fix: policy allow if one of the matching rules is allow

yunionio · Jun 16, 2020 · 2efb7fc · 2efb7fc
1 parent 818d40c
commit 2efb7fc
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/pkg/cloudcommon/policy/policy.go b/pkg/cloudcommon/policy/policy.go
@@ -403,8 +403,15 @@ func (manager *SPolicyManager) allowWithoutCache(scope rbacutils.TRbacScope, use
 
 	var result rbacutils.TRbacResult
 	if len(matchRules) > 0 {
-		rule := rbacutils.GetMatchRule(matchRules, service, resource, action, extra...)
-		result = rule.Result
+		result = rbacutils.Deny
+		for _, rule := range matchRules {
+			if rule.Result == rbacutils.Allow {
+				result = rbacutils.Allow
+				break
+			}
+		}
+		// rule := rbacutils.GetMatchRule(matchRules, service, resource, action, extra...)
+		// result = rule.Result
 	} else if findMatchPolicy {
 		// if find matched policy, but no rule matching, allow anyway
 		result = rbacutils.Allow