Merge pull request #32 from kang2453/master

feat: refactor resource group handling based on user role in file service
cloudforet-io · Jan 6, 2025 · 62ed977 · 62ed977
2 parents 9f89be9 + 3fbffd6
commit 62ed977
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/src/spaceone/file_manager/model/file/request.py b/src/spaceone/file_manager/model/file/request.py
@@ -41,7 +41,6 @@ class FileDeleteRequest(BaseModel):
 
 class FileGetRequest(BaseModel):
     file_id: str
-    resource_group: ResourceGroup
     domain_id: Union[list, str, None] = None
     workspace_id: Union[list, str, None] = None
     project_id: Union[str, None] = None

diff --git a/src/spaceone/file_manager/service/file_service.py b/src/spaceone/file_manager/service/file_service.py
@@ -55,7 +55,16 @@ def add(self, params: FileAddRequest) -> Union[FileResponse, dict]:
             FileResponse:
         """
 
-        resource_group = params.resource_group
+        role_type = self.transaction.get_meta("authorization.role_type")
+
+        if role_type == "SYSTEM_ADMIN":
+            resource_group = "SYSTEM"
+        elif role_type == "DOMAIN_ADMIN":
+            resource_group = "DOMAIN"
+        elif role_type == "WORKSPACE_OWNER" or role_type == "WORKSPACE_MEMBER":
+            resource_group = "WORKSPACE"
+        else:
+            raise ERROR_PERMISSION_DENIED()
 
         if resource_group == "SYSTEM":
             params.domain_id = "*"
@@ -170,7 +179,6 @@ def delete(self, params: FileDeleteRequest) -> None:
             "WORKSPACE_MEMBER",
         ],
     )
-
     @convert_model
     def get(self, params: FileGetRequest) -> Union[FileResponse, dict]:
         """Get file
@@ -189,8 +197,17 @@ def get(self, params: FileGetRequest) -> Union[FileResponse, dict]:
             FileResponse:
         """
 
-        resource_group = params.resource_group
+        role_type = self.transaction.get_meta("authorization.role_type")
 
+        if role_type == "SYSTEM_ADMIN":
+            resource_group = "SYSTEM"
+        elif role_type == "DOMAIN_ADMIN":
+            resource_group = "DOMAIN"
+        elif role_type == "WORKSPACE_OWNER" or role_type == "WORKSPACE_MEMBER":
+            resource_group = "WORKSPACE"
+        else:
+            raise ERROR_PERMISSION_DENIED()
+
         if resource_group == "SYSTEM":
             params.domain_id = "*"
             params.workspace_id = "*"
@@ -205,9 +222,6 @@ def get(self, params: FileGetRequest) -> Union[FileResponse, dict]:
             else :
                 self.identity_mgr.get_project(params.project_id, params.domain_id)
 
-
-
-
         file_vo = self.file_mgr.get_file(
             params.file_id,
             params.domain_id,