test.go
index 89aab304b..306fe138f 100644
--- a/src/core/api/projectmember_test.go
+++ b/src/core/api/projectmember_test.go
@@ -344,3 +344,28 @@ func TestProjectMemberAPI_PutAndDelete(t *testing.T) {
runCodeCheckingCases(t, cases...)
}
+
+func Test_isValidRole(t *testing.T) {
+ type args struct {
+ role int
+ }
+ tests := []struct {
+ name string
+ args args
+ want bool
+ }{
+ {"project admin", args{1}, true},
+ {"master", args{4}, true},
+ {"developer", args{2}, true},
+ {"guest", args{3}, true},
+ {"limited guest", args{5}, true},
+ {"unknow", args{6}, false},
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := isValidRole(tt.args.role); got != tt.want {
+ t.Errorf("isValidRole() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
diff --git a/src/portal/lib/src/shared/shared.const.ts b/src/portal/lib/src/shared/shared.const.ts
index 8e76581d9..4a36ed52c 100644
--- a/src/portal/lib/src/shared/shared.const.ts
+++ b/src/portal/lib/src/shared/shared.const.ts
@@ -145,6 +145,11 @@ export const PROJECT_ROOTS = [
NAME: "guest",
VALUE: 3,
LABEL: "GROUP.GUEST"
+ },
+ {
+ NAME: "limited",
+ VALUE: 5,
+ LABEL: "GROUP.LIMITED_GUEST"
}
];
diff --git a/src/portal/src/app/project/member/add-member/add-member.component.html b/src/portal/src/app/project/member/add-member/add-member.component.html
index ee2f5f1ff..de4028ee1 100644
--- a/src/portal/src/app/project/member/add-member/add-member.component.html
+++ b/src/portal/src/app/project/member/add-member/add-member.component.html
@@ -45,6 +45,10 @@
+
+
+
+
diff --git a/src/portal/src/app/project/member/member.component.html b/src/portal/src/app/project/member/member.component.html
index a357c6d1f..3d67d57a8 100644
--- a/src/portal/src/app/project/member/member.component.html
+++ b/src/portal/src/app/project/member/member.component.html
@@ -27,6 +27,7 @@
+
diff --git a/src/portal/src/app/project/summary/summary.component.html b/src/portal/src/app/project/summary/summary.component.html
index 70d640c1a..be804c6ab 100644
--- a/src/portal/src/app/project/summary/summary.component.html
+++ b/src/portal/src/app/project/summary/summary.component.html
@@ -19,6 +19,7 @@
{{ summaryInformation?.master_count }} {{'SUMMARY.MASTER' | translate}}
{{ summaryInformation?.developer_count }} {{'SUMMARY.DEVELOPER' | translate}}
{{ summaryInformation?.guest_count }} {{'SUMMARY.GUEST' | translate}}
+ {{ summaryInformation?.limited_guest_count }} {{'SUMMARY.LIMITED_GUEST' | translate}}
diff --git a/src/portal/src/app/shared/route/member-guard-activate.service.ts b/src/portal/src/app/shared/route/member-guard-activate.service.ts
index e6f504f00..ffc744e7a 100644
--- a/src/portal/src/app/shared/route/member-guard-activate.service.ts
+++ b/src/portal/src/app/shared/route/member-guard-activate.service.ts
@@ -21,7 +21,8 @@ import {
import { SessionService } from '../../shared/session.service';
import { ProjectService } from '@harbor/ui';
import { CommonRoutes } from '@harbor/ui';
-import { Observable } from 'rxjs';
+import { Observable, of } from 'rxjs';
+import { map, catchError } from 'rxjs/operators';
@Injectable()
export class MemberGuard implements CanActivate, CanActivateChild {
@@ -31,49 +32,39 @@ export class MemberGuard implements CanActivate, CanActivateChild {
private router: Router) {}
canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): Observable | boolean {
- let projectId = route.params['id'];
+ const projectId = route.params['id'];
this.sessionService.setProjectMembers([]);
- return new Observable((observer) => {
- let user = this.sessionService.getCurrentUser();
- if (user === null) {
- this.sessionService.retrieveUser()
- .subscribe(() => {
- this.checkMemberStatus(state.url, projectId).subscribe((res) => observer.next(res));
- }, error => {
- this.router.navigate([CommonRoutes.HARBOR_DEFAULT]);
- observer.next(false);
- });
- } else {
- this.checkMemberStatus(state.url, projectId).subscribe((res) => observer.next(res));
- }
- });
- }
- checkMemberStatus(url: string, projectId: number): Observable {
- return new Observable((observer) => {
- this.projectService.checkProjectMember(projectId)
- .subscribe(res => {
- this.sessionService.setProjectMembers(res);
- return observer.next(true);
- },
+ const user = this.sessionService.getCurrentUser();
+ if (user !== null) {
+ return this.hasProjectPerm(state.url, projectId);
+ }
+
+ return this.sessionService.retrieveUser().pipe(
() => {
- // Add exception for repository in project detail router activation.
