From 2e6121295d519b3dfc98c253f7d4599a0307bb82 Mon Sep 17 00:00:00 2001
From: alexcc <nanyilikai@hotmail.com>
Date: Fri, 10 Nov 2023 16:13:56 +0800
Subject: [PATCH] fix(workflow): project member rbac

Project members in the Member role do not have permission to create workflows and approve tasks #1378
---
 pkg/apis/workflowexecution/basic.go      | 20 ++++++++++++++++++++
 pkg/apis/workflowexecution/basic_view.go | 14 ++++++++++++++
 pkg/server/init_rbac.go                  | 12 ++++++------
 3 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/pkg/apis/workflowexecution/basic.go b/pkg/apis/workflowexecution/basic.go
index c97915b1d..12d6ee833 100644
--- a/pkg/apis/workflowexecution/basic.go
+++ b/pkg/apis/workflowexecution/basic.go
@@ -208,3 +208,23 @@ func (h Handler) CollectionGet(req CollectionGetRequest) (CollectionGetResponse,
 
 	return model.ExposeWorkflowExecutions(entities), count, nil
 }
+
+func (h Handler) Delete(req DeleteRequest) error {
+	return h.modelClient.WorkflowExecutions().DeleteOneID(req.ID).
+		Exec(req.Context)
+}
+
+func (h Handler) CollectionDelete(req CollectionDeleteRequest) error {
+	ids := req.IDs()
+
+	return h.modelClient.WithTx(req.Context, func(tx *model.Tx) error {
+		_, err := tx.WorkflowStepExecutions().Delete().
+			Where(workflowstepexecution.IDIn(ids...)).
+			Exec(req.Context)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
diff --git a/pkg/apis/workflowexecution/basic_view.go b/pkg/apis/workflowexecution/basic_view.go
index fbe903a47..1a925dab6 100644
--- a/pkg/apis/workflowexecution/basic_view.go
+++ b/pkg/apis/workflowexecution/basic_view.go
@@ -49,3 +49,17 @@ type (
 func (r *CollectionGetRequest) SetStream(stream runtime.RequestUnidiStream) {
 	r.Stream = &stream
 }
+
+type (
+	DeleteRequest struct {
+		model.WorkflowExecutionQueryInput `path:",inline"`
+	}
+
+	DeleteResponse = *model.WorkflowExecutionDeleteInput
+)
+
+func (r *DeleteRequest) Validate() error {
+	return r.WorkflowExecutionQueryInput.Validate()
+}
+
+type CollectionDeleteRequest = model.WorkflowExecutionDeleteInputs
diff --git a/pkg/server/init_rbac.go b/pkg/server/init_rbac.go
index 63b4f8061..c3597a184 100644
--- a/pkg/server/init_rbac.go
+++ b/pkg/server/init_rbac.go
@@ -205,11 +205,7 @@ func createRoles(ctx context.Context, mc model.ClientSet) error {
 						"projects",
 						"projectSubjects",
 						"templates",
-						"templateVersions",
-						"workflows",
-						"workflowExecutions",
-						"workflowStageExecutions",
-						"workflowStepExecutions"),
+						"templateVersions"),
 				},
 				{
 					Actions: types.RolePolicyFields("*"),
@@ -218,7 +214,11 @@ func createRoles(ctx context.Context, mc model.ClientSet) error {
 						"resources",
 						"resourceComponents",
 						"resourceRevisions",
-						"variables"),
+						"variables",
+						"workflows",
+						"workflowExecutions",
+						"workflowStageExecutions",
+						"workflowStepExecutions"),
 				},
 				{
 					Actions: types.RolePolicyFields(http.MethodPost),