lxd/auth/drivers: Check if can_view is valid before determining sta…
…tus code.

Signed-off-by: Mark Laing <mark.laing@canonical.com>
markylaing committed Sep 12, 2024
1 parent 586df37 commit 5060efe
Showing 1 changed file with 5 additions and 2 deletions.
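--- a/lxd/auth/drivers/openfga.go
+++ b/lxd/auth/drivers/openfga.go
@@ -254,11 +254,14 @@ func (e *embeddedOpenFGA) CheckPermission(ctx context.Context, entityURL *api.UR
 
 // If not allowed, decide if the user can view the resource.
 if !resp.GetAllowed() {
+err := auth.ValidateEntitlement(entityType, auth.EntitlementCanView)
+doCheckCanView := err == nil
+
 responseCode := http.StatusForbidden
 if entitlement == auth.EntitlementCanView {
 responseCode = http.StatusNotFound
-} else {
-// Otherwise, check if we can view the resource.
+} else if doCheckCanView {
+// Otherwise, if `can_view` is a valid entitlement for the entity type, check if the identity can view the resource.
 req.TupleKey.Relation = string(auth.EntitlementCanView)
 
 l.Debug("Checking OpenFGA relation")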
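Review bot: The error from `auth.ValidateEntitlement` is collapsed to a boolean at `doCheckCanView := err == nil`, so any failure, not only "`can_view` is not defined for this entity type", silently skips the visibility check and leaves `responseCode` at `http.StatusForbidden`. Because the 403/404 split is what hides a resource's existence from callers who cannot view it, that fallback should be documented where it is decided, for example `// Entity types without can_view always answer 403; their existence is not treated as confidential.` (wording for the author to confirm). If `ValidateEntitlement` can fail for other reasons, a debug log of the error on that path would make the skipped check visible. The `err :=` presumably shadows an `err` from earlier in the function; `doCheckCanView := auth.ValidateEntitlement(entityType, auth.EntitlementCanView) == nil` avoids the extra variable. CheckPermission starts and ends outside the hunk.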