- this.projectService.getProject(projectId).subscribe(project => {
- if (project.metadata && project.metadata.public === 'true') {
- return observer.next(true);
- }
- this.router.navigate([CommonRoutes.HARBOR_DEFAULT]);
- return observer.next(false);
- },
- () => {
- this.router.navigate([CommonRoutes.HARBOR_DEFAULT]);
- return observer.next(false);
- });
- });
- });
+ return this.hasProjectPerm(state.url, projectId);
+ },
+ catchError(err => {
+ this.router.navigate([CommonRoutes.HARBOR_DEFAULT]);
+ return of(false);
+ })
+ );
}
canActivateChild(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): Observable | boolean {
return this.canActivate(route, state);
}
+
+ hasProjectPerm(url: string, projectId: number): Observable {
+ // Note: current user will have the permission to visit the project when the user can get response from GET /projects/:id API.
+ return this.projectService.getProject(projectId).pipe(
+ map(() => {
+ return true;
+ }),
+ catchError(err => {
+ this.router.navigate([CommonRoutes.HARBOR_DEFAULT]);
+ return of(false);
+ })
+ );
+ }
}
diff --git a/src/portal/src/app/shared/shared.const.ts b/src/portal/src/app/shared/shared.const.ts
index 631d9e66d..15d4d3574 100644
--- a/src/portal/src/app/shared/shared.const.ts
+++ b/src/portal/src/app/shared/shared.const.ts
@@ -60,14 +60,29 @@ export const enum ConfirmationButtons {
}
export const ProjectTypes = { 0: 'PROJECT.ALL_PROJECTS', 1: 'PROJECT.PRIVATE_PROJECTS', 2: 'PROJECT.PUBLIC_PROJECTS' };
-export const RoleInfo = { 1: 'MEMBER.PROJECT_ADMIN', 2: 'MEMBER.DEVELOPER', 3: 'MEMBER.GUEST', 4: 'MEMBER.PROJECT_MASTER' };
-export const RoleMapping = { 'projectAdmin': 'MEMBER.PROJECT_ADMIN',
-'master': 'MEMBER.PROJECT_MASTER', 'developer': 'MEMBER.DEVELOPER', 'guest': 'MEMBER.GUEST' };
+
+export const RoleInfo = {
+ 1: "MEMBER.PROJECT_ADMIN",
+ 2: "MEMBER.DEVELOPER",
+ 3: "MEMBER.GUEST",
+ 4: "MEMBER.PROJECT_MASTER",
+ 5: "MEMBER.LIMITED_GUEST",
+};
+
+export const RoleMapping = {
+ "projectAdmin": "MEMBER.PROJECT_ADMIN",
+ "master": "MEMBER.PROJECT_MASTER",
+ "developer": "MEMBER.DEVELOPER",
+ "guest": "MEMBER.GUEST",
+ "limitedGuest": "MEMBER.LIMITED_GUEST",
+};
+
export const ProjectRoles = [
{ id: 1, value: "MEMBER.PROJECT_ADMIN" },
{ id: 2, value: "MEMBER.DEVELOPER" },
{ id: 3, value: "MEMBER.GUEST" },
{ id: 4, value: "MEMBER.PROJECT_MASTER" },
+ { id: 5, value: "MEMBER.LIMITED_GUEST" },
];
export enum Roles {
@@ -75,6 +90,7 @@ export enum Roles {
PROJECT_MASTER = 4,
DEVELOPER = 2,
GUEST = 3,
+ LIMITED_GUEST = 5,
OTHER = 0,
}
export const DefaultHelmIcon = '/images/helm-gray.svg';
diff --git a/src/portal/src/i18n/lang/en-us-lang.json b/src/portal/src/i18n/lang/en-us-lang.json
index 88e2035ee..becf3e951 100644
--- a/src/portal/src/i18n/lang/en-us-lang.json
+++ b/src/portal/src/i18n/lang/en-us-lang.json
@@ -275,6 +275,7 @@
"PROJECT_MASTER": "Master",
"DEVELOPER": "Developer",
"GUEST": "Guest",
+ "LIMITED_GUEST": "Limited Guest",
"DELETE": "Delete",
"ITEMS": "items",
"ACTIONS": "Actions",
@@ -737,7 +738,8 @@
"ADMIN": "Admin(s)",
"MASTER": "Master(s)",
"DEVELOPER": "Developer(s)",
- "GUEST": "Guest(s)"
+ "GUEST": "Guest(s)",
+ "LIMITED_GUEST": "Limited guest(s)"
},
"ALERT": {
"FORM_CHANGE_CONFIRMATION": "Some changes are not saved yet. Do you want to cancel?"
