fix(workflow): project member rbac

Project members in the Member role do not have permission to create workflows and approve tasks #1378
seal-io · Nov 10, 2023 · 2e61212 · 2e61212
1 parent 4274a88
commit 2e61212
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 6 deletions.
diff --git a/pkg/apis/workflowexecution/basic.go b/pkg/apis/workflowexecution/basic.go
@@ -208,3 +208,23 @@ func (h Handler) CollectionGet(req CollectionGetRequest) (CollectionGetResponse,
 
 	return model.ExposeWorkflowExecutions(entities), count, nil
 }
+
+func (h Handler) Delete(req DeleteRequest) error {
+	return h.modelClient.WorkflowExecutions().DeleteOneID(req.ID).
+		Exec(req.Context)
+}
+
+func (h Handler) CollectionDelete(req CollectionDeleteRequest) error {
+	ids := req.IDs()
+
+	return h.modelClient.WithTx(req.Context, func(tx *model.Tx) error {
+		_, err := tx.WorkflowStepExecutions().Delete().
+			Where(workflowstepexecution.IDIn(ids...)).
+			Exec(req.Context)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
diff --git a/pkg/apis/workflowexecution/basic_view.go b/pkg/apis/workflowexecution/basic_view.go
@@ -49,3 +49,17 @@ type (
 func (r *CollectionGetRequest) SetStream(stream runtime.RequestUnidiStream) {
 	r.Stream = &stream
 }
+
+type (
+	DeleteRequest struct {
+		model.WorkflowExecutionQueryInput `path:",inline"`
+	}
+
+	DeleteResponse = *model.WorkflowExecutionDeleteInput
+)
+
+func (r *DeleteRequest) Validate() error {
+	return r.WorkflowExecutionQueryInput.Validate()
+}
+
+type CollectionDeleteRequest = model.WorkflowExecutionDeleteInputs
diff --git a/pkg/server/init_rbac.go b/pkg/server/init_rbac.go
@@ -205,11 +205,7 @@ func createRoles(ctx context.Context, mc model.ClientSet) error {
 						"projects",
 						"projectSubjects",
 						"templates",
-						"templateVersions",
-						"workflows",
-						"workflowExecutions",
-						"workflowStageExecutions",
-						"workflowStepExecutions"),
+						"templateVersions"),
 				},
 				{
 					Actions: types.RolePolicyFields("*"),
@@ -218,7 +214,11 @@ func createRoles(ctx context.Context, mc model.ClientSet) error {
 						"resources",
 						"resourceComponents",
 						"resourceRevisions",
-						"variables"),
+						"variables",
+						"workflows",
+						"workflowExecutions",
+						"workflowStageExecutions",
+						"workflowStepExecutions"),
 				},
 				{
 					Actions: types.RolePolicyFields(http.MethodPost),