fix: validating index search permission in discover api (#37)

* fix: validating index search permission in discover api * fix: wrong error tips for validating index permission
2024-12-16 11:48:14 +08:00 · 2024-12-16 11:48:14 +08:00 · 318ba82eed
parent bafef0e65e
commit 318ba82eed
3 changed files with 26 additions and 2 deletions
--- a/core/security/validate.go
+++ b/core/security/validate.go
@ -153,7 +153,10 @@ func ValidateIndex(req IndexRequest, userRole RolePermission) (err error) {
 		}
 	}
 	if _, ok := userRole.ElasticPrivilege.Index[req.Cluster]; !ok {
-		return fmt.Errorf("no permission of cluster [%s]", req.Cluster)
+		if !hasAllCluster {
 			return fmt.Errorf("no permission of cluster [%s]", req.Cluster)
 		}
 		return fmt.Errorf("no index permission %s of cluster [%s]", req.Privilege, req.Cluster)
 	}
 	allowed = validateIndexPermission(req.Index, apiPrivileges, userRole.ElasticPrivilege.Index[req.Cluster])
 	if allowed {
--- a/modules/elastic/api/discover.go
+++ b/modules/elastic/api/discover.go
@ -28,6 +28,7 @@ import (
 	"fmt"
 	"github.com/buger/jsonparser"
 	log "github.com/cihub/seelog"
 	"infini.sh/console/core/security"
 	httprouter "infini.sh/framework/core/api/router"
 	"infini.sh/framework/core/elastic"
 	"infini.sh/framework/core/orm"
@ -65,6 +66,26 @@ func (h *APIHandler) HandleEseSearchAction(w http.ResponseWriter, req *http.Requ
 		h.WriteError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	//validate index search api permission
 	reqUser, err := security.FromUserContext(req.Context())
 	if err != nil {
 		log.Error(err)
 		h.WriteError(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	newRole := security.CombineUserRoles(reqUser.Roles)
 	indexReq := security.IndexRequest{
 		Cluster:   targetClusterID,
 		Index:     reqParams.Index,
 		Privilege: []string{"indices.search"},
 	}
 	err = security.ValidateIndex(indexReq, newRole)
 	if err != nil {
 		log.Error(err)
 		h.WriteError(w, err.Error(), http.StatusForbidden)
 		return
 	}
 	ver := client.GetVersion()
 	if _, ok := reqParams.Body["track_total_hits"]; ok {
--- a/modules/elastic/api/init.go
+++ b/modules/elastic/api/init.go
@ -74,7 +74,7 @@ func init() {
 	api.HandleAPIMethod(api.GET, "/elasticsearch/:id/saved_objects/view/:view_id", clusterAPI.RequireClusterPermission(clusterAPI.HandleGetViewAction))
 	api.HandleAPIMethod(api.POST, "/elasticsearch/:id/view/:view_id/_set_default_layout", clusterAPI.RequireClusterPermission(clusterAPI.SetDefaultLayout))
-	api.HandleAPIMethod(api.POST, "/elasticsearch/:id/search/ese", clusterAPI.RequireClusterPermission(clusterAPI.HandleEseSearchAction))
+	api.HandleAPIMethod(api.POST, "/elasticsearch/:id/search/ese", clusterAPI.RequireLogin(clusterAPI.HandleEseSearchAction))
 	api.HandleAPIMethod(api.GET, "/elasticsearch/:id/search/trace_id", clusterAPI.HandleTraceIDSearchAction)
 	api.HandleAPIMethod(api.POST, "/elasticsearch/:id/suggestions/values/:index", clusterAPI.RequireClusterPermission(clusterAPI.HandleValueSuggestionAction))
 	api.HandleAPIMethod(api.POST, "/elasticsearch/:id/setting", clusterAPI.RequireClusterPermission(clusterAPI.HandleSettingAction))