diff --git a/src/portal/src/i18n/lang/es-es-lang.json b/src/portal/src/i18n/lang/es-es-lang.json
index a8492e61a..8e7b8886c 100644
--- a/src/portal/src/i18n/lang/es-es-lang.json
+++ b/src/portal/src/i18n/lang/es-es-lang.json
@@ -276,6 +276,7 @@
"PROJECT_MASTER": "Mantenedor",
"DEVELOPER": "Desarrollador",
"GUEST": "Invitado",
+ "LIMITED_GUEST": "Limited Guest",
"DELETE": "Eliminar",
"ITEMS": "elementos",
"ACTIONS": "Acciones",
@@ -738,7 +739,8 @@
"ADMIN": "Admin(s)",
"MASTER": "Master(s)",
"DEVELOPER": "Developer(s)",
- "GUEST": "Guest(s)"
+ "GUEST": "Guest(s)",
+ "LIMITED_GUEST": "Limited guest(s)"
},
"ALERT": {
"FORM_CHANGE_CONFIRMATION": "Algunos cambios no se han guardado aún. ¿Quiere cancelar?"
diff --git a/src/portal/src/i18n/lang/fr-fr-lang.json b/src/portal/src/i18n/lang/fr-fr-lang.json
index ec9a492b8..88547b1b4 100644
--- a/src/portal/src/i18n/lang/fr-fr-lang.json
+++ b/src/portal/src/i18n/lang/fr-fr-lang.json
@@ -288,6 +288,7 @@
"PROJECT_MASTER": "préposé à la maintenance",
"DEVELOPER": "Développeur",
"GUEST": "Invité",
+ "LIMITED_GUEST": "Limited Guest",
"DELETE": "Supprimer",
"ITEMS": "items",
"ACTIONS": "Actions",
@@ -724,7 +725,8 @@
"ADMIN": "Admin(s)",
"MASTER": "Master(s)",
"DEVELOPER": "Developer(s)",
- "GUEST": "Guest(s)"
+ "GUEST": "Guest(s)",
+ "LIMITED_GUEST": "Limited guest(s)"
},
"ALERT": {
"FORM_CHANGE_CONFIRMATION": "Certaines modifications ne sont pas encore enregistrées. Voulez-vous annuler ?"
diff --git a/src/portal/src/i18n/lang/pt-br-lang.json b/src/portal/src/i18n/lang/pt-br-lang.json
index 002c39964..f3823a5d1 100644
--- a/src/portal/src/i18n/lang/pt-br-lang.json
+++ b/src/portal/src/i18n/lang/pt-br-lang.json
@@ -273,6 +273,7 @@
"PROJECT_MASTER": "Mantenedor",
"DEVELOPER": "Desenvolvedor",
"GUEST": "Visitante",
+ "LIMITED_GUEST": "Limited Guest",
"DELETE": "Remover",
"ITEMS": "itens",
"ACTIONS": "Ações",
@@ -733,7 +734,8 @@
"ADMIN": "Admin(s)",
"MASTER": "Master(s)",
"DEVELOPER": "Developer(s)",
- "GUEST": "Guest(s)"
+ "GUEST": "Guest(s)",
+ "LIMITED_GUEST": "Limited guest(s)"
},
"ALERT": {
"FORM_CHANGE_CONFIRMATION": "Algumas alterações ainda não foram salvas. Você deseja cancelar?"
diff --git a/src/portal/src/i18n/lang/tr-tr-lang.json b/src/portal/src/i18n/lang/tr-tr-lang.json
index b56259501..569d69720 100644
--- a/src/portal/src/i18n/lang/tr-tr-lang.json
+++ b/src/portal/src/i18n/lang/tr-tr-lang.json
@@ -275,6 +275,7 @@
"PROJECT_MASTER": "Uzman",
"DEVELOPER": "Geliştirici",
"GUEST": "Konuk",
+ "LIMITED_GUEST": "Limited Guest",
"DELETE": "Sil",
"ITEMS": "çeşit",
"ACTIONS": "Eylemler",
@@ -736,7 +737,8 @@
"ADMIN": "Yönetici(ler)",
"MASTER": "Uzman(lar)",
"DEVELOPER": "Geliştirici(ler)",
- "GUEST": "Misafir(ler)"
+ "GUEST": "Misafir(ler)",
+ "LIMITED_GUEST": "Limited guest(s)"
},
"ALERT": {
"FORM_CHANGE_CONFIRMATION": "Bazı değişiklikler henüz kaydedilmedi. İptal etmek istiyor musun?"
diff --git a/src/portal/src/i18n/lang/zh-cn-lang.json b/src/portal/src/i18n/lang/zh-cn-lang.json
index 279cc7565..167ca6f1b 100644
--- a/src/portal/src/i18n/lang/zh-cn-lang.json
+++ b/src/portal/src/i18n/lang/zh-cn-lang.json
@@ -275,6 +275,7 @@
"PROJECT_MASTER": "维护人员",
"DEVELOPER": "开发人员",
"GUEST": "访客",
+ "LIMITED_GUEST": "受限访客",
"DELETE": "删除",
"ITEMS": "条记录",
"ACTIONS": "操作",
@@ -738,7 +739,8 @@
"ADMIN": "管理员",
"MASTER": "维护人员",
"DEVELOPER": "开发者",
- "GUEST": "访客"
+ "GUEST": "访客",
+ "LIMITED_GUEST": "受限访客"
},
"ALERT": {
"FORM_CHANGE_CONFIRMATION": "表单内容改变,确认是否取消?